
wuauclt.exe and other weird processes


15 replies to this topic

#1 j_curley0712

Posted 14 June 2011 - 06:22 PM

Hello, I was recently looking at the Task Manager and found a couple of fishy-looking processes, including wuauclt.exe. I've used Malwarebytes and Spybot and both did not find anything. I've seen that wuauclt.exe is an undesirable program. My computer seems to work fine, no redirects on sites, and I can visit antivirus sites fine.



#2 cryptodan


Posted 20 June 2011 - 05:19 AM

Hello,

And welcome to BleepingComputer.com. Before we can assist you with your question of "Am I infected?", you will need to perform the following tasks and post the logs of each if you can.

Malwarebytes Anti-Malware

NOTE: Malwarebytes is now offering a free trial of their program. If you want to accept it, you will need to enter some billing information, so that at the end of the trial you would be charged the cost of the product. Please decline this offer if you are unable to provide billing information. If you want to try it out, then provide the billing information.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


SUPERAntiSpyware:

Please download and scan with SUPERAntiSpyware Free

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (e.g. SAS_1710895.COM) to a USB drive or CD and transfer it to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Instructions:

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (e.g. SAS_1710895.COM) to a USB drive or CD and transfer it to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now GMER

GMER does not work in 64-bit mode!!!!!!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



#3 j_curley0712


Posted 20 June 2011 - 05:40 PM

Here's Malwarebytes; doing SUPERAntiSpyware next.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6905

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/20/2011 3:36:43 PM
mbam-log-2011-06-20 (15-36-43).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 397902
Time elapsed: 1 hour(s), 47 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\couponalert_2pei\Installr\1.bin\2pEZSETP.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.

#4 j_curley0712


Posted 20 June 2011 - 08:24 PM

I downloaded SUPERAntiSpyware and followed the steps. Went into Safe Mode and it scanned and found some stuff. I let it finish removing and rebooted into Normal Mode. I opened SUPERAntiSpyware and looked for the log under Statistics/Logs and nothing showed up. Don't know what I should do next. I did see the update tab and updated it; I might have skipped updating it the first time around. Should I scan again?

#5 j_curley0712


Posted 28 June 2011 - 02:13 AM

Are you still there? Sorry I haven't replied.

#6 cryptodan


Posted 28 June 2011 - 05:19 AM

There should be a log that was generated. Can you bring up SUPERAntiSpyware in Normal Mode and see if it's there?

#7 j_curley0712


Posted 30 June 2011 - 05:00 PM

It doesn't come up in Normal Mode. Could it be that I skipped a step? Can I just start the process all over on Saturday, July 2?

#8 cryptodan


Posted 30 June 2011 - 06:25 PM

What doesn't come up in Normal Mode?

#9 j_curley0712


Posted 01 July 2011 - 07:33 PM

The SUPERAntiSpyware scan log I did in Safe Mode doesn't come up in Normal Mode.

#10 j_curley0712


Posted 05 July 2011 - 08:02 PM

Hope you're still there. I just did SUPERAntiSpyware again and got the log. I also ended up doing the Malwarebytes scan again because it's been a while.

#11 j_curley0712


Posted 05 July 2011 - 08:03 PM

Malwarebytes

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7028

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/5/2011 2:35:06 PM
mbam-log-2011-07-05 (14-35-06).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 399308
Time elapsed: 1 hour(s), 47 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\2pres.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

#12 j_curley0712


Posted 05 July 2011 - 08:06 PM

SUPERAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/05/2011 at 05:51 PM

Application Version : 4.54.1000

Core Rules Database Version : 7374
Trace Rules Database Version: 5186

Scan type : Complete Scan
Total Scan Time : 03:03:26

Memory items scanned : 236
Memory threats detected : 0
Registry items scanned : 6916
Registry threats detected : 2
File items scanned : 169975
File threats detected : 91

Adware.ShopAtHomeSelect
HKU\S-1-5-21-2978790944-2054931435-4022874058-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
HKCR\CLSID\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}

Adware.Tracking Cookie

I'll get the GMER log next.

#13 j_curley0712


Posted 06 July 2011 - 06:50 AM

GMER log


GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-06 04:45:52
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST3250824AS rev.3.AHH
Running: b0udfr41.exe; Driver: C:\DOCUME~1\Justin\LOCALS~1\Temp\kwxdafod.sys


.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE001B
.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0062
.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0051
.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FE0036
.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0FB9
.text C:\WINDOWS\system32\svchost.exe[172] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01030F9E
.text C:\WINDOWS\system32\svchost.exe[172] msvcrt.dll!system 77C293C7 5 Bytes JMP 01030FAF
.text C:\WINDOWS\system32\svchost.exe[172] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01030029
.text C:\WINDOWS\system32\svchost.exe[172] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01030FEF
.text C:\WINDOWS\system32\svchost.exe[172] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01030FCA
.text C:\WINDOWS\system32\svchost.exe[172] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0103000C
.text C:\WINDOWS\system32\svchost.exe[172] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01020000
.text C:\WINDOWS\system32\svchost.exe[296] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[296] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\system32\svchost.exe[296] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F85
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0F96
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0070
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF005F
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0033
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F48
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F63
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F0B
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F1C
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0EF0
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0044
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0011
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F74
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FC7
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0022
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F37
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C40FAF
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C40F83
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C4000A
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C40FD4
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C40040
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C40025
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C40F9E
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30031
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30F9C
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C30FC8
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C30FAD
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C30FE3
.text C:\WINDOWS\system32\svchost.exe[296] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C10FE5
.text C:\WINDOWS\system32\svchost.exe[296] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C10FD4
.text C:\WINDOWS\system32\svchost.exe[296] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\svchost.exe[296] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00C10FB9
.text C:\WINDOWS\system32\svchost.exe[296] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[548] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[548] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BC002F
.text C:\WINDOWS\system32\svchost.exe[548] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F54
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0049
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB002C
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0F94
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB007F
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB006E
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0F01
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0F1C
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB00AB
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0F79
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!CreatePipe 7C81D83F 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0F43
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FAF
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0FCA
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0090
.text C:\WINDOWS\system32\svchost.exe[548] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA0040
.text C:\WINDOWS\system32\svchost.exe[548] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BA0FB6
.text C:\WINDOWS\system32\svchost.exe[548] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BA002F
.text C:\WINDOWS\system32\svchost.exe[548] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[548] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BA007D
.text C:\WINDOWS\system32\svchost.exe[548] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\svchost.exe[548] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BA006C
.text C:\WINDOWS\system32\svchost.exe[548] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BA005B
.text C:\WINDOWS\system32\svchost.exe[548] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0042
.text C:\WINDOWS\system32\svchost.exe[548] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0027
.text C:\WINDOWS\system32\svchost.exe[548] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0FB7
.text C:\WINDOWS\system32\svchost.exe[548] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0FE3
.text C:\WINDOWS\system32\svchost.exe[548] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0016
.text C:\WINDOWS\system32\svchost.exe[548] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0FD2
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[928] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[928] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1188] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00740000
.text C:\WINDOWS\system32\services.exe[1188] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00740FCA
.text C:\WINDOWS\system32\services.exe[1188] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00740FE5
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00730FEF
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00730082
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00730071
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00730054
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00730039
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00730F97
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007300BA
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00730F72
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00730F2B
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00730F3C
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007300D5
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0073001E
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00730FD4
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0073009D
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00730FB2
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00730FC3
.text C:\WINDOWS\system32\services.exe[1188] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00730F57
.text C:\WINDOWS\system32\services.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C6001B
.text C:\WINDOWS\system32\services.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C60F94
.text C:\WINDOWS\system32\services.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\system32\services.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\system32\services.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C6005B
.text C:\WINDOWS\system32\services.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\services.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C60036
.text C:\WINDOWS\system32\services.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C60FAF
.text C:\WINDOWS\system32\services.exe[1188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00760044
.text C:\WINDOWS\system32\services.exe[1188] msvcrt.dll!system 77C293C7 5 Bytes JMP 00760033
.text C:\WINDOWS\system32\services.exe[1188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00760011
.text C:\WINDOWS\system32\services.exe[1188] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00760FE3
.text C:\WINDOWS\system32\services.exe[1188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00760022
.text C:\WINDOWS\system32\services.exe[1188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\services.exe[1188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00750FEF
.text C:\WINDOWS\system32\lsass.exe[1200] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\lsass.exe[1200] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F60FB9
.text C:\WINDOWS\system32\lsass.exe[1200] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F60FD4
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C10FE5
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C10F63
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C10058
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C10047
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C10036
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C10F94
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C10075
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C10F2D
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C10EF7
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C10F08
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C10EE6
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C1001B
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C10FCA
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C10F3E
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C10FA5
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\lsass.exe[1200] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C10090
.text C:\WINDOWS\system32\lsass.exe[1200] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F9002C
.text C:\WINDOWS\system32\lsass.exe[1200] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F9007D
.text C:\WINDOWS\system32\lsass.exe[1200] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F9001B
.text C:\WINDOWS\system32\lsass.exe[1200] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F90FE5
.text C:\WINDOWS\system32\lsass.exe[1200] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F90FB6
.text C:\WINDOWS\system32\lsass.exe[1200] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\lsass.exe[1200] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F90058
.text C:\WINDOWS\system32\lsass.exe[1200] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F9003D
.text C:\WINDOWS\system32\lsass.exe[1200] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F80FBC
.text C:\WINDOWS\system32\lsass.exe[1200] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F80051
.text C:\WINDOWS\system32\lsass.exe[1200] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F8002C
.text C:\WINDOWS\system32\lsass.exe[1200] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\lsass.exe[1200] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F80FD7
.text C:\WINDOWS\system32\lsass.exe[1200] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F80011
.text C:\WINDOWS\system32\lsass.exe[1200] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B4000A
.text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B40025
.text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B30000
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B300BF
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B300A4
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B30089
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B3006C
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B30051
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B30101
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B300DA
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B30F8D
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B30126
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B30F72
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B30FCA
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B30011
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B30FAF
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B30FE5
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B30036
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B30F9E
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FD0073
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FD0062
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FD0051
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FD0040
.text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B6007A
.text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B6005F
.text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B60029
.text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B60044
.text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B60018
.text C:\WINDOWS\system32\svchost.exe[1384] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A50FE5
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A50FCA
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A50000
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A40077
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A40066
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A40055
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A40044
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A40033
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A40F4C
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A40092
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A40F20
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A40F31
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A400CA
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A40FAC
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A40011
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A40F71
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A40FC7
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A40022
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A400AF
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B9002C
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B90F94
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B9001B
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B90FA5
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B90FC0
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D9, 88]
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B90047
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A70F89
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A70014
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A70FB5
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A70FE3
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A70FA4
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A70FD2
.text C:\WINDOWS\system32\svchost.exe[1432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\System32\svchost.exe[1556] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1556] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009A002C
.text C:\WINDOWS\System32\svchost.exe[1556] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A001B
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00990FEF
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00990F83
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00990078
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00990F94
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00990051
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00990036
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00990F61
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00990F72
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00990F3F
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00990F50
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00990F24
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00990FAF
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00990000
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0099009D
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0099001B
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00990FD4
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009900C4
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0207002C
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02070051
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0207001B
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0207000A
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02070F8A
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02070FEF
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02070F9B
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 8A]
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02070FB6
.text C:\WINDOWS\System32\svchost.exe[1556] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02060FAB
.text C:\WINDOWS\System32\svchost.exe[1556] msvcrt.dll!system 77C293C7 5 Bytes JMP 02060FBC
.text C:\WINDOWS\System32\svchost.exe[1556] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02060FDE
.text C:\WINDOWS\System32\svchost.exe[1556] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02060FEF
.text C:\WINDOWS\System32\svchost.exe[1556] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02060FCD
.text C:\WINDOWS\System32\svchost.exe[1556] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02060018
.text C:\WINDOWS\System32\svchost.exe[1556] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02010000
.text C:\WINDOWS\System32\svchost.exe[1556] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 009B0000
.text C:\WINDOWS\System32\svchost.exe[1556] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 009B0FE5
.text C:\WINDOWS\System32\svchost.exe[1556] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 009B0FCA
.text C:\WINDOWS\System32\svchost.exe[1556] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 009B0FB9
.text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009E0FDE
.text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009D000A
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009D0F6F
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009D006E
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009D0F94
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009D0FA5
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009D0FCA
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009D0F37
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009D0F54
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009D0F08
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009D00AB
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009D00BC
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009D0051
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009D007F
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009D0036
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009D0025
.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009D009A
.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F90FC3
.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F90040
.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F90FD4
.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F90F83
.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F9002F
.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F90FA8
.text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A00F92
.text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A00FAD
.text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A0001D
.text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A0000C
.text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A00FC8
.text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1604] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[1808] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\svchost.exe[1808] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009E0FE5
.text C:\WINDOWS\system32\svchost.exe[1808] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009E0011
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009D0000
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009D009D
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009D0F9E
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009D0FB9
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009D0076
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009D0051
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009D0F7C
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009D0F8D
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009D0F50
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009D0F61
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009D0F3F
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009D0FCA
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009D0011
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009D00AE
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009D0FE5
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009D002C
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009D00D5
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A50FB9
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A50F7C
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A50FDE
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A50039
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A50F97
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C5, 88]
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A50FA8
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A00042
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A00FB7
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A0001D
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A00FE3
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A00FC8
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A0000C
.text C:\WINDOWS\system32\svchost.exe[1808] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009F0000
.text C:\WINDOWS\System32\svchost.exe[2040] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\System32\svchost.exe[2040] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F80FDE
.text C:\WINDOWS\System32\svchost.exe[2040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F80014
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F7007D
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70F88
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70062
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70051
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F70FB9
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F700B3
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F70F61
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F70F24
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F70F35
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F70F13
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F70036
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F70FD4
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F70098
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F70025
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70014
.text C:\WINDOWS\System32\svchost.exe[2040] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F70F50
.text C:\WINDOWS\System32\svchost.exe[2040] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F60047
.text C:\WINDOWS\System32\svchost.exe[2040] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F60FAC
.text C:\WINDOWS\System32\svchost.exe[2040] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F6002C
.text C:\WINDOWS\System32\svchost.exe[2040] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F6001B
.text C:\WINDOWS\System32\svchost.exe[2040] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F60069
.text C:\WINDOWS\System32\svchost.exe[2040] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F60000
.text C:\WINDOWS\System32\svchost.exe[2040] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F60058
.text C:\WINDOWS\System32\svchost.exe[2040] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F60FDB
.text C:\WINDOWS\System32\svchost.exe[2040] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F5006E
.text C:\WINDOWS\System32\svchost.exe[2040] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F50053
.text C:\WINDOWS\System32\svchost.exe[2040] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F50038
.text C:\WINDOWS\System32\svchost.exe[2040] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F50000
.text C:\WINDOWS\System32\svchost.exe[2040] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F50FE3
.text C:\WINDOWS\System32\svchost.exe[2040] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F50011
.text C:\WINDOWS\System32\svchost.exe[2040] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\dllhost.exe[2528] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\dllhost.exe[2528] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F10FCA
.text C:\WINDOWS\system32\dllhost.exe[2528] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F10FDB
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00F83
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F00F9E
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00FAF
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F0006C
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F00051
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F00F4D
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F00F68
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F00F17
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F00F32
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F00F06
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00FC0
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F0001B
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F00093
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F00036
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F00FE5
.text C:\WINDOWS\system32\dllhost.exe[2528] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F000B0
.text C:\WINDOWS\system32\dllhost.exe[2528] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EE0F8D
.text C:\WINDOWS\system32\dllhost.exe[2528] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EE0F9E
.text C:\WINDOWS\system32\dllhost.exe[2528] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EE0FDE
.text C:\WINDOWS\system32\dllhost.exe[2528] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EE000C
.text C:\WINDOWS\system32\dllhost.exe[2528] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EE0FB9
.text C:\WINDOWS\system32\dllhost.exe[2528] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\dllhost.exe[2528] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF002C
.text C:\WINDOWS\system32\dllhost.exe[2528] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF004E
.text C:\WINDOWS\system32\dllhost.exe[2528] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF0011
.text C:\WINDOWS\system32\dllhost.exe[2528] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF0FE5
.text C:\WINDOWS\system32\dllhost.exe[2528] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF003D
.text C:\WINDOWS\system32\dllhost.exe[2528] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF0000
.text C:\WINDOWS\system32\dllhost.exe[2528] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EF0FA5
.text C:\WINDOWS\system32\dllhost.exe[2528] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0F, 89]
.text C:\WINDOWS\system32\dllhost.exe[2528] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF0FB6
.text C:\WINDOWS\system32\dllhost.exe[2528] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00ED0000
.text C:\program files\real\realplayer\update\realsched.exe[3252] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Messenger\msmsgs.exe[3300] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0203000A
.text C:\Program Files\Messenger\msmsgs.exe[3300] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02030025
.text C:\Program Files\Messenger\msmsgs.exe[3300] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02030FEF
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0FEF
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0069
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0058
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0F7E
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0047
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0FB9
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0F2B
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF0F3C
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF0F09
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF00A2
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF0EEE
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0036
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF000A
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0F59
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0025
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0FCA
.text C:\Program Files\Messenger\msmsgs.exe[3300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0F1A
.text C:\Program Files\Messenger\msmsgs.exe[3300] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD0F9C
.text C:\Program Files\Messenger\msmsgs.exe[3300] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD0031
.text C:\Program Files\Messenger\msmsgs.exe[3300] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD0FD2
.text C:\Program Files\Messenger\msmsgs.exe[3300] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD0FEF
.text C:\Program Files\Messenger\msmsgs.exe[3300] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD0FB7
.text C:\Program Files\Messenger\msmsgs.exe[3300] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD000C
.text C:\Program Files\Messenger\msmsgs.exe[3300] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE001B
.text C:\Program Files\Messenger\msmsgs.exe[3300] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0069
.text C:\Program Files\Messenger\msmsgs.exe[3300] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0FCA
.text C:\Program Files\Messenger\msmsgs.exe[3300] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0FE5
.text C:\Program Files\Messenger\msmsgs.exe[3300] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE004E
.text C:\Program Files\Messenger\msmsgs.exe[3300] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0000
.text C:\Program Files\Messenger\msmsgs.exe[3300] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FE003D
.text C:\Program Files\Messenger\msmsgs.exe[3300] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE002C
.text C:\Program Files\Messenger\msmsgs.exe[3300] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FC000A
.text C:\Program Files\Messenger\msmsgs.exe[3300] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00F80000
.text C:\Program Files\Messenger\msmsgs.exe[3300] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00F80011
.text C:\Program Files\Messenger\msmsgs.exe[3300] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00F80022
.text C:\Program Files\Messenger\msmsgs.exe[3300] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00F8003D
.text C:\WINDOWS\Explorer.EXE[3384] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 018F0FE5
.text C:\WINDOWS\Explorer.EXE[3384] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 018F0FB9
.text C:\WINDOWS\Explorer.EXE[3384] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 018F0FD4
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 018E0000
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 018E0098
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 018E0FA3
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 018E0FCA
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 018E0087
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 018E0051
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 018E0F66
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 018E0F77
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 018E0F29
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 018E0F3A
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 018E00E7
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 018E006C
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 018E0011
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 018E0F88
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 018E002C
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 018E0FDB
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 018E0F4B
.text C:\WINDOWS\Explorer.EXE[3384] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 018D002F
.text C:\WINDOWS\Explorer.EXE[3384] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 018D0FB9
.text C:\WINDOWS\Explorer.EXE[3384] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 018D0FDE
.text C:\WINDOWS\Explorer.EXE[3384] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 018D000A
.text C:\WINDOWS\Explorer.EXE[3384] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 018D0080
.text C:\WINDOWS\Explorer.EXE[3384] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 018D0FEF
.text C:\WINDOWS\Explorer.EXE[3384] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 018D0065
.text C:\WINDOWS\Explorer.EXE[3384] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 018D0040
.text C:\WINDOWS\Explorer.EXE[3384] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01760F75
.text C:\WINDOWS\Explorer.EXE[3384] msvcrt.dll!system 77C293C7 5 Bytes JMP 0176000A
.text C:\WINDOWS\Explorer.EXE[3384] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01760FB5
.text C:\WINDOWS\Explorer.EXE[3384] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01760FEF
.text C:\WINDOWS\Explorer.EXE[3384] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01760FA4
.text C:\WINDOWS\Explorer.EXE[3384] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01760FC6
.text C:\WINDOWS\Explorer.EXE[3384] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01740FEF
.text C:\WINDOWS\Explorer.EXE[3384] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01740000
.text C:\WINDOWS\Explorer.EXE[3384] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01740011
.text C:\WINDOWS\Explorer.EXE[3384] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 01740022
.text C:\WINDOWS\Explorer.EXE[3384] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01750000

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\mfevtps.exe[1648] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00407740] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\WINDOWS\system32\mfevtps.exe[1648] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004077A0] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

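The `.text` lines in the log above are GMER's user-mode code-section scan: each `5 Bytes JMP` entry is an inline detour written over the first bytes of a Windows API export, redirecting it to a private memory page in that process. Reading a couple of hundred near-identical lines by eye is error-prone, so here is an added example (not part of the original post and not GMER code) that parses these lines and groups them per process: how many exports are patched, whether the detours for each hooked DLL land on one 64 KiB trampoline page or are scattered, and which entries are byte patches rather than jumps (such as the `XOR EAX, EAX; RET 0x4` stub on realsched.exe). The sample lines are copied from the log in this thread; the function names and the "one page per DLL" heuristic are mine, and a tidy grouping only tells you the hooks look like one hook engine's work, not which product owns them. The log does not print the owning module for these hooks, so that still has to be confirmed separately.

```python
"""Triage helper for GMER 'User code sections' (.text) hook lines.

Added example for this thread; not part of GMER or of the original post.
Parses lines of the two shapes GMER emits for user-mode hooks:

  .text <process>[<pid>] <module>!<export>[ + <off>] <addr> <n> Bytes JMP <target>
  .text <process>[<pid>] <module>!<export> <addr> <n> Bytes [<hex>, ...] {<asm>}

and summarises them per process.  A hook engine injected by one product
normally routes every patched export of a given DLL to one small
trampoline page; detours for one DLL that scatter across many pages are
worth a closer look.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)"
    r"(?:\s+\+\s*(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+(?P<rest>.*)$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})\s*$")
BYTES_RE = re.compile(r"^\[(?P<bytes>[0-9A-Fa-f ,]+)\]")

# Sample input: lines copied verbatim from the GMER log posted in this thread.
SAMPLE_LINES = [
    r".text C:\WINDOWS\system32\svchost.exe[1808] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009E0000",
    r".text C:\WINDOWS\system32\svchost.exe[1808] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009E0011",
    r".text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009D0000",
    r".text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009D0F50",
    r".text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A50F97",
    r".text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C5, 88]",
    r".text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A00FB7",
    r".text C:\WINDOWS\system32\svchost.exe[1808] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009F0000",
    r".text C:\program files\real\realplayer\update\realsched.exe[3252] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}",
]


def parse_hook_line(line):
    """Return a dict for one GMER .text line, or None if the line is not one."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "process": m.group("proc"),          # full path plus [pid], used as the grouping key
        "pid": int(m.group("pid")),
        "module": m.group("module").lower(),  # hooked DLL, case-folded for grouping
        "export": m.group("export"),
        "offset": int(m.group("off") or 0),   # '+ 3' continuation records carry an offset
        "address": int(m.group("addr"), 16),  # patched address inside the DLL
        "length": int(m.group("n")),          # number of bytes overwritten
        "target": None,
    }
    rest = m.group("rest").strip()
    j = JMP_RE.match(rest)
    if j:
        rec["kind"] = "jmp"
        rec["target"] = int(j.group("target"), 16)
        return rec
    b = BYTES_RE.match(rest)
    if b:
        rec["kind"] = "patch"  # raw bytes written in place instead of a detour
        rec["bytes"] = [int(x, 16) for x in b.group("bytes").split(",")]
        return rec
    rec["kind"] = "other"
    return rec


def summarize(lines):
    """Group parsed hooks per process: count, trampoline pages per DLL, byte patches."""
    out = {}
    for line in lines:
        rec = parse_hook_line(line)
        if rec is None:
            continue
        s = out.setdefault(rec["process"], {
            "hooks": 0, "modules": defaultdict(set), "pages": set(), "patches": []})
        s["hooks"] += 1
        if rec["kind"] == "jmp":
            page = rec["target"] >> 16  # 64 KiB page the detour lands in
            s["pages"].add(page)
            s["modules"][rec["module"]].add(page)
        elif rec["kind"] == "patch":
            s["patches"].append((rec["export"], rec["bytes"]))
    return out


def scattered_modules(summary):
    """Processes in which the detours for one DLL jump to more than one page."""
    flagged = {}
    for proc, s in summary.items():
        mods = sorted(m for m, pages in s["modules"].items() if len(pages) > 1)
        if mods:
            flagged[proc] = mods
    return flagged


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for proc, s in summary.items():
        pages = ", ".join("%04X0000" % p for p in sorted(s["pages"]))
        print("%s: %d hook records, detour pages: %s" % (proc, s["hooks"], pages or "none"))
        for mod, mpages in sorted(s["modules"].items()):
            print("    %-14s -> %s" % (mod, ", ".join("%04X0000" % p for p in sorted(mpages))))
        for export, raw in s["patches"]:
            print("    patch on %s: %s" % (export, " ".join("%02X" % b for b in raw)))
    print("scattered:", scattered_modules(summary) or "none")
```

Run it against the full log by reading the GMER text file and passing its lines to `summarize()`; for the excerpt above it reports one detour page per hooked DLL in svchost.exe[1808] and a pure byte patch (no detour) on realsched.exe, which is why `scattered_modules()` comes back empty.
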
#14 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 06 July 2011 - 01:10 PM

Try removing McAfee to see if the issues are persistent.

#15 j_curley0712
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male

Posted 06 July 2011 - 06:35 PM

What issues are you talking about?
