
Infected with "WindowsRecovery" ?


This topic is locked
6 replies to this topic

#1 galt


Posted 04 May 2011 - 06:15 PM

Hello,

My PC was infected with "WindowsRecovery" a few days ago. I followed all the steps on this forum and it was fine; I was able to "Unhide" all the files, including the "Quick Launch".
Apparently it was not completely cured: last night the PC started with the same symptoms, and I repeated all the steps once again, from "rkill" to "unhide".
The Desktop/icons are all restored, however this time, the Quick Launch icons and the "Start Menu - ALL Files" are empty.

I ran "Unhide" again and ran Malwarebytes again; I have tried several other methods to recover the "All Programs" entries, like checking that the files are not "hidden", running the "regsvr32 /i shell32.dll" command, etc., from posts on this forum. No luck!

Hoping for help to resolve this problem!

Thanks in advance.

Galat


#2 cryptodan


Posted 04 May 2011 - 06:31 PM

Can you post the logs from Malwarebytes?

#3 galt


Posted 04 May 2011 - 08:08 PM

Hello Cryptodan,

Thank you for a very prompt response.
I have attached two logs from MWB below: the first one is with the infection(s) listed, and the second one is from the second run, once the infection was cleared.
After the second attempt to clean the infection, I went and started all 'disabled' processes; that did not work either.
I went through the forum and have also run Defogger, and I have the DDS log as well.

Additionally, I forgot to mention in my first email that the infected computer is running horribly slow and the IE browser is also crawling although I have 35/35 speed.

Once again, Thanks for helping me!

Galat:

Infected Log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6467

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/29/2011 8:48:15 AM
mbam-log-2011-04-29 (08-48-15).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 309030
Time elapsed: 5 hour(s), 35 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BikMInqAaqKWg (Trojan.FakeAlert) -> Value: BikMInqAaqKWg -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\bikminqaaqkwg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\tushar gala.k_b_h_c.000\local settings\Temp\tmp693E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\tushar gala.k_b_h_c.000\Desktop\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
===

Cleaned Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6467

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/29/2011 2:48:21 PM
mbam-log-2011-04-29 (14-48-21).txt

Scan type: Quick scan
Objects scanned: 6111
Time elapsed: 12 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
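As an added example (not code from this thread or from Malwarebytes), a Python parser for the MBAM log format posted above: it recovers the declared counts and the listed detections, checks that the two agree, and flags the entries that account for the symptoms galt describes (the Run value that relaunches the payload and the DisableTaskMgr policy). The sample log is constructed from the first log above with the profile name replaced, and the triage rules are this example's own heuristics, not MBAM's.

```python
import re
from typing import NamedTuple

SECTIONS = ("Memory Processes Infected", "Memory Modules Infected", "Registry Keys Infected",
            "Registry Values Infected", "Registry Data Items Infected", "Folders Infected",
            "Files Infected")


class Detection(NamedTuple):
    target: str   # registry path or file path
    family: str   # MBAM detection name, e.g. Trojan.FakeAlert
    details: str  # middle "->" segments ("Value: ...", "Bad: (1) Good: (0)"), may be empty
    action: str   # last "->" segment, e.g. "Quarantined and deleted successfully."


_ENTRY_RE = re.compile(r"^(?P<target>.+) \((?P<family>[^()]+)\)$")
_HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
_COUNT_RE = re.compile(r"^(.+ Infected): (\d+)$")


def parse_entry(line):
    """Split one detection line into target, family, details and the final action."""
    parts = [p.strip() for p in line.split(" -> ")]
    m = _ENTRY_RE.match(parts[0])
    if m is None or len(parts) < 2:
        raise ValueError("unrecognised detection line: %r" % line)
    return Detection(m.group("target"), m.group("family"), " | ".join(parts[1:-1]), parts[-1])


def parse_mbam_log(text):
    """Return header fields, the declared per-section counts and the parsed entries per section."""
    header, counts, current = {}, {}, None
    detections = {s: [] for s in SECTIONS}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            current = None  # a blank line closes the section being read
        elif current is not None:
            if line != "(No malicious items detected)":
                detections[current].append(parse_entry(line))
        elif (m := _HEADER_RE.match(line)):
            header[m.group(1)] = m.group(2)
        elif (m := _COUNT_RE.match(line)) and m.group(1) in SECTIONS:
            counts[m.group(1)] = int(m.group(2))
        elif line.endswith(":") and line[:-1] in SECTIONS:
            current = line[:-1]
        # anything else (product banner, URL, timestamp, OS version) is not needed here
    return {"header": header, "counts": counts, "detections": detections}


def check_counts(report):
    """(section, declared, listed) for each section whose summary count disagrees with the
    entries actually listed; a truncated or hand-edited log shows up here."""
    return [(s, report["counts"].get(s, 0), len(report["detections"][s]))
            for s in SECTIONS if report["counts"].get(s, 0) != len(report["detections"][s])]


# Triage heuristics written for this example (not MBAM's own): entries that explain the
# symptoms in the thread and deserve a look even after "Quarantined and deleted successfully".
_TRIAGE_RULES = (
    (r"\\CurrentVersion\\Run\\", "autostart value: the payload relaunched at every logon"),
    (r"\\Policies\\System\\DisableTaskMgr$", "Task Manager disabled by policy: defence evasion"),
    (r"\\Desktop\\.*\.lnk$", "desktop shortcut to the fake tool: the lure the user is meant to click"),
)


def triage(report):
    """Return (target, reason) for every detection matching a triage rule."""
    return [(d.target, why) for entries in report["detections"].values() for d in entries
            for pattern, why in _TRIAGE_RULES if re.search(pattern, d.target, re.IGNORECASE)]


def pending(report):
    """Detections MBAM did not report as fully removed (e.g. delete-on-reboot); this is why
    the thread insists on a normal reboot and a second scan."""
    return [d for entries in report["detections"].values() for d in entries
            if not d.action.startswith("Quarantined and deleted successfully")]


# Constructed sample: the entries of the first log in the thread, profile name replaced by <user>.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6467
Scan type: Full scan (C:\|D:\|E:\|)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BikMInqAaqKWg (Trojan.FakeAlert) -> Value: BikMInqAaqKWg -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\bikminqaaqkwg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\<user>\local settings\Temp\tmp693E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\<user>\Desktop\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
"""
```

Run `parse_mbam_log(SAMPLE_LOG)` and pass the result to `check_counts`, `triage` and `pending`; an empty `check_counts` and `pending` with three triage hits is what the first log above yields.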



#4 cryptodan


Posted 04 May 2011 - 08:31 PM

Hello,

And welcome to BleepingComputer.com. Before we can assist you with your question of "Am I infected?", you will need to perform the following tasks and post the logs of each if you can.

Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


SUPERAntiSpyware:

Please download and scan with SUPERAntiSpyware Free

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer it to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Instructions:

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer it to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now GMER

GMER does not work in 64-bit mode!!!!!!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



#5 galt


Posted 05 May 2011 - 06:06 PM

Hello Cryptodan,

I have pasted all three logs below per your instructions:
====


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6467

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/29/2011 8:48:15 AM
mbam-log-2011-04-29 (08-48-15).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 309030
Time elapsed: 5 hour(s), 35 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BikMInqAaqKWg (Trojan.FakeAlert) -> Value: BikMInqAaqKWg -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\bikminqaaqkwg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\tushar gala.k_b_h_c.000\local settings\Temp\tmp693E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\tushar gala.k_b_h_c.000\Desktop\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
===================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/05/2011 at 03:01 AM

Application Version : 4.51.1000

Core Rules Database Version : 6992
Trace Rules Database Version: 4804

Scan type : Complete Scan
Total Scan Time : 05:00:57

Memory items scanned : 617
Memory threats detected : 0
Registry items scanned : 8662
Registry threats detected : 0
File items scanned : 113359
File threats detected : 245

Adware.Tracking Cookie
C:\Documents and Settings\Tushar Gala\Cookies\tushar_gala@www.barcouncilofindia[1].txt
C:\Documents and Settings\Tushar Gala\Cookies\tushar_gala@www.easyclicktravel[1].txt
C:\Documents and Settings\Tushar Gala\Cookies\tushar_gala@www.findlegalforms[2].txt
C:\Documents and Settings\Tushar Gala\Cookies\tushar_gala@www.googleadservices[2].txt
C:\Documents and Settings\Tushar Gala\Cookies\tushar_gala@www.googleadservices[3].txt
C:\Documents and Settings\Tushar Gala\Cookies\tushar_gala@www.njentrepreneur[1].txt
a.ads2.msads.net [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
acvs.mediaonenetwork.net [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
ads1.msn.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
bc.youporn.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
cdn-www.pornhub.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
cdn.insights.gravity.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
cdn4.specificclick.net [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
core.insightexpressai.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
files.youporn.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
hs.interpolls.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
interclick.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
m1.2mdn.net [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
media.scanscout.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
mediaforgews.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
msnbcmedia.msn.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
msntest.serving-sys.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
objects.tremormedia.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
pornotube.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
secure-us.imrworldwide.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
serving-sys.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
static.sexsearch.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
static.youporn.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
udn.specificclick.net [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
[ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
[ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
wwwstatic.megaporn.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Application Data\Macromedia\Flash Player\#SharedObjects\SH9364GH ]
a.ads2.msads.net [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
ads2.msads.net [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
b.ads2.msads.net [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
cdn1.static.pornhub.phncdn.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
files.youporn.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
media.scanscout.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
msnbcmedia.msn.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
pornotube.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
secure-uk.imrworldwide.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
secure-us.imrworldwide.com [ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
[ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
[ C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@ad.wsod[2].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@ad.yieldmanager[1].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@ad.yieldmanager[2].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@adbrite[1].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@adserver.adtechus[2].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@adviva[2].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@apmebf[1].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@atdmt[1].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@collective-media[2].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@fastclick[1].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@invitemedia[1].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@media6degrees[1].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@mediaplex[2].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@revsci[2].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@solution.weborama[1].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@specificclick[2].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@traveladvertising[2].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@traveladvertising[3].txt
C:\Documents and Settings\Tushar Gala.K_B_H_C.000\Cookies\tushar_gala@tribalfusion[1].txt

Trojan.Agent/Gen-Frauder
C:\WINDOWS\INSTALLER\MSI2F2.TMP
======================================================

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-05 17:50:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_SP0802N rev.TK100-28
Running: 4k2ydrvb.exe; Driver: C:\DOCUME~1\TUSHAR~1.000\LOCALS~1\Temp\fgtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xABD08620]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xAB78275C]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF743E0E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF743E0F4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF743E120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF743E176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF743E0CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF743E0A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF743E0B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF743E10A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF743E14C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF743E136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF743E1A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF743E18C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF743E160]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF77E2760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB978CF80]
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[300] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[300] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00900022
.text C:\WINDOWS\system32\svchost.exe[300] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00900011
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A70FE5
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A70F8D
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A70082
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A70FA8
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A70FB9
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A70036
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A700A7
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A70F5F
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A700DD
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A70F44
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A700F8
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A70051
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A7000A
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A70F7C
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A70FCA
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A7001B
.text C:\WINDOWS\system32\svchost.exe[300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A700C2
.text C:\WINDOWS\system32\svchost.exe[300] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A60F9E
.text C:\WINDOWS\system32\svchost.exe[300] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A60040
.text C:\WINDOWS\system32\svchost.exe[300] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A60FAF
.text C:\WINDOWS\system32\svchost.exe[300] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A60FCA
.text C:\WINDOWS\system32\svchost.exe[300] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A60025
.text C:\WINDOWS\system32\svchost.exe[300] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\system32\svchost.exe[300] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A60014
.text C:\WINDOWS\system32\svchost.exe[300] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A60F8D
.text C:\WINDOWS\system32\svchost.exe[300] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00930F97
.text C:\WINDOWS\system32\svchost.exe[300] msvcrt.dll!system 77C293C7 5 Bytes JMP 00930FA8
.text C:\WINDOWS\system32\svchost.exe[300] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00930022
.text C:\WINDOWS\system32\svchost.exe[300] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[300] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00930FC3
.text C:\WINDOWS\system32\svchost.exe[300] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00930011
.text C:\WINDOWS\system32\svchost.exe[300] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0091000A
.text C:\WINDOWS\system32\svchost.exe[300] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\svchost.exe[300] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00910FDE
.text C:\WINDOWS\system32\svchost.exe[300] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 0091002F
.text C:\WINDOWS\system32\svchost.exe[300] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00920000
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[560] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[560] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B60FC0
.text C:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B60FDB
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B90F83
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B9006E
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90F94
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B90047
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B90FC0
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B900B0
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B90093
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B90F28
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B90F43
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B900DC
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B90FA5
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B90011
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90F72
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B90FD1
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B90022
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B900C1
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B80FC0
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B80073
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B8001B
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B80058
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B8003D
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B8002C
.text C:\WINDOWS\system32\svchost.exe[908] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70FB2
.text C:\WINDOWS\system32\svchost.exe[908] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70033
.text C:\WINDOWS\system32\svchost.exe[908] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B70FDE
.text C:\WINDOWS\system32\svchost.exe[908] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[908] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70FC3
.text C:\WINDOWS\system32\svchost.exe[908] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\SearchIndexer.exe[1204] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\services.exe[1272] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1272] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040014
.text C:\WINDOWS\system32\services.exe[1272] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00040FDE
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00970FEF
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00970F5E
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00970F83
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00970051
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00970040
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00970FB9
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00970089
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0097006E
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00970F1C
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009700B5
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00970F0B
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00970F9E
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0097000A
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!CreatePipe 7C81D83F 1 Byte [E9]
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00970F43
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00970FCA
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0097001B
.text C:\WINDOWS\system32\services.exe[1272] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0097009A
.text C:\WINDOWS\system32\services.exe[1272] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[1272] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[1272] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[1272] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[1272] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070062
.text C:\WINDOWS\system32\services.exe[1272] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1272] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[1272] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[1272] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060F84
.text C:\WINDOWS\system32\services.exe[1272] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060F95
.text C:\WINDOWS\system32\services.exe[1272] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FC1
.text C:\WINDOWS\system32\services.exe[1272] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[1272] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FA6
.text C:\WINDOWS\system32\services.exe[1272] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FD2
.text C:\WINDOWS\system32\services.exe[1272] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\lsass.exe[1284] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\system32\lsass.exe[1284] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 008D0014
.text C:\WINDOWS\system32\lsass.exe[1284] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008D0FD4
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA004A
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F55
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F7C
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0F97
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FB9
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0076
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F24
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0EF8
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0091
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0EE7
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA005B
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0FCA
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F13
.text C:\WINDOWS\system32\lsass.exe[1284] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0090001B
.text C:\WINDOWS\system32\lsass.exe[1284] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00900051
.text C:\WINDOWS\system32\lsass.exe[1284] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00900FCA
.text C:\WINDOWS\system32\lsass.exe[1284] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\lsass.exe[1284] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00900F8A
.text C:\WINDOWS\system32\lsass.exe[1284] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\lsass.exe[1284] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0090002C
.text C:\WINDOWS\system32\lsass.exe[1284] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00900FAF
.text C:\WINDOWS\system32\lsass.exe[1284] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008F0064
.text C:\WINDOWS\system32\lsass.exe[1284] msvcrt.dll!system 77C293C7 5 Bytes JMP 008F0053
.text C:\WINDOWS\system32\lsass.exe[1284] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008F0038
.text C:\WINDOWS\system32\lsass.exe[1284] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008F0000
.text C:\WINDOWS\system32\lsass.exe[1284] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008F0FE3
.text C:\WINDOWS\system32\lsass.exe[1284] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008F001D
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008E0000
.text C:\WINDOWS\system32\svchost.exe[1456] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\svchost.exe[1456] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F9001B
.text C:\WINDOWS\system32\svchost.exe[1456] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE008E
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0073
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0FA5
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0058
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0036
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE00CB
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE00BA
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE0F61
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE0F72
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE0F46
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0047
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE00A9
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE001B
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE00F0
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FD0FC0
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FD0F94
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FD0051
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FD0040
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FD0FAF
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FC002F
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FC0FA4
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FC0FC6
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FC0FB5
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FC0FD7
.text C:\WINDOWS\system32\svchost.exe[1456] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[1596] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[1596] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B7000A
.text C:\WINDOWS\system32\svchost.exe[1596] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B70FD4
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF008D
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF007C
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF006B
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0FAC
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FC7
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF00E0
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF00B9
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF00FB
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F62
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0F3D
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF004E
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF00A8
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF003D
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF002C
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F7D
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA0025
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BA0051
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BA0014
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BA0040
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DA, 88]
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BA0FB9
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B90F8B
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B90FB0
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B90FC1
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B90016
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B90FD2
.text C:\WINDOWS\system32\svchost.exe[1596] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B80000
.text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00AF0FE5
.text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00AF0011
.text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AF0000
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02D60FE5
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02D60098
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02D60087
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02D60FB9
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02D6006C
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02D60040
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02D60F81
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02D600C9
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02D60F3A
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02D60F55
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02D60F1F
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02D6005B
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02D60000
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02D60F92
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02D60025
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02D60FCA
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02D60F70
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02C2001B
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02C20036
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02C20FCA
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02C2000A
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02C20F83
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02C20FEF
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02C20F94
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E2, 8A] {LOOP 0xffffffffffffff8c}
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02C20FA5
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02270058
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!system 77C293C7 5 Bytes JMP 02270047
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02270022
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02270000
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02270FD7
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02270011
.text C:\WINDOWS\System32\svchost.exe[1672] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B10000
.text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00B00FDE
.text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00B0001E
.text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00B0002F
.text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B50036
.text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B5001B
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B90F8A
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B90089
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90062
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B90051
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B90FAF
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B900A4
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B90F68
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B900BF
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B90F26
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B90F15
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B90036
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90F79
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B90FC0
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B90011
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B90F4B
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B80FCD
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B80F75
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B80FDE
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B80F90
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B80FAB
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D8, 88]
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B80FBC
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70FC3
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B7004E
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70FDE
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B7001D
.text C:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[1892] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\svchost.exe[1892] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0099001B
.text C:\WINDOWS\system32\svchost.exe[1892] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A1006E
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A1005D
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A10F79
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A10F94
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A10FAF
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A100AB
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A1009A
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A100E8
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A100D7
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A10F2A
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A10036
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A10011
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A1007F
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A10FC0
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A10FDB
.text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A100C6
.text C:\WINDOWS\system32\svchost.exe[1892] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009C002C
.text C:\WINDOWS\system32\svchost.exe[1892] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009C0062
.text C:\WINDOWS\system32\svchost.exe[1892] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009C0FDB
.text C:\WINDOWS\system32\svchost.exe[1892] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009C0011
.text C:\WINDOWS\system32\svchost.exe[1892] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009C0FA5
.text C:\WINDOWS\system32\svchost.exe[1892] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1892] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009C0051
.text C:\WINDOWS\system32\svchost.exe[1892] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009C0FCA
.text C:\WINDOWS\system32\svchost.exe[1892] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009B0F99
.text C:\WINDOWS\system32\svchost.exe[1892] msvcrt.dll!system 77C293C7 5 Bytes JMP 009B0FB4
.text C:\WINDOWS\system32\svchost.exe[1892] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009B001D
.text C:\WINDOWS\system32\svchost.exe[1892] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\svchost.exe[1892] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009B002E
.text C:\WINDOWS\system32\svchost.exe[1892] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009B000C
.text C:\WINDOWS\system32\svchost.exe[1892] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\wuauclt.exe[2428] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00EC000A
.text C:\WINDOWS\system32\wuauclt.exe[2428] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00EC001B
.text C:\WINDOWS\system32\wuauclt.exe[2428] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027A0000
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 027A007F
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 027A0F80
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027A0064
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 027A0F9B
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 027A0FC0
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027A00B7
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 027A0F65
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027A0F39
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027A00D2
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 027A00F7
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 027A0047
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 027A0011
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 027A0090
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 027A002C
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 027A0FDB
.text C:\WINDOWS\system32\wuauclt.exe[2428] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 027A0F54
.text C:\WINDOWS\system32\wuauclt.exe[2428] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EE0031
.text C:\WINDOWS\system32\wuauclt.exe[2428] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EE0FA6
.text C:\WINDOWS\system32\wuauclt.exe[2428] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EE0FD2
.text C:\WINDOWS\system32\wuauclt.exe[2428] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2428] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EE0FC1
.text C:\WINDOWS\system32\wuauclt.exe[2428] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EE000C
.text C:\WINDOWS\system32\wuauclt.exe[2428] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF0039
.text C:\WINDOWS\system32\wuauclt.exe[2428] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF0FCD
.text C:\WINDOWS\system32\wuauclt.exe[2428] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF0FDE
.text C:\WINDOWS\system32\wuauclt.exe[2428] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2428] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF0080
.text C:\WINDOWS\system32\wuauclt.exe[2428] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF000A
.text C:\WINDOWS\system32\wuauclt.exe[2428] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EF0065
.text C:\WINDOWS\system32\wuauclt.exe[2428] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF004A
.text C:\WINDOWS\system32\wuauclt.exe[2428] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00ED0FEF
.text C:\WINDOWS\Explorer.EXE[3440] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0499000A
.text C:\WINDOWS\Explorer.EXE[3440] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 04990FDE
.text C:\WINDOWS\Explorer.EXE[3440] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 04990FEF
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 049E0000
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 049E0082
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 049E0F8D
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 049E0067
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 049E0F9E
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 049E0FCA
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 049E00A9
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 049E0F61
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 049E0F24
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 049E0F35
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 049E00D8
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 049E0FAF
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 049E0011
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 049E0F72
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 049E0FE5
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 049E0036
.text C:\WINDOWS\Explorer.EXE[3440] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 049E0F50
.text C:\WINDOWS\Explorer.EXE[3440] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 049D0022
.text C:\WINDOWS\Explorer.EXE[3440] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 049D0F98
.text C:\WINDOWS\Explorer.EXE[3440] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 049D0011
.text C:\WINDOWS\Explorer.EXE[3440] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 049D0000
.text C:\WINDOWS\Explorer.EXE[3440] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 049D0055
.text C:\WINDOWS\Explorer.EXE[3440] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 049D0FEF
.text C:\WINDOWS\Explorer.EXE[3440] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 049D0044
.text C:\WINDOWS\Explorer.EXE[3440] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 049D0033
.text C:\WINDOWS\Explorer.EXE[3440] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 049C0053
.text C:\WINDOWS\Explorer.EXE[3440] msvcrt.dll!system 77C293C7 5 Bytes JMP 049C0042
.text C:\WINDOWS\Explorer.EXE[3440] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 049C0FD9
.text C:\WINDOWS\Explorer.EXE[3440] msvcrt.dll!_open 77C2F566 5 Bytes JMP 049C0000
.text C:\WINDOWS\Explorer.EXE[3440] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 049C0FC8
.text C:\WINDOWS\Explorer.EXE[3440] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 049C0011
.text C:\WINDOWS\Explorer.EXE[3440] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0496000A
.text C:\WINDOWS\Explorer.EXE[3440] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0496001B
.text C:\WINDOWS\Explorer.EXE[3440] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 04960036
.text C:\WINDOWS\Explorer.EXE[3440] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 04960051
.text C:\WINDOWS\Explorer.EXE[3440] WS2_32.dll!socket 71AB4211 5 Bytes JMP 049B000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\mfevtps.exe[656] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00407740] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\WINDOWS\system32\mfevtps.exe[656] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004077A0] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A9463D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

Edited by Budapest, 05 May 2011 - 08:42 PM.
Links removed ~Budapest
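The `.text` entries in the GMER log above are its user-mode inline-hook listing: for each process it names the module export whose first bytes were overwritten (usually a 5-byte JMP, sometimes a partial patch shown as raw bytes) and the address the jump lands on. Reading a few hundred of these by eye is error-prone, so below is an added example script (mine, not part of the original post and not GMER's own code) that parses those lines and prints, per process, which modules and API families are patched and how many 64 KB regions the jumps land in (one region per trampoline allocation). Hooks of this shape are installed by security products as well as by malware, so the inventory is a triage aid, not a verdict; nothing in the addresses alone identifies the owner of a hook. SAMPLE_LOG is constructed for the example: a handful of lines copied from the log above, one made-up process (C:\Program Files\Example\app.exe) to exercise a path containing a space, and one non-hook header line that must be ignored. The API family table is my own grouping.

```python
"""Inventory user-mode inline hooks from a GMER ".text" listing.

Added example, not code from the original post or from GMER. It parses lines
such as ".text <image>[<pid>] <module>!<func>[ + <off>] <addr> <n> Bytes JMP
<target>" (or "... Bytes [<hex>]") and groups them per process. It does not
decide whether a hook is benign or malicious: security products patch these
same APIs.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the posted log, one made-up process
# (path with a space) and one non-hook header line that must be ignored.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1596] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF00FB
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DA, 88]
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B90FB0
.text C:\WINDOWS\system32\svchost.exe[1596] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B80000
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02D60F3A
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E2, 8A] {LOOP 0xffffffffffffff8c}
.text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00B00FEF
.text C:\Program Files\Example\app.exe[999] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A10011
---- User IAT/EAT - GMER 1.0.15 ----
"""

LINE_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<func>\S+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+?)\s*$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})$")
RAW_RE = re.compile(r"^\[(?P<bytes>[0-9A-Fa-f ,]+)\]")

# My own coarse grouping of the APIs seen in the log; anything else is "other".
FAMILIES = {
    "file": {"NtCreateFile", "CreateFileA", "CreateFileW", "_open", "_wopen", "_creat", "_wcreat",
             "CreatePipe", "CreateNamedPipeA", "CreateNamedPipeW"},
    "process": {"NtCreateProcess", "CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"},
    "memory": {"NtProtectVirtualMemory", "VirtualProtect", "VirtualProtectEx"},
    "network": {"socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW"},
}


@dataclass(frozen=True)
class Hook:
    image: str
    pid: int
    module: str
    func: str
    offset: int              # 0 at the export entry, n for a "+ n" continuation line
    addr: int
    size: int
    target: int | None       # JMP destination, None when GMER prints raw bytes
    raw: tuple[int, ...]     # the raw bytes in that case


def parse_hook_line(line: str) -> Hook | None:
    m = LINE_RE.match(line)
    if not m:
        return None                      # kernel hooks, headers, blank lines
    target, raw = None, ()
    if (jm := JMP_RE.match(m["patch"])):
        target = int(jm["target"], 16)
    elif (rm := RAW_RE.match(m["patch"])):
        raw = tuple(int(b, 16) for b in rm["bytes"].replace(" ", "").split(",") if b)
    return Hook(m["image"], int(m["pid"]), m["module"], m["func"], int(m["offset"] or 0),
                int(m["addr"], 16), int(m["size"]), target, raw)


def parse_gmer_hooks(text: str) -> list[Hook]:
    return [h for h in map(parse_hook_line, text.splitlines()) if h is not None]


def family_of(func: str) -> str:
    if func.startswith("Reg"):
        return "registry"
    return next((fam for fam, names in FAMILIES.items() if func in names), "other")


def summarize(hooks: list[Hook]) -> dict[tuple[str, int], dict]:
    """Per (image, pid): hooked functions by module, API families, and the
    64 KB regions the JMPs land in (one region per trampoline allocation)."""
    out: dict[tuple[str, int], dict] = {}
    for h in hooks:
        s = out.setdefault((h.image, h.pid),
                           {"functions": defaultdict(set), "families": set(), "regions": set()})
        s["functions"][h.module].add(h.func)
        s["families"].add(family_of(h.func))
        if h.target is not None:
            s["regions"].add(h.target >> 16)
    return out


def report(summary: dict) -> list[str]:
    lines = []
    for (image, pid), s in sorted(summary.items(), key=lambda kv: kv[0][1]):
        n = sum(len(v) for v in s["functions"].values())
        regions = ", ".join(f"{r:04X}xxxx" for r in sorted(s["regions"]))
        lines.append(f"{image}[{pid}]: {n} functions in {len(s['functions'])} modules; "
                     f"families={sorted(s['families'])}; jump regions={regions}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(parse_gmer_hooks(SAMPLE_LOG)))))
```

Run it on a saved GMER log by reading the file into `parse_gmer_hooks` instead of SAMPLE_LOG. A process whose jumps all land in one or two regions has a single hooking component loaded; a jump region that appears in only one process, or a patched API family that the other processes lack, is the place to start comparing against the list of modules loaded into that process, which GMER's log does not include.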


#6 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:48 PM

Posted 05 May 2011 - 08:02 PM

I would now have you run a Free ESET Online Scan and post the results.

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:48 PM

Posted 08 May 2011 - 04:19 AM

I am closing this topic since you have also an active topic in the Malware Removal forum. Please continue there.

Link to topic: http://www.bleepingcomputer.com/forums/topic394472.html

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft




