Repeated malware intrusions


5 replies to this topic

#1 faith766


Posted 30 December 2011 - 11:14 PM

Hello,

I recently was infected by Security Sphere (2012) and removed it using the guide posted here at BleepingComputer. However, that is not all: a few months ago I was infected with another piece of malware, Win 7 Total Security, along with Google redirects.

These repeated intrusions made me wonder if there is some sort of rootkit hidden in my computer, because in both cases the malware intrusion seemed to come out of nowhere.

On a side note:
I ran Rkill after I "removed" Security Sphere and it ended up ending a few processes such as Akamai Netsession... I am not sure how it would relate to an infection, but I thought I should include it just in case.
Also, MBAM showed no infected objects AFTER Security Sphere had been removed, but showed 4 infected files before I removed the malware.

This is just a precautionary measure that I wished to take. If anyone wishes to address this issue, it would be greatly appreciated.

Faith ^_^


#2 boopme


Posted 30 December 2011 - 11:29 PM

Hello. Let's take a look at these results.


Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click Start scan.
  • When it is finished, the utility outputs a list of detected objects with descriptions.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed, and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility writes the log to the root folder of the system disk (usually the disk with the installed operating system, C:\). The log has a name like TDSSKiller.Version_Date_Time_log.txt.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.
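A TDSSKiller log runs to hundreds of lines, and almost all of them end in "- ok"; the entries worth reading are the few that do not. The Python script below is an added example for this thread (it is not part of TDSSKiller or of any post here): it parses lines in the layout TDSSKiller uses and reports only the suspicious, warning and detected entries. The sample log, the service name ExampleSvc and its md5 and path are constructed for the demonstration.

```python
"""Triage a TDSSKiller log: surface the entries that are not '- ok'.

Added example for this thread, not part of TDSSKiller or of any post here.
The line layout is modelled on the TDSSKiller log format discussed in the thread:
    HH:MM:SS.ffff PID <name> (<md5>) <path>
    HH:MM:SS.ffff PID <name> - ok
    HH:MM:SS.ffff PID Suspicious service (Hidden): <name>
    HH:MM:SS.ffff PID Suspicious file (<reason>): <path>. md5: <md5>
    HH:MM:SS.ffff PID <name> ( <detection> ) - warning
    HH:MM:SS.ffff PID <name> - detected <detection> (<count>)
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(.*)$")
ENTRY_RE = re.compile(r"^(\S+) \(([0-9a-fA-F]{32})\) (.+)$")
OK_RE = re.compile(r"^(\S+) - ok$")
WARNING_RE = re.compile(r"^(\S+) \( (.+?) \) - warning$")
DETECTED_RE = re.compile(r"^(\S+) - detected (.+?) \((\d+)\)$")
SUSPICIOUS_RE = re.compile(
    r"^Suspicious (service|file) \(([^)]+)\): (.+?)(?:\. md5: ([0-9a-fA-F]{32}))?$"
)


@dataclass
class Entry:
    """One scanned object (driver/service) and everything the log said about it."""
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: str = "unknown"          # ok | warning | detected | unknown
    detection: Optional[str] = None   # e.g. HiddenService.Multi.Generic
    notes: List[str] = field(default_factory=list)  # the 'Suspicious ...' lines


@dataclass
class Triage:
    scanned: int
    ok: int
    flagged: List[Entry]


def parse_log(text: str) -> Dict[str, Entry]:
    entries: Dict[str, Entry] = {}
    current: Optional[Entry] = None  # entry that following 'Suspicious file' lines belong to

    def get(name: str) -> Entry:
        return entries.setdefault(name, Entry(name))

    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # banner, separator and system-info lines carry no entry
        msg = m.group(1).strip()
        if (v := OK_RE.match(msg)):
            get(v.group(1)).verdict = "ok"
        elif (v := DETECTED_RE.match(msg)):
            e = get(v.group(1))
            e.verdict, e.detection = "detected", v.group(2)
        elif (v := WARNING_RE.match(msg)):
            e = get(v.group(1))
            e.verdict, e.detection = "warning", v.group(2)
        elif (v := SUSPICIOUS_RE.match(msg)):
            kind, reason, target, md5 = v.groups()
            if kind == "service":          # names the service; later file lines refer to it
                current = get(target)
            elif current is None:          # file line with no owning service seen yet
                current = get(target)
            current.notes.append(f"{kind} ({reason}): {target}")
            if md5 and current.md5 is None:
                current.md5 = md5
        elif (v := ENTRY_RE.match(msg)):
            current = get(v.group(1))
            current.md5, current.path = v.group(2), v.group(3)
    return entries


def triage(text: str) -> Triage:
    entries = parse_log(text)
    flagged = sorted((e for e in entries.values() if e.verdict != "ok"), key=lambda e: e.name)
    return Triage(len(entries), sum(1 for e in entries.values() if e.verdict == "ok"), flagged)


def format_report(text: str) -> str:
    """Short, paste-able summary listing only the non-ok entries."""
    t = triage(text)
    lines = [f"{t.scanned} objects scanned, {t.ok} ok, {len(t.flagged)} flagged"]
    for e in t.flagged:
        lines.append(f"- {e.name}: {e.verdict} {e.detection or ''} md5={e.md5} path={e.path}")
        lines.extend(f"    {n}" for n in e.notes)
    return "\n".join(lines)


# Constructed sample in the same layout as a TDSSKiller log; the ExampleSvc service,
# its md5 and its path are made up for this demonstration.
SAMPLE_LOG = r"""
23:48:58.0102 5016 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
23:48:58.0894 5016 ============================================================
23:48:58.0894 5016 OS Version: 6.1.7600 ServicePack: 0.0
23:49:01.0234 5656 Scan started
23:49:01.0957 5656 1394ohci (6d2aca41739bfe8cb86ee8e85f29697d) C:\windows\system32\DRIVERS\1394ohci.sys
23:49:01.0973 5656 1394ohci - ok
23:49:07.0452 5656 catchme - ok
23:49:17.0340 5656 Suspicious service (Hidden): ExampleSvc
23:49:17.0447 5656 ExampleSvc (0123456789abcdef0123456789abcdef) C:\windows\system32\drivers\examplesvc.sys
23:49:17.0447 5656 Suspicious file (NoAccess): C:\windows\system32\drivers\examplesvc.sys. md5: 0123456789abcdef0123456789abcdef
23:49:17.0448 5656 Suspicious file (Hidden): C:\windows\system32\drivers\examplesvc.sys. md5: 0123456789abcdef0123456789abcdef
23:49:17.0449 5656 ExampleSvc ( HiddenService.Multi.Generic ) - warning
23:49:17.0449 5656 ExampleSvc - detected HiddenService.Multi.Generic (1)
"""

if __name__ == "__main__":
    print(format_report(SAMPLE_LOG))
```

A "Hidden" service flag on its own only says the object was not visible through the normal Windows APIs; the md5 and path it reports are what lets the helper check whether the file belongs to a known product before any action is taken.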

#3 faith766


Posted 30 December 2011 - 11:52 PM

Hello,

As it is near midnight here, I ran the TDSS Killer only, and will run the ESET scanner tomorrow. I will edit this post with its results.
Here is the log from TDSS Killer; it DID NOT prompt me to reboot. It found one suspicious threat.

23:48:58.0102 5016 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
23:48:58.0894 5016 ============================================================
23:48:58.0894 5016 Current date / time: 2011/12/30 23:48:58.0894
23:48:58.0894 5016 SystemInfo:
23:48:58.0894 5016
23:48:58.0894 5016 OS Version: 6.1.7600 ServicePack: 0.0
23:48:58.0895 5016 Product type: Workstation
23:48:58.0895 5016 ComputerName: MHVPATEL
23:48:58.0895 5016 UserName: Mihil
23:48:58.0895 5016 Windows directory: C:\windows
23:48:58.0895 5016 System windows directory: C:\windows
23:48:58.0895 5016 Processor architecture: Intel x86
23:48:58.0895 5016 Number of processors: 2
23:48:58.0895 5016 Page size: 0x1000
23:48:58.0895 5016 Boot type: Normal boot
23:48:58.0895 5016 ============================================================
23:48:59.0613 5016 Initialize success
23:49:01.0234 5656 ============================================================
23:49:01.0234 5656 Scan started
23:49:01.0234 5656 Mode: Manual;
23:49:01.0234 5656 ============================================================
23:49:17.0340 5656 Suspicious service (Hidden): MBAMSwissArmy
23:49:17.0447 5656 MBAMSwissArmy (0db7527db188c7d967a37bb51bbf3963) C:\windows\system32\drivers\mbamswissarmy.sys
23:49:17.0447 5656 Suspicious file (NoAccess): C:\windows\system32\drivers\mbamswissarmy.sys. md5: 0db7527db188c7d967a37bb51bbf3963
23:49:17.0448 5656 Suspicious file (Hidden): C:\windows\system32\drivers\mbamswissarmy.sys. md5: 0db7527db188c7d967a37bb51bbf3963
23:49:17.0449 5656 MBAMSwissArmy ( HiddenService.Multi.Generic ) - warning
23:49:17.0449 5656 MBAMSwissArmy - detected HiddenService.Multi.Generic (1)
23:49:31.0411 5656 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\windows\system32\DRIVERS\smb.sys
23:49:31.0414 5656 Smb - ok
23:49:31.0607 5656 snapman (4f7ed0c2f594f1b8e9cafab21eb86126) C:\windows\system32\DRIVERS\snapman.sys
23:49:31.0611 5656 snapman - ok
23:49:31.0780 5656 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\windows\system32\drivers\spldr.sys
23:49:31.0782 5656 spldr - ok
23:49:31.0933 5656 srv (c4a027b8c0bd3fc0699f41fa5e9e0c87) C:\windows\system32\DRIVERS\srv.sys
23:49:31.0940 5656 srv - ok
23:49:32.0067 5656 srv2 (414bb592cad8a79649d01f9d94318fb3) C:\windows\system32\DRIVERS\srv2.sys
23:49:32.0073 5656 srv2 - ok
23:49:32.0204 5656 srvnet (ff207d67700aa18242aaf985d3e7d8f4) C:\windows\system32\DRIVERS\srvnet.sys
23:49:32.0208 5656 srvnet - ok
23:49:32.0350 5656 stexstor (db32d325c192b801df274bfd12a7e72b) C:\windows\system32\DRIVERS\stexstor.sys
23:49:32.0352 5656 stexstor - ok
23:49:32.0470 5656 swenum (e58c78a848add9610a4db6d214af5224) C:\windows\system32\DRIVERS\swenum.sys
23:49:32.0472 5656 swenum - ok
23:49:32.0682 5656 SynTP (3f4982de07d89a1084861e9d59f7ebb1) C:\windows\system32\DRIVERS\SynTP.sys
23:49:32.0686 5656 SynTP - ok
23:49:32.0898 5656 Tcpip (56c198ac82efa622dd93e9e43575f79c) C:\windows\system32\drivers\tcpip.sys
23:49:32.0919 5656 Tcpip - ok
23:49:33.0100 5656 TCPIP6 (56c198ac82efa622dd93e9e43575f79c) C:\windows\system32\DRIVERS\tcpip.sys
23:49:33.0112 5656 TCPIP6 - ok
23:49:33.0258 5656 tcpipreg (e64444523add154f86567c469bc0b17f) C:\windows\system32\drivers\tcpipreg.sys
23:49:33.0260 5656 tcpipreg - ok
23:49:33.0420 5656 tdcmdpst (4084ea00d50c858d6f9038f86ae2e2d0) C:\windows\system32\DRIVERS\tdcmdpst.sys
23:49:33.0423 5656 tdcmdpst - ok
23:49:33.0524 5656 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\windows\system32\drivers\tdpipe.sys
23:49:33.0527 5656 TDPIPE - ok
23:49:33.0735 5656 tdrpman258 (8de3e45000ba8c9ebb16737d3f83e216) C:\windows\system32\DRIVERS\tdrpm258.sys
23:49:33.0747 5656 tdrpman258 - ok
23:49:33.0847 5656 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\windows\system32\drivers\tdtcp.sys
23:49:33.0851 5656 TDTCP - ok
23:49:33.0966 5656 tdx (cb39e896a2a83702d1737bfd402b3542) C:\windows\system32\DRIVERS\tdx.sys
23:49:33.0969 5656 tdx - ok
23:49:34.0080 5656 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\windows\system32\DRIVERS\termdd.sys
23:49:34.0083 5656 TermDD - ok
23:49:34.0229 5656 Thpdrv (9528f2a39cb660a49f0592d57127f370) C:\windows\system32\DRIVERS\thpdrv.sys
23:49:34.0232 5656 Thpdrv - ok
23:49:34.0348 5656 Thpevm (e17dcde74ff00ca802643b4a9a4a4a5c) C:\windows\system32\DRIVERS\Thpevm.SYS
23:49:34.0351 5656 Thpevm - ok
23:49:34.0524 5656 timounter (3e06987fedbcdfbff8e85ef8108565f9) C:\windows\system32\DRIVERS\timntr.sys
23:49:34.0532 5656 timounter - ok
23:49:34.0749 5656 tos_sps32 (969377943fe7284609babbab4e06b93c) C:\windows\system32\DRIVERS\tos_sps32.sys
23:49:34.0755 5656 tos_sps32 - ok
23:49:34.0898 5656 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\windows\system32\DRIVERS\tssecsrv.sys
23:49:34.0900 5656 tssecsrv - ok
23:49:35.0018 5656 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\windows\system32\DRIVERS\tunnel.sys
23:49:35.0022 5656 tunnel - ok
23:49:35.0150 5656 TVALZ (fc24015b4052600c324c43e3a79c0664) C:\windows\system32\DRIVERS\TVALZ_O.SYS
23:49:35.0153 5656 TVALZ - ok
23:49:35.0255 5656 TVALZFL (866462f5ae3f375ef83ef9dce436031c) C:\windows\system32\DRIVERS\TVALZFL.sys
23:49:35.0257 5656 TVALZFL - ok
23:49:35.0369 5656 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\windows\system32\DRIVERS\uagp35.sys
23:49:35.0372 5656 uagp35 - ok
23:49:35.0491 5656 udfs (09cc3e16f8e5ee7168e01cf8fcbe061a) C:\windows\system32\DRIVERS\udfs.sys
23:49:35.0496 5656 udfs - ok
23:49:35.0693 5656 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\windows\system32\DRIVERS\uliagpkx.sys
23:49:35.0696 5656 uliagpkx - ok
23:49:35.0840 5656 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\windows\system32\DRIVERS\umbus.sys
23:49:35.0843 5656 umbus - ok
23:49:35.0945 5656 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\windows\system32\DRIVERS\umpass.sys
23:49:35.0947 5656 UmPass - ok
23:49:36.0105 5656 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\windows\system32\Drivers\usbaapl.sys
23:49:36.0108 5656 USBAAPL - ok
23:49:36.0254 5656 usbccgp (c31ae588e403042632dc796cf09e30b0) C:\windows\system32\DRIVERS\usbccgp.sys
23:49:36.0257 5656 usbccgp - ok
23:49:36.0380 5656 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\windows\system32\DRIVERS\usbcir.sys
23:49:36.0383 5656 usbcir - ok
23:49:36.0510 5656 usbehci (e4c436d914768ce965d5e659ba7eebd8) C:\windows\system32\DRIVERS\usbehci.sys
23:49:36.0513 5656 usbehci - ok
23:49:36.0655 5656 usbhub (bdcd7156ec37448f08633fd899823620) C:\windows\system32\DRIVERS\usbhub.sys
23:49:36.0662 5656 usbhub - ok
23:49:36.0822 5656 usbohci (eb2d819a639015253c871cda09d91d58) C:\windows\system32\drivers\usbohci.sys
23:49:36.0825 5656 usbohci - ok
23:49:36.0937 5656 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\windows\system32\DRIVERS\usbprint.sys
23:49:36.0939 5656 usbprint - ok
23:49:37.0064 5656 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\windows\system32\DRIVERS\usbscan.sys
23:49:37.0067 5656 usbscan - ok
23:49:37.0196 5656 USBSTOR (1c4287739a93594e57e2a9e6a3ed7353) C:\windows\system32\DRIVERS\USBSTOR.SYS
23:49:37.0200 5656 USBSTOR - ok
23:49:37.0318 5656 usbuhci (22480bf4e5a09192e5e30ba4dde79fa4) C:\windows\system32\DRIVERS\usbuhci.sys
23:49:37.0321 5656 usbuhci - ok
23:49:37.0449 5656 usbvideo (b5f6a992d996282b7fae7048e50af83a) C:\windows\System32\Drivers\usbvideo.sys
23:49:37.0454 5656 usbvideo - ok
23:49:37.0598 5656 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\windows\system32\DRIVERS\vdrvroot.sys
23:49:37.0601 5656 vdrvroot - ok
23:49:37.0775 5656 vga (17c408214ea61696cec9c66e388b14f3) C:\windows\system32\DRIVERS\vgapnp.sys
23:49:37.0778 5656 vga - ok
23:49:37.0894 5656 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\windows\System32\drivers\vga.sys
23:49:37.0897 5656 VgaSave - ok
23:49:38.0012 5656 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\windows\system32\DRIVERS\vhdmp.sys
23:49:38.0017 5656 vhdmp - ok
23:49:38.0165 5656 viaagp (c829317a37b4bea8f39735d4b076e923) C:\windows\system32\DRIVERS\viaagp.sys
23:49:38.0168 5656 viaagp - ok
23:49:38.0276 5656 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\windows\system32\DRIVERS\viac7.sys
23:49:38.0281 5656 ViaC7 - ok
23:49:38.0393 5656 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\windows\system32\DRIVERS\viaide.sys
23:49:38.0396 5656 viaide - ok
23:49:38.0501 5656 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\windows\system32\DRIVERS\volmgr.sys
23:49:38.0504 5656 volmgr - ok
23:49:38.0544 5656 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\windows\system32\drivers\volmgrx.sys
23:49:38.0551 5656 volmgrx - ok
23:49:38.0741 5656 volsnap (58df9d2481a56edde167e51b334d44fd) C:\windows\system32\DRIVERS\volsnap.sys
23:49:38.0746 5656 volsnap - ok
23:49:38.0870 5656 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\windows\system32\DRIVERS\vsmraid.sys
23:49:38.0874 5656 vsmraid - ok
23:49:38.0994 5656 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\windows\system32\DRIVERS\vwifibus.sys
23:49:38.0999 5656 vwifibus - ok
23:49:39.0127 5656 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\windows\system32\DRIVERS\vwififlt.sys
23:49:39.0130 5656 vwififlt - ok
23:49:39.0276 5656 vwifimp (a3f04cbea6c2a10e6cb01f8b47611882) C:\windows\system32\DRIVERS\vwifimp.sys
23:49:39.0281 5656 vwifimp - ok
23:49:39.0402 5656 WacomPen (de3721e89c653aa281428c8a69745d90) C:\windows\system32\DRIVERS\wacompen.sys
23:49:39.0405 5656 WacomPen - ok
23:49:39.0524 5656 WANARP (692a712062146e96d28ba0b7d75de31b) C:\windows\system32\DRIVERS\wanarp.sys
23:49:39.0527 5656 WANARP - ok
23:49:39.0537 5656 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\windows\system32\DRIVERS\wanarp.sys
23:49:39.0540 5656 Wanarpv6 - ok
23:49:39.0682 5656 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\windows\system32\DRIVERS\wd.sys
23:49:39.0685 5656 Wd - ok
23:49:39.0806 5656 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\windows\system32\DRIVERS\wdcsam.sys
23:49:39.0809 5656 WDC_SAM - ok
23:49:39.0981 5656 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\windows\system32\drivers\Wdf01000.sys
23:49:39.0990 5656 Wdf01000 - ok
23:49:40.0142 5656 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\windows\system32\DRIVERS\wfplwf.sys
23:49:40.0145 5656 WfpLwf - ok
23:49:40.0260 5656 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\windows\system32\drivers\wimmount.sys
23:49:40.0264 5656 WIMMount - ok
23:49:40.0454 5656 WinUsb (30fc6e5448d0cbaaa95280eeef7fedae) C:\windows\system32\DRIVERS\WinUsb.sys
23:49:40.0457 5656 WinUsb - ok
23:49:40.0581 5656 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\windows\system32\DRIVERS\wmiacpi.sys
23:49:40.0584 5656 WmiAcpi - ok
23:49:40.0785 5656 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\windows\system32\drivers\ws2ifsl.sys
23:49:40.0787 5656 ws2ifsl - ok
23:49:40.0928 5656 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\windows\system32\drivers\WudfPf.sys
23:49:40.0932 5656 WudfPf - ok
23:49:41.0064 5656 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\windows\system32\DRIVERS\WUDFRd.sys
23:49:41.0068 5656 WUDFRd - ok
23:49:41.0144 5656 MBR (0x1B8) (5b5e648d12fcadc244c1ec30318e1eb9) \Device\Harddisk0\DR0
23:49:41.0219 5656 \Device\Harddisk0\DR0 - ok
23:49:41.0251 5656 Boot (0x1200) (7d5bc0e35c3a4d60ad092b8e8376463e) \Device\Harddisk0\DR0\Partition0
23:49:41.0252 5656 \Device\Harddisk0\DR0\Partition0 - ok
23:49:41.0253 5656 ============================================================
23:49:41.0253 5656 Scan finished
23:49:41.0253 5656 ============================================================
23:49:41.0272 1560 Detected object count: 1
23:49:41.0272 1560 Actual detected object count: 1
23:49:53.0825 1560 MBAMSwissArmy ( HiddenService.Multi.Generic ) - skipped by user
23:49:53.0825 1560 MBAMSwissArmy ( HiddenService.Multi.Generic ) - User select action: Skip

#4 boopme (Global Moderator)

Posted 31 December 2011 - 07:37 PM

OK, that was good. Let me know about ESET, and since this is a holiday I will post this to run, as we may miss each other.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
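The log GMER produces lists each hook on one line: section, an optional process[pid] for user-mode hooks, module!function, the hooked address, the patch size, the JMP target and, when GMER can resolve it, the driver that owns the target. As an added example (not from this thread and not GMER's own code), a parser for that format with a triage pass that separates attributed from unattributed hooks and lists the APIs hooked identically in every process; the sample lines are taken from the GMER log posted in this thread, and the 64 KiB bucketing of targets is an assumption about allocation granularity used only for reporting.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Added example, not from this thread and not GMER's own code: parse the hook lines
# GMER prints under "Kernel code sections" / "User code sections" and triage them.
# Line shape: <section> [<process>[pid]] <module>!<function> <addr> <n> Bytes JMP <target> [<owner> (<vendor>)]
HOOK_RE = re.compile(
    r"^(?P<section>\.\w+|PAGE)\s+"
    r"(?:(?P<process>\S+)\[(?P<pid>\d+)\]\s+)?"          # present only for user-mode hooks
    r"(?P<module>[\w.]+)!(?P<function>\w+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes?\s+JMP\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<owner>\S+)\s+\((?P<vendor>[^)]*)\))?\s*$",  # owner only when GMER resolved the target
    re.IGNORECASE,
)
# Image anomalies GMER reports on driver files, e.g. "... tos_sps32.sys section is writeable [...]"
IMAGE_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<image>\S+)\s+"
    r"(?P<what>section is writeable|unknown last section)\s+\[(?P<detail>[^\]]*)\]"
)

@dataclass
class Hook:
    kernel: bool            # True for ntkrnlpa.exe hooks, False for per-process hooks
    process: Optional[str]  # image path of the hooked process (user mode only)
    pid: Optional[int]
    module: str
    function: str
    size: int               # patched bytes (5 = classic E9 rel32 JMP)
    target: int             # where the JMP lands
    owner: Optional[str]    # driver GMER attributed the target to, or None

def parse_gmer(text: str):
    """Return (hooks, image_findings) parsed from the text of a GMER log."""
    hooks, images = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append(Hook(
                kernel=m["process"] is None,
                process=m["process"], pid=int(m["pid"]) if m["pid"] else None,
                module=m["module"], function=m["function"],
                size=int(m["size"]), target=int(m["target"], 16), owner=m["owner"],
            ))
            continue
        m = IMAGE_RE.match(line)
        if m:
            images.append((m["image"], m["what"], m["detail"]))
    return hooks, images

def triage(hooks):
    """Kernel hooks without an attributed owner are listed individually; user-mode hooks are
    grouped per process with JMP targets bucketed into 64 KiB regions (assumption, reporting only).
    APIs hooked in *every* process point at one system-wide hooking component; the log alone
    cannot say whether that is security software or malware - the target memory must be examined."""
    per_proc = defaultdict(lambda: {"hooks": 0, "unattributed_regions": set(), "functions": set()})
    kernel_unattributed = []
    for h in hooks:
        if h.kernel:
            if h.owner is None:
                kernel_unattributed.append(f"{h.module}!{h.function} -> {h.target:08X}")
            continue
        entry = per_proc[f"{h.process}[{h.pid}]"]
        entry["hooks"] += 1
        entry["functions"].add(f"{h.module}!{h.function}")
        if h.owner is None:
            entry["unattributed_regions"].add(h.target & 0xFFFF0000)
    common = set.intersection(*(e["functions"] for e in per_proc.values())) if per_proc else set()
    return {"per_process": dict(per_proc), "kernel_unattributed": kernel_unattributed,
            "common_functions": common}

# Sample input: lines taken from the GMER log posted in this thread.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 83847128 5 Bytes JMP 8479F0A8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 83A9B446 7 Bytes JMP 8479F0BC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8385F5D9 1 Byte [06]
.text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8455E000, 0x3C849, 0xE8000020]
.dsrt C:\windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x845A3000, 0x3DC, 0x48000040]
---- User code sections - GMER 1.0.15 ----
.text C:\windows\System32\svchost.exe[496] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 003D0000
.text C:\windows\System32\svchost.exe[496] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 001E00AF
.text C:\windows\System32\svchost.exe[496] WS2_32.dll!socket 77013F00 5 Bytes JMP 003E0FEF
.text C:\windows\system32\lsass.exe[956] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 000D000A
.text C:\windows\system32\lsass.exe[956] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 000C00E9
.text C:\windows\system32\lsass.exe[956] WS2_32.dll!socket 77013F00 5 Bytes JMP 000E0000
"""

if __name__ == "__main__":
    hooks, images = parse_gmer(SAMPLE_LOG)
    report = triage(hooks)
    for image, what, detail in images:
        print(f"IMAGE  {image}: {what} [{detail}]")
    for proc, e in report["per_process"].items():
        regions = ", ".join(f"{r:08X}" for r in sorted(e["unattributed_regions"]))
        print(f"USER   {proc}: {e['hooks']} hooks -> unattributed regions {regions}")
    print("kernel unattributed:", report["kernel_unattributed"], "| hooked everywhere:", sorted(report["common_functions"]))
```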

#5 faith766 (Topic Starter)

Posted 02 January 2012 - 11:52 PM

Sorry for the huge delay. I was busy with the New Year celebrations. Anyways, after many long hours of scanning, I've got the logs for the ESET scan and the GMER scan.

Here they are:

ESET Online Scan

C:\Users\Mihil\Downloads\SoftonicDownloader_for_adobe-photoshop.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined

GMER Log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-02 23:44:01
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.FG02
Running: 0tm47gfi.exe; Driver: C:\Users\Mihil\AppData\Local\Temp\kwliypoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8479F0B8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8479F0E2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8479F0CE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8479F0A4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 83847128 5 Bytes JMP 8479F0A8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8385F5D9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83884092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwTerminateProcess 83A7E0AD 5 Bytes JMP 8479F0E6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 83A9824B 5 Bytes JMP 8479F0D2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 83A9B446 7 Bytes JMP 8479F0BC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8455E000, 0x3C849, 0xE8000020]
.dsrt C:\windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x845A3000, 0x3DC, 0x48000040]

---- User code sections - GMER 1.0.15 ----

.text C:\windows\system32\svchost.exe[1156] WS2_32.dll!socket 77013F00 5 Bytes JMP 00270FE5
.text C:\windows\System32\svchost.exe[1212] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 00E40000
.text C:\windows\System32\svchost.exe[1212] ntdll.dll!NtCreateProcess 77494940 5 Bytes JMP 00E4002F
.text C:\windows\System32\svchost.exe[1212] ntdll.dll!NtProtectVirtualMemory 774951C0 5 Bytes JMP 00E40FEF
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 76B81DF0 5 Bytes JMP 00A6006C
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 00A60F03
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!CreateProcessA 76B82062 5 Bytes JMP 00A60098
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 76BB1FEE 5 Bytes JMP 00A60011
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!CreatePipe 76BB4AAB 5 Bytes JMP 00A60F43
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!VirtualProtect 76BC50CB 5 Bytes JMP 00A60F6F
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 76BCB647 5 Bytes JMP 00A60F8A
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 76BCBC13 5 Bytes JMP 00A60047
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!CreateFileW 76BD0AFD 5 Bytes JMP 00A60FCA
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!GetProcAddress 76BD17D7 5 Bytes JMP 00A60EE8
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!LoadLibraryA 76BD2804 5 Bytes JMP 00A60FA5
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!LoadLibraryW 76BD2852 5 Bytes JMP 00A6002C
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!CreateFileA 76BD289C 5 Bytes JMP 00A60FEF
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 76BD7C55 5 Bytes JMP 00A60F1E
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 76C0D577 5 Bytes JMP 00A60000
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!WinExec 76C0E739 5 Bytes JMP 00A6007D
.text C:\windows\System32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 76C0F6F1 5 Bytes JMP 00A60F5E
.text C:\windows\System32\svchost.exe[1212] msvcrt.dll!_open 775F7E48 5 Bytes JMP 00EF0FE3
.text C:\windows\System32\svchost.exe[1212] msvcrt.dll!_wsystem 7762B04F 5 Bytes JMP 00EF0FAD
.text C:\windows\System32\svchost.exe[1212] msvcrt.dll!system 7762B16F 5 Bytes JMP 00EF0038
.text C:\windows\System32\svchost.exe[1212] msvcrt.dll!_creat 7762ED29 5 Bytes JMP 00EF000C
.text C:\windows\System32\svchost.exe[1212] msvcrt.dll!_wcreat 7763038E 3 Bytes JMP 00EF0027
.text C:\windows\System32\svchost.exe[1212] msvcrt.dll!_wcreat + 4 77630392 1 Byte [89]
.text C:\windows\System32\svchost.exe[1212] msvcrt.dll!_wopen 77630570 5 Bytes JMP 00EF0FD2
.text C:\windows\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 7725D2ED 5 Bytes JMP 00EE000A
.text C:\windows\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 7725D3C1 5 Bytes JMP 00EE0039
.text C:\windows\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 77261B71 5 Bytes JMP 00EE0FA1
.text C:\windows\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 77261CC0 5 Bytes JMP 00EE0FB2
.text C:\windows\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 77263129 5 Bytes JMP 00EE0FEF
.text C:\windows\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 7726B946 5 Bytes JMP 00EE005E
.text C:\windows\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 7726BC0D 5 Bytes JMP 00EE0FDE
.text C:\windows\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 7726BEC4 5 Bytes JMP 00EE0FCD
.text C:\windows\System32\svchost.exe[1212] WS2_32.dll!socket 77013F00 5 Bytes JMP 00ED0FE5
.text C:\windows\System32\svchost.exe[1264] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 009F0FEF
.text C:\windows\System32\svchost.exe[1264] ntdll.dll!NtCreateProcess 77494940 5 Bytes JMP 009F0FD4
.text C:\windows\System32\svchost.exe[1264] ntdll.dll!NtProtectVirtualMemory 774951C0 5 Bytes JMP 009F000A
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!GetStartupInfoA 76B81DF0 5 Bytes JMP 009200D8
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 009200F3
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!CreateProcessA 76B82062 5 Bytes JMP 00920F68
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!CreateNamedPipeW 76BB1FEE 5 Bytes JMP 00920051
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!CreatePipe 76BB4AAB 5 Bytes JMP 009200C7
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!VirtualProtect 76BC50CB 5 Bytes JMP 0092009B
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!LoadLibraryExW 76BCB647 5 Bytes JMP 00920FB9
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!LoadLibraryExA 76BCBC13 5 Bytes JMP 00920080
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!CreateFileW 76BD0AFD 5 Bytes JMP 00920025
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!GetProcAddress 76BD17D7 5 Bytes JMP 00920F39
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!LoadLibraryA 76BD2804 5 Bytes JMP 00920FE5
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!LoadLibraryW 76BD2852 5 Bytes JMP 00920FD4
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!CreateFileA 76BD289C 5 Bytes JMP 0092000A
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!GetStartupInfoW 76BD7C55 5 Bytes JMP 00920F9E
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!CreateNamedPipeA 76C0D577 5 Bytes JMP 00920040
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!WinExec 76C0E739 5 Bytes JMP 00920F83
.text C:\windows\System32\svchost.exe[1264] kernel32.dll!VirtualProtectEx 76C0F6F1 5 Bytes JMP 009200AC
.text C:\windows\System32\svchost.exe[1264] msvcrt.dll!_open 775F7E48 5 Bytes JMP 00D30000
.text C:\windows\System32\svchost.exe[1264] msvcrt.dll!_wsystem 7762B04F 5 Bytes JMP 00D3004A
.text C:\windows\System32\svchost.exe[1264] msvcrt.dll!system 7762B16F 5 Bytes JMP 00D30FB5
.text C:\windows\System32\svchost.exe[1264] msvcrt.dll!_creat 7762ED29 5 Bytes JMP 00D30011
.text C:\windows\System32\svchost.exe[1264] msvcrt.dll!_wcreat 7763038E 5 Bytes JMP 00D30FC6
.text C:\windows\System32\svchost.exe[1264] msvcrt.dll!_wopen 77630570 5 Bytes JMP 00D30FD7
.text C:\windows\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyA 7725D2ED 5 Bytes JMP 00A10000
.text C:\windows\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyA 7725D3C1 5 Bytes JMP 00A10FAF
.text C:\windows\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExA 77261B71 5 Bytes JMP 00A10036
.text C:\windows\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyW 77261CC0 5 Bytes JMP 00A10F9E
.text C:\windows\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyW 77263129 5 Bytes JMP 00A1001B
.text C:\windows\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExW 7726B946 5 Bytes JMP 00A10051
.text C:\windows\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExA 7726BC0D 5 Bytes JMP 00A10FE5
.text C:\windows\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExW 7726BEC4 5 Bytes JMP 00A10FD4
.text C:\windows\System32\svchost.exe[1264] WS2_32.dll!socket 77013F00 5 Bytes JMP 00A00FEF
.text C:\windows\system32\svchost.exe[1292] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 00D60000
.text C:\windows\system32\svchost.exe[1292] ntdll.dll!NtCreateProcess 77494940 5 Bytes JMP 00D60FD4
.text C:\windows\system32\svchost.exe[1292] ntdll.dll!NtProtectVirtualMemory 774951C0 5 Bytes JMP 00D60FEF
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!GetStartupInfoA 76B81DF0 5 Bytes JMP 00D50F97
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 00D50F46
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!CreateProcessA 76B82062 5 Bytes JMP 00D50F61
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!CreateNamedPipeW 76BB1FEE 5 Bytes JMP 00D50040
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!CreatePipe 76BB4AAB 5 Bytes JMP 00D50FA8
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!VirtualProtect 76BC50CB 5 Bytes JMP 00D50FC3
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!LoadLibraryExW 76BCB647 5 Bytes JMP 00D5009B
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!LoadLibraryExA 76BCBC13 5 Bytes JMP 00D50FDE
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!CreateFileW 76BD0AFD 5 Bytes JMP 00D5000A
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!GetProcAddress 76BD17D7 5 Bytes JMP 00D500F6
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!LoadLibraryA 76BD2804 5 Bytes JMP 00D50065
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!LoadLibraryW 76BD2852 5 Bytes JMP 00D50076
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!CreateFileA 76BD289C 5 Bytes JMP 00D50FEF
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!GetStartupInfoW 76BD7C55 5 Bytes JMP 00D500DB
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!CreateNamedPipeA 76C0D577 5 Bytes JMP 00D50025
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!WinExec 76C0E739 5 Bytes JMP 00D50F72
.text C:\windows\system32\svchost.exe[1292] kernel32.dll!VirtualProtectEx 76C0F6F1 5 Bytes JMP 00D500B6
.text C:\windows\system32\svchost.exe[1292] msvcrt.dll!_open 775F7E48 5 Bytes JMP 00E40FEF
.text C:\windows\system32\svchost.exe[1292] msvcrt.dll!_wsystem 7762B04F 5 Bytes JMP 00E40045
.text C:\windows\system32\svchost.exe[1292] msvcrt.dll!system 7762B16F 5 Bytes JMP 00E40FB0
.text C:\windows\system32\svchost.exe[1292] msvcrt.dll!_creat 7762ED29 5 Bytes JMP 00E4000C
.text C:\windows\system32\svchost.exe[1292] msvcrt.dll!_wcreat 7763038E 5 Bytes JMP 00E40FC1
.text C:\windows\system32\svchost.exe[1292] msvcrt.dll!_wopen 77630570 5 Bytes JMP 00E40FD2
.text C:\windows\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyA 7725D2ED 5 Bytes JMP 00D80FE5
.text C:\windows\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyA 7725D3C1 5 Bytes JMP 00D8000A
.text C:\windows\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExA 77261B71 5 Bytes JMP 00D8001B
.text C:\windows\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyW 77261CC0 5 Bytes JMP 00D80F83
.text C:\windows\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyW 77263129 5 Bytes JMP 00D80FD4
.text C:\windows\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExW 7726B946 5 Bytes JMP 00D8002C
.text C:\windows\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExA 7726BC0D 5 Bytes JMP 00D80FB9
.text C:\windows\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExW 7726BEC4 5 Bytes JMP 00D80FA8
.text C:\windows\system32\svchost.exe[1292] WS2_32.dll!socket 77013F00 5 Bytes JMP 00D70FE5
.text C:\windows\system32\svchost.exe[1400] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 0095000A
.text C:\windows\system32\svchost.exe[1400] ntdll.dll!NtCreateProcess 77494940 5 Bytes JMP 00950025
.text C:\windows\system32\svchost.exe[1400] ntdll.dll!NtProtectVirtualMemory 774951C0 5 Bytes JMP 00950FEF
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoA 76B81DF0 5 Bytes JMP 00550F54
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 00550F1E
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!CreateProcessA 76B82062 5 Bytes JMP 005500B3
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeW 76BB1FEE 5 Bytes JMP 00550FCA
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!CreatePipe 76BB4AAB 5 Bytes JMP 0055007D
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!VirtualProtect 76BC50CB 5 Bytes JMP 00550F79
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExW 76BCB647 5 Bytes JMP 00550051
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExA 76BCBC13 5 Bytes JMP 00550040
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!CreateFileW 76BD0AFD 5 Bytes JMP 00550FE5
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!GetProcAddress 76BD17D7 5 Bytes JMP 00550F0D
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!LoadLibraryA 76BD2804 5 Bytes JMP 00550FB9
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!LoadLibraryW 76BD2852 5 Bytes JMP 00550F9E
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!CreateFileA 76BD289C 5 Bytes JMP 00550000
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoW 76BD7C55 5 Bytes JMP 00550F43
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeA 76C0D577 5 Bytes JMP 0055001B
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!WinExec 76C0E739 5 Bytes JMP 005500A2
.text C:\windows\system32\svchost.exe[1400] kernel32.dll!VirtualProtectEx 76C0F6F1 5 Bytes JMP 0055006C
.text C:\windows\system32\svchost.exe[1400] msvcrt.dll!_open 775F7E48 5 Bytes JMP 00A4000C
.text C:\windows\system32\svchost.exe[1400] msvcrt.dll!_wsystem 7762B04F 5 Bytes JMP 00A40033
.text C:\windows\system32\svchost.exe[1400] msvcrt.dll!system 7762B16F 5 Bytes JMP 00A40FB2
.text C:\windows\system32\svchost.exe[1400] msvcrt.dll!_creat 7762ED29 5 Bytes JMP 00A40FDE
.text C:\windows\system32\svchost.exe[1400] msvcrt.dll!_wcreat 7763038E 5 Bytes JMP 00A40FC3
.text C:\windows\system32\svchost.exe[1400] msvcrt.dll!_wopen 77630570 5 Bytes JMP 00A40FEF
.text C:\windows\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyA 7725D2ED 5 Bytes JMP 00970000
.text C:\windows\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyA 7725D3C1 5 Bytes JMP 00970FC0
.text C:\windows\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExA 77261B71 5 Bytes JMP 00970F94
.text C:\windows\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW 77261CC0 5 Bytes JMP 00970FA5
.text C:\windows\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyW 77263129 5 Bytes JMP 0097001B
.text C:\windows\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExW 7726B946 5 Bytes JMP 00970F83
.text C:\windows\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExA 7726BC0D 5 Bytes JMP 00970FE5
.text C:\windows\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExW 7726BEC4 5 Bytes JMP 0097002C
.text C:\windows\system32\svchost.exe[1400] WS2_32.dll!socket 77013F00 5 Bytes JMP 00960FE5
.text C:\windows\system32\svchost.exe[1496] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 008F0FE5
.text C:\windows\system32\svchost.exe[1496] ntdll.dll!NtCreateProcess 77494940 5 Bytes JMP 008F0FAF
.text C:\windows\system32\svchost.exe[1496] ntdll.dll!NtProtectVirtualMemory 774951C0 5 Bytes JMP 008F0FCA
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!GetStartupInfoA 76B81DF0 5 Bytes JMP 00890F6F
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 008900FA
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!CreateProcessA 76B82062 5 Bytes JMP 008900DF
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!CreateNamedPipeW 76BB1FEE 5 Bytes JMP 00890040
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!CreatePipe 76BB4AAB 5 Bytes JMP 0089008E
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!VirtualProtect 76BC50CB 5 Bytes JMP 0089006C
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!LoadLibraryExW 76BCB647 5 Bytes JMP 00890F94
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!LoadLibraryExA 76BCBC13 5 Bytes JMP 0089005B
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!CreateFileW 76BD0AFD 5 Bytes JMP 00890025
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!GetProcAddress 76BD17D7 5 Bytes JMP 00890F4A
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!LoadLibraryA 76BD2804 5 Bytes JMP 00890FD4
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!LoadLibraryW 76BD2852 5 Bytes JMP 00890FC3
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!CreateFileA 76BD289C 5 Bytes JMP 0089000A
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!GetStartupInfoW 76BD7C55 5 Bytes JMP 008900BD
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!CreateNamedPipeA 76C0D577 5 Bytes JMP 00890FEF
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!WinExec 76C0E739 5 Bytes JMP 008900CE
.text C:\windows\system32\svchost.exe[1496] kernel32.dll!VirtualProtectEx 76C0F6F1 5 Bytes JMP 0089007D
.text C:\windows\system32\svchost.exe[1496] msvcrt.dll!_open 775F7E48 5 Bytes JMP 00990FEF
.text C:\windows\system32\svchost.exe[1496] msvcrt.dll!_wsystem 7762B04F 5 Bytes JMP 00990FAD
.text C:\windows\system32\svchost.exe[1496] msvcrt.dll!system 7762B16F 5 Bytes JMP 00990038
.text C:\windows\system32\svchost.exe[1496] msvcrt.dll!_creat 7762ED29 5 Bytes JMP 00990FC8
.text C:\windows\system32\svchost.exe[1496] msvcrt.dll!_wcreat 7763038E 5 Bytes JMP 0099001D
.text C:\windows\system32\svchost.exe[1496] msvcrt.dll!_wopen 77630570 5 Bytes JMP 0099000C
.text C:\windows\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyA 7725D2ED 5 Bytes JMP 008E0FEF
.text C:\windows\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyA 7725D3C1 5 Bytes JMP 008E0028
.text C:\windows\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyExA 77261B71 5 Bytes JMP 008E0F90
.text C:\windows\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyW 77261CC0 5 Bytes JMP 008E0FA1
.text C:\windows\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyW 77263129 5 Bytes JMP 008E0FDE
.text C:\windows\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyExW 7726B946 5 Bytes JMP 008E0F75
.text C:\windows\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyExA 7726BC0D 5 Bytes JMP 008E0FCD
.text C:\windows\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyExW 7726BEC4 5 Bytes JMP 008E0FBC
.text C:\windows\system32\svchost.exe[1496] WS2_32.dll!socket 77013F00 5 Bytes JMP 00980FEF
.text C:\windows\system32\svchost.exe[1816] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 008E0000
.text C:\windows\system32\svchost.exe[1816] ntdll.dll!NtCreateProcess 77494940 5 Bytes JMP 008E002C
.text C:\windows\system32\svchost.exe[1816] ntdll.dll!NtProtectVirtualMemory 774951C0 5 Bytes JMP 008E0011
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!GetStartupInfoA 76B81DF0 5 Bytes JMP 00550F3F
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 005500B9
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!CreateProcessA 76B82062 5 Bytes JMP 0055009E
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!CreateNamedPipeW 76BB1FEE 5 Bytes JMP 00550FB9
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!CreatePipe 76BB4AAB 5 Bytes JMP 00550F50
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!VirtualProtect 76BC50CB 5 Bytes JMP 00550054
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!LoadLibraryExW 76BCB647 5 Bytes JMP 00550F86
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!LoadLibraryExA 76BCBC13 5 Bytes JMP 00550F97
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!CreateFileW 76BD0AFD 5 Bytes JMP 00550FDE
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!GetProcAddress 76BD17D7 5 Bytes JMP 005500CA
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!LoadLibraryA 76BD2804 5 Bytes JMP 0055002F
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!LoadLibraryW 76BD2852 5 Bytes JMP 00550FA8
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!CreateFileA 76BD289C 5 Bytes JMP 00550FEF
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!GetStartupInfoW 76BD7C55 5 Bytes JMP 00550079
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!CreateNamedPipeA 76C0D577 5 Bytes JMP 00550014
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!WinExec 76C0E739 5 Bytes JMP 00550F1A
.text C:\windows\system32\svchost.exe[1816] kernel32.dll!VirtualProtectEx 76C0F6F1 5 Bytes JMP 00550F61
.text C:\windows\system32\svchost.exe[1816] msvcrt.dll!_open 775F7E48 5 Bytes JMP 00980000
.text C:\windows\system32\svchost.exe[1816] msvcrt.dll!_wsystem 7762B04F 5 Bytes JMP 00980FBC
.text C:\windows\system32\svchost.exe[1816] msvcrt.dll!system 7762B16F 5 Bytes JMP 00980FD7
.text C:\windows\system32\svchost.exe[1816] msvcrt.dll!_creat 7762ED29 5 Bytes JMP 0098002C
.text C:\windows\system32\svchost.exe[1816] msvcrt.dll!_wcreat 7763038E 5 Bytes JMP 00980047
.text C:\windows\system32\svchost.exe[1816] msvcrt.dll!_wopen 77630570 5 Bytes JMP 00980011
.text C:\windows\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyA 7725D2ED 5 Bytes JMP 00890000
.text C:\windows\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyA 7725D3C1 5 Bytes JMP 00890FC0
.text C:\windows\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyExA 77261B71 5 Bytes JMP 00890047
.text C:\windows\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyW 77261CC0 5 Bytes JMP 00890FA5
.text C:\windows\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyW 77263129 5 Bytes JMP 0089001B
.text C:\windows\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyExW 7726B946 5 Bytes JMP 00890058
.text C:\windows\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyExA 7726BC0D 5 Bytes JMP 0089002C
.text C:\windows\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyExW 7726BEC4 5 Bytes JMP 00890FDB
.text C:\windows\system32\svchost.exe[1816] WS2_32.dll!socket 77013F00 5 Bytes JMP 00930FEF
.text C:\windows\system32\svchost.exe[2136] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 00240000
.text C:\windows\system32\svchost.exe[2136] ntdll.dll!NtCreateProcess 77494940 5 Bytes JMP 0024001B
.text C:\windows\system32\svchost.exe[2136] ntdll.dll!NtProtectVirtualMemory 774951C0 5 Bytes JMP 00240FE5
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!GetStartupInfoA 76B81DF0 5 Bytes JMP 001E0F43
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 001E0F14
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!CreateProcessA 76B82062 5 Bytes JMP 001E00A9
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!CreateNamedPipeW 76BB1FEE 5 Bytes JMP 001E001B
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!CreatePipe 76BB4AAB 5 Bytes JMP 001E006C
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!VirtualProtect 76BC50CB 5 Bytes JMP 001E0F5E
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!LoadLibraryExW 76BCB647 5 Bytes JMP 001E0F6F
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!LoadLibraryExA 76BCBC13 5 Bytes JMP 001E002C
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!CreateFileW 76BD0AFD 5 Bytes JMP 001E000A
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!GetProcAddress 76BD17D7 5 Bytes JMP 001E0F03
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!LoadLibraryA 76BD2804 5 Bytes JMP 001E0FA5
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!LoadLibraryW 76BD2852 5 Bytes JMP 001E0F8A
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!CreateFileA 76BD289C 5 Bytes JMP 001E0FEF
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!GetStartupInfoW 76BD7C55 5 Bytes JMP 001E0087
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!CreateNamedPipeA 76C0D577 5 Bytes JMP 001E0FCA
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!WinExec 76C0E739 5 Bytes JMP 001E0098
.text C:\windows\system32\svchost.exe[2136] kernel32.dll!VirtualProtectEx 76C0F6F1 5 Bytes JMP 001E0051
.text C:\windows\system32\svchost.exe[2136] msvcrt.dll!_open 775F7E48 5 Bytes JMP 00260FEF
.text C:\windows\system32\svchost.exe[2136] msvcrt.dll!_wsystem 7762B04F 5 Bytes JMP 00260F7F
.text C:\windows\system32\svchost.exe[2136] msvcrt.dll!system 7762B16F 5 Bytes JMP 00260F90
.text C:\windows\system32\svchost.exe[2136] msvcrt.dll!_creat 7762ED29 5 Bytes JMP 00260000
.text C:\windows\system32\svchost.exe[2136] msvcrt.dll!_wcreat 7763038E 5 Bytes JMP 00260FAB
.text C:\windows\system32\svchost.exe[2136] msvcrt.dll!_wopen 77630570 5 Bytes JMP 00260FD2
.text C:\windows\system32\svchost.exe[2136] ADVAPI32.dll!RegOpenKeyA 7725D2ED 5 Bytes JMP 001F0FEF
.text C:\windows\system32\svchost.exe[2136] ADVAPI32.dll!RegCreateKeyA 7725D3C1 5 Bytes JMP 001F0FA8
.text C:\windows\system32\svchost.exe[2136] ADVAPI32.dll!RegCreateKeyExA 77261B71 5 Bytes JMP 001F0F7C
.text C:\windows\system32\svchost.exe[2136] ADVAPI32.dll!RegCreateKeyW 77261CC0 5 Bytes JMP 001F0F8D
.text C:\windows\system32\svchost.exe[2136] ADVAPI32.dll!RegOpenKeyW 77263129 5 Bytes JMP 001F0FDE
.text C:\windows\system32\svchost.exe[2136] ADVAPI32.dll!RegCreateKeyExW 7726B946 5 Bytes JMP 001F0043
.text C:\windows\system32\svchost.exe[2136] ADVAPI32.dll!RegOpenKeyExA 7726BC0D 5 Bytes JMP 001F0FC3
.text C:\windows\system32\svchost.exe[2136] ADVAPI32.dll!RegOpenKeyExW 7726BEC4 5 Bytes JMP 001F0014
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3392] kernel32.dll!LoadLibraryA 76BD2804 5 Bytes JMP 69EE9A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3392] kernel32.dll!LoadLibraryW 76BD2852 5 Bytes JMP 69EE9AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\windows\system32\svchost.exe[3456] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 002D000A
.text C:\windows\system32\svchost.exe[3456] ntdll.dll!NtCreateProcess 77494940 5 Bytes JMP 002D0025
.text C:\windows\system32\svchost.exe[3456] ntdll.dll!NtProtectVirtualMemory 774951C0 5 Bytes JMP 002D0FEF
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!GetStartupInfoA 76B81DF0 5 Bytes JMP 001A00AC
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 001A0F43
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!CreateProcessA 76B82062 5 Bytes JMP 001A00D8
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!CreateNamedPipeW 76BB1FEE 5 Bytes JMP 001A0025
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!CreatePipe 76BB4AAB 5 Bytes JMP 001A009B
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!VirtualProtect 76BC50CB 5 Bytes JMP 001A0076
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!LoadLibraryExW 76BCB647 5 Bytes JMP 001A0F94
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!LoadLibraryExA 76BCBC13 5 Bytes JMP 001A005B
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!CreateFileW 76BD0AFD 5 Bytes JMP 001A0FE5
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!GetProcAddress 76BD17D7 5 Bytes JMP 001A00F3
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!LoadLibraryA 76BD2804 5 Bytes JMP 001A0FC3
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!LoadLibraryW 76BD2852 5 Bytes JMP 001A004A
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!CreateFileA 76BD289C 5 Bytes JMP 001A0000
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!GetStartupInfoW 76BD7C55 5 Bytes JMP 001A0F68
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!CreateNamedPipeA 76C0D577 5 Bytes JMP 001A0FD4
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!WinExec 76C0E739 5 Bytes JMP 001A00BD
.text C:\windows\system32\svchost.exe[3456] kernel32.dll!VirtualProtectEx 76C0F6F1 5 Bytes JMP 001A0F83
.text C:\windows\system32\svchost.exe[3456] msvcrt.dll!_open 775F7E48 5 Bytes JMP 002E0000
.text C:\windows\system32\svchost.exe[3456] msvcrt.dll!_wsystem 7762B04F 5 Bytes JMP 002E0FC1
.text C:\windows\system32\svchost.exe[3456] msvcrt.dll!system 7762B16F 5 Bytes JMP 002E0FD2
.text C:\windows\system32\svchost.exe[3456] msvcrt.dll!_creat 7762ED29 5 Bytes JMP 002E0027
.text C:\windows\system32\svchost.exe[3456] msvcrt.dll!_wcreat 7763038E 5 Bytes JMP 002E0038
.text C:\windows\system32\svchost.exe[3456] msvcrt.dll!_wopen 77630570 5 Bytes JMP 002E0FE3
.text C:\windows\system32\svchost.exe[3456] ADVAPI32.dll!RegOpenKeyA 7725D2ED 5 Bytes JMP 00280FEF
.text C:\windows\system32\svchost.exe[3456] ADVAPI32.dll!RegCreateKeyA 7725D3C1 5 Bytes JMP 0028001B
.text C:\windows\system32\svchost.exe[3456] ADVAPI32.dll!RegCreateKeyExA 77261B71 5 Bytes JMP 00280F83
.text C:\windows\system32\svchost.exe[3456] ADVAPI32.dll!RegCreateKeyW 77261CC0 5 Bytes JMP 00280F94
.text C:\windows\system32\svchost.exe[3456] ADVAPI32.dll!RegOpenKeyW 77263129 5 Bytes JMP 0028000A
.text C:\windows\system32\svchost.exe[3456] ADVAPI32.dll!RegCreateKeyExW 7726B946 5 Bytes JMP 00280040
.text C:\windows\system32\svchost.exe[3456] ADVAPI32.dll!RegOpenKeyExA 7726BC0D 5 Bytes JMP 00280FD4
.text C:\windows\system32\svchost.exe[3456] ADVAPI32.dll!RegOpenKeyExW 7726BEC4 5 Bytes JMP 00280FAF
.text C:\windows\system32\svchost.exe[3456] WS2_32.dll!socket 77013F00 5 Bytes JMP 00270000
.text C:\windows\system32\svchost.exe[4364] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 00200000
.text C:\windows\system32\svchost.exe[4364] ntdll.dll!NtCreateProcess 77494940 5 Bytes JMP 00200FE5
.text C:\windows\system32\svchost.exe[4364] ntdll.dll!NtProtectVirtualMemory 774951C0 5 Bytes JMP 00200011
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!GetStartupInfoA 76B81DF0 5 Bytes JMP 001D00D8
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 001D010E
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!CreateProcessA 76B82062 5 Bytes JMP 001D00F3
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!CreateNamedPipeW 76BB1FEE 5 Bytes JMP 001D0040
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!CreatePipe 76BB4AAB 5 Bytes JMP 001D0FA5
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!VirtualProtect 76BC50CB 5 Bytes JMP 001D008E
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!LoadLibraryExW 76BCB647 5 Bytes JMP 001D007D
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!LoadLibraryExA 76BCBC13 5 Bytes JMP 001D0FC0
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!CreateFileW 76BD0AFD 5 Bytes JMP 001D000A
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!GetProcAddress 76BD17D7 5 Bytes JMP 001D011F
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!LoadLibraryA 76BD2804 5 Bytes JMP 001D0051
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!LoadLibraryW 76BD2852 5 Bytes JMP 001D0062
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!CreateFileA 76BD289C 5 Bytes JMP 001D0FEF
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!GetStartupInfoW 76BD7C55 5 Bytes JMP 001D0F94
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!CreateNamedPipeA 76C0D577 5 Bytes JMP 001D0025
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!WinExec 76C0E739 5 Bytes JMP 001D0F83
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!VirtualProtectEx 76C0F6F1 5 Bytes JMP 001D00B3
.text C:\windows\system32\svchost.exe[4364] msvcrt.dll!_open 775F7E48 5 Bytes JMP 00360FE3
.text C:\windows\system32\svchost.exe[4364] msvcrt.dll!_wsystem 7762B04F 5 Bytes JMP 00360038
.text C:\windows\system32\svchost.exe[4364] msvcrt.dll!system 7762B16F 5 Bytes JMP 00360FAD
.text C:\windows\system32\svchost.exe[4364] msvcrt.dll!_creat 7762ED29 5 Bytes JMP 0036001D
.text C:\windows\system32\svchost.exe[4364] msvcrt.dll!_wcreat 7763038E 5 Bytes JMP 00360FC8
.text C:\windows\system32\svchost.exe[4364] msvcrt.dll!_wopen 77630570 5 Bytes JMP 0036000C
.text C:\windows\system32\svchost.exe[4364] ADVAPI32.dll!RegOpenKeyA 7725D2ED 5 Bytes JMP 001F0FEF
.text C:\windows\system32\svchost.exe[4364] ADVAPI32.dll!RegCreateKeyA 7725D3C1 5 Bytes JMP 001F0025
.text C:\windows\system32\svchost.exe[4364] ADVAPI32.dll!RegCreateKeyExA 77261B71 5 Bytes JMP 001F0F83
.text C:\windows\system32\svchost.exe[4364] ADVAPI32.dll!RegCreateKeyW 77261CC0 5 Bytes JMP 001F0F94
.text C:\windows\system32\svchost.exe[4364] ADVAPI32.dll!RegOpenKeyW 77263129 5 Bytes JMP 001F0000
.text C:\windows\system32\svchost.exe[4364] ADVAPI32.dll!RegCreateKeyExW 7726B946 5 Bytes JMP 001F0040
.text C:\windows\system32\svchost.exe[4364] ADVAPI32.dll!RegOpenKeyExA 7726BC0D 5 Bytes JMP 001F0FCA
.text C:\windows\system32\svchost.exe[4364] ADVAPI32.dll!RegOpenKeyExW 7726BEC4 5 Bytes JMP 001F0FAF
.text C:\windows\system32\svchost.exe[4364] WS2_32.dll!socket 77013F00 5 Bytes JMP 001E0FE5
.text C:\windows\system32\DllHost.exe[5936] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 00040000
.text C:\windows\system32\DllHost.exe[5936] ntdll.dll!NtCreateProcess 77494940 5 Bytes JMP 0004001B
.text C:\windows\system32\DllHost.exe[5936] ntdll.dll!NtProtectVirtualMemory 774951C0 5 Bytes JMP 00040FE5
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!GetStartupInfoA 76B81DF0 5 Bytes JMP 000100AC
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 000100F3
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!CreateProcessA 76B82062 5 Bytes JMP 000100D8
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!CreateNamedPipeW 76BB1FEE 5 Bytes JMP 00010014
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!CreatePipe 76BB4AAB 5 Bytes JMP 00010091
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!VirtualProtect 76BC50CB 5 Bytes JMP 00010F94
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!LoadLibraryExW 76BCB647 5 Bytes JMP 0001006C
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!LoadLibraryExA 76BCBC13 5 Bytes JMP 00010051
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!CreateFileW 76BD0AFD 5 Bytes JMP 00010FD4
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!GetProcAddress 76BD17D7 5 Bytes JMP 00010F39
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!LoadLibraryA 76BD2804 5 Bytes JMP 0001002F
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!LoadLibraryW 76BD2852 5 Bytes JMP 00010040
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!CreateFileA 76BD289C 5 Bytes JMP 00010FEF
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!GetStartupInfoW 76BD7C55 5 Bytes JMP 00010F5E
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!CreateNamedPipeA 76C0D577 5 Bytes JMP 00010FC3
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!WinExec 76C0E739 5 Bytes JMP 000100BD
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!VirtualProtectEx 76C0F6F1 5 Bytes JMP 00010F79
.text C:\windows\system32\DllHost.exe[5936] msvcrt.dll!_open 775F7E48 5 Bytes JMP 00060000
.text C:\windows\system32\DllHost.exe[5936] msvcrt.dll!_wsystem 7762B04F 5 Bytes JMP 00060FC3
.text C:\windows\system32\DllHost.exe[5936] msvcrt.dll!system 7762B16F 5 Bytes JMP 0006004E
.text C:\windows\system32\DllHost.exe[5936] msvcrt.dll!_creat 7762ED29 5 Bytes JMP 00060022
.text C:\windows\system32\DllHost.exe[5936] msvcrt.dll!_wcreat 7763038E 5 Bytes JMP 0006003D
.text C:\windows\system32\DllHost.exe[5936] msvcrt.dll!_wopen 77630570 5 Bytes JMP 00060011
.text C:\windows\system32\DllHost.exe[5936] ADVAPI32.dll!RegOpenKeyA 7725D2ED 5 Bytes JMP 000A0000
.text C:\windows\system32\DllHost.exe[5936] ADVAPI32.dll!RegCreateKeyA 7725D3C1 5 Bytes JMP 000A004A
.text C:\windows\system32\DllHost.exe[5936] ADVAPI32.dll!RegCreateKeyExA 77261B71 5 Bytes JMP 000A0FB2
.text C:\windows\system32\DllHost.exe[5936] ADVAPI32.dll!RegCreateKeyW 77261CC0 5 Bytes JMP 000A0FC3
.text C:\windows\system32\DllHost.exe[5936] ADVAPI32.dll!RegOpenKeyW 77263129 5 Bytes JMP 000A0FE5
.text C:\windows\system32\DllHost.exe[5936] ADVAPI32.dll!RegCreateKeyExW 7726B946 5 Bytes JMP 000A0FA1
.text C:\windows\system32\DllHost.exe[5936] ADVAPI32.dll!RegOpenKeyExA 7726BC0D 5 Bytes JMP 000A001B
.text C:\windows\system32\DllHost.exe[5936] ADVAPI32.dll!RegOpenKeyExW 7726BEC4 5 Bytes JMP 000A0FD4
.text C:\windows\system32\DllHost.exe[5936] WININET.dll!InternetOpenA 759A4E3C 5 Bytes JMP 00140FE5
.text C:\windows\system32\DllHost.exe[5936] WININET.dll!InternetOpenUrlA 759ABFDE 5 Bytes JMP 00140011
.text C:\windows\system32\DllHost.exe[5936] WININET.dll!InternetOpenW 759DC126 5 Bytes JMP 00140000
.text C:\windows\system32\DllHost.exe[5936] WININET.dll!InternetOpenUrlW 75A0D8D2 5 Bytes JMP 00140FCA
.text C:\windows\Explorer.exe[6036] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 0004000A
.text C:\windows\Explorer.exe[6036] ntdll.dll!NtCreateProcess 77494940 5 Bytes JMP 00040025
.text C:\windows\Explorer.exe[6036] ntdll.dll!NtProtectVirtualMemory 774951C0 5 Bytes JMP 00040FE5
.text C:\windows\Explorer.exe[6036] kernel32.dll!GetStartupInfoA 76B81DF0 5 Bytes JMP 00010F43
.text C:\windows\Explorer.exe[6036] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 00010F0D
.text C:\windows\Explorer.exe[6036] kernel32.dll!CreateProcessA 76B82062 5 Bytes JMP 000100A2
.text C:\windows\Explorer.exe[6036] kernel32.dll!CreateNamedPipeW 76BB1FEE 5 Bytes JMP 00010FC0
.text C:\windows\Explorer.exe[6036] kernel32.dll!CreatePipe 76BB4AAB 5 Bytes JMP 0001006C
.text C:\windows\Explorer.exe[6036] kernel32.dll!VirtualProtect 76BC50CB 5 Bytes JMP 00010F6F
.text C:\windows\Explorer.exe[6036] kernel32.dll!LoadLibraryExW 76BCB647 5 Bytes JMP 00010F8A
.text C:\windows\Explorer.exe[6036] kernel32.dll!LoadLibraryExA 76BCBC13 5 Bytes JMP 00010047
.text C:\windows\Explorer.exe[6036] kernel32.dll!CreateFileW 76BD0AFD 5 Bytes JMP 00010FDB
.text C:\windows\Explorer.exe[6036] kernel32.dll!GetProcAddress 76BD17D7 5 Bytes JMP 00010EFC
.text C:\windows\Explorer.exe[6036] kernel32.dll!LoadLibraryA 76BD2804 5 Bytes JMP 0001002C
.text C:\windows\Explorer.exe[6036] kernel32.dll!LoadLibraryW 76BD2852 5 Bytes JMP 00010FA5
.text C:\windows\Explorer.exe[6036] kernel32.dll!CreateFileA 76BD289C 5 Bytes JMP 00010000
.text C:\windows\Explorer.exe[6036] kernel32.dll!GetStartupInfoW 76BD7C55 5 Bytes JMP 00010F32
.text C:\windows\Explorer.exe[6036] kernel32.dll!CreateNamedPipeA 76C0D577 5 Bytes JMP 0001001B
.text C:\windows\Explorer.exe[6036] kernel32.dll!WinExec 76C0E739 5 Bytes JMP 00010087
.text C:\windows\Explorer.exe[6036] kernel32.dll!VirtualProtectEx 76C0F6F1 5 Bytes JMP 00010F5E
.text C:\windows\Explorer.exe[6036] ADVAPI32.dll!RegOpenKeyA 7725D2ED 5 Bytes JMP 00070FEF
.text C:\windows\Explorer.exe[6036] ADVAPI32.dll!RegCreateKeyA 7725D3C1 5 Bytes JMP 00070FBC
.text C:\windows\Explorer.exe[6036] ADVAPI32.dll!RegCreateKeyExA 77261B71 5 Bytes JMP 00070043
.text C:\windows\Explorer.exe[6036] ADVAPI32.dll!RegCreateKeyW 77261CC0 5 Bytes JMP 00070FA1
.text C:\windows\Explorer.exe[6036] ADVAPI32.dll!RegOpenKeyW 77263129 5 Bytes JMP 00070FDE
.text C:\windows\Explorer.exe[6036] ADVAPI32.dll!RegCreateKeyExW 7726B946 5 Bytes JMP 00070F86
.text C:\windows\Explorer.exe[6036] ADVAPI32.dll!RegOpenKeyExA 7726BC0D 5 Bytes JMP 00070FCD
.text C:\windows\Explorer.exe[6036] ADVAPI32.dll!RegOpenKeyExW 7726BEC4 5 Bytes JMP 0007001E
.text C:\windows\Explorer.exe[6036] msvcrt.dll!_open 775F7E48 5 Bytes JMP 00080FEF
.text C:\windows\Explorer.exe[6036] msvcrt.dll!_wsystem 7762B04F 5 Bytes JMP 00080F97
.text C:\windows\Explorer.exe[6036] msvcrt.dll!system 7762B16F 5 Bytes JMP 00080FB2
.text C:\windows\Explorer.exe[6036] msvcrt.dll!_creat 7762ED29 5 Bytes JMP 00080FCD
.text C:\windows\Explorer.exe[6036] msvcrt.dll!_wcreat 7763038E 5 Bytes JMP 00080022
.text C:\windows\Explorer.exe[6036] msvcrt.dll!_wopen 77630570 5 Bytes JMP 00080FDE
.text C:\windows\Explorer.exe[6036] WININET.dll!InternetOpenA 759A4E3C 5 Bytes JMP 00BC000A
.text C:\windows\Explorer.exe[6036] WININET.dll!InternetOpenUrlA 759ABFDE 5 Bytes JMP 00BC002C
.text C:\windows\Explorer.exe[6036] WININET.dll!InternetOpenW 759DC126 5 Bytes JMP 00BC001B
.text C:\windows\Explorer.exe[6036] WININET.dll!InternetOpenUrlW 75A0D8D2 5 Bytes JMP 00BC0FDB
.text C:\windows\Explorer.exe[6036] WS2_32.dll!socket 77013F00 5 Bytes JMP 04CC0FEF
.text C:\windows\System32\svchost.exe[6096] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 00040000
.text C:\windows\System32\svchost.exe[6096] ntdll.dll!NtCreateProcess 77494940 5 Bytes JMP 00040FD4
.text C:\windows\System32\svchost.exe[6096] ntdll.dll!NtProtectVirtualMemory 774951C0 5 Bytes JMP 00040FEF
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!GetStartupInfoA 76B81DF0 5 Bytes JMP 00010098
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 00010F28
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!CreateProcessA 76B82062 5 Bytes JMP 00010F4D
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!CreateNamedPipeW 76BB1FEE 5 Bytes JMP 00010025
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!CreatePipe 76BB4AAB 5 Bytes JMP 00010F79
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!VirtualProtect 76BC50CB 5 Bytes JMP 0001006C
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!LoadLibraryExW 76BCB647 5 Bytes JMP 00010051
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!LoadLibraryExA 76BCBC13 5 Bytes JMP 00010F94
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!CreateFileW 76BD0AFD 5 Bytes JMP 00010FDE
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!GetProcAddress 76BD17D7 5 Bytes JMP 000100D8
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!LoadLibraryA 76BD2804 5 Bytes JMP 00010FB9
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!LoadLibraryW 76BD2852 5 Bytes JMP 00010040
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!CreateFileA 76BD289C 5 Bytes JMP 00010FEF
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!GetStartupInfoW 76BD7C55 5 Bytes JMP 00010F5E
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!CreateNamedPipeA 76C0D577 5 Bytes JMP 00010014
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!WinExec 76C0E739 5 Bytes JMP 000100C7
.text C:\windows\System32\svchost.exe[6096] kernel32.dll!VirtualProtectEx 76C0F6F1 5 Bytes JMP 00010087
.text C:\windows\System32\svchost.exe[6096] msvcrt.dll!_open 775F7E48 5 Bytes JMP 00120000
.text C:\windows\System32\svchost.exe[6096] msvcrt.dll!_wsystem 7762B04F 5 Bytes JMP 00120038
.text C:\windows\System32\svchost.exe[6096] msvcrt.dll!system 7762B16F 5 Bytes JMP 00120FAD
.text C:\windows\System32\svchost.exe[6096] msvcrt.dll!_creat 7762ED29 5 Bytes JMP 00120FD2
.text C:\windows\System32\svchost.exe[6096] msvcrt.dll!_wcreat 7763038E 5 Bytes JMP 00120027
.text C:\windows\System32\svchost.exe[6096] msvcrt.dll!_wopen 77630570 5 Bytes JMP 00120FE3
.text C:\windows\System32\svchost.exe[6096] WS2_32.dll!socket 77013F00 5 Bytes JMP 00130FE5
.text C:\windows\System32\svchost.exe[6096] ADVAPI32.dll!RegOpenKeyA 7725D2ED 5 Bytes JMP 00190000
.text C:\windows\System32\svchost.exe[6096] ADVAPI32.dll!RegCreateKeyA 7725D3C1 5 Bytes JMP 00190036
.text C:\windows\System32\svchost.exe[6096] ADVAPI32.dll!RegCreateKeyExA 77261B71 5 Bytes JMP 0019005B
.text C:\windows\System32\svchost.exe[6096] ADVAPI32.dll!RegCreateKeyW 77261CC0 5 Bytes JMP 00190FAF
.text C:\windows\System32\svchost.exe[6096] ADVAPI32.dll!RegOpenKeyW 77263129 5 Bytes JMP 0019001B
.text C:\windows\System32\svchost.exe[6096] ADVAPI32.dll!RegCreateKeyExW 7726B946 5 Bytes JMP 0019006C
.text C:\windows\System32\svchost.exe[6096] ADVAPI32.dll!RegOpenKeyExA 7726BC0D 5 Bytes JMP 00190FE5
.text C:\windows\System32\svchost.exe[6096] ADVAPI32.dll!RegOpenKeyExW 7726BEC4 5 Bytes JMP 00190FCA
.text C:\windows\system32\wuauclt.exe[6152] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 00040000
.text C:\windows\system32\wuauclt.exe[6152] ntdll.dll!NtCreateProcess 77494940 5 Bytes JMP 0004002C
.text C:\windows\system32\wuauclt.exe[6152] ntdll.dll!NtProtectVirtualMemory 774951C0 5 Bytes JMP 0004001B
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!GetStartupInfoA 76B81DF0 5 Bytes JMP 00010069
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 00010F03
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!CreateProcessA 76B82062 5 Bytes JMP 00010F14
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!CreateNamedPipeW 76BB1FEE 5 Bytes JMP 00010FC0
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!CreatePipe 76BB4AAB 5 Bytes JMP 00010F40
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!VirtualProtect 76BC50CB 5 Bytes JMP 00010F65
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!LoadLibraryExW 76BCB647 5 Bytes JMP 0001003D
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!LoadLibraryExA 76BCBC13 5 Bytes JMP 00010022
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!CreateFileW 76BD0AFD 5 Bytes JMP 00010011
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!GetProcAddress 76BD17D7 5 Bytes JMP 000100A9
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!LoadLibraryA 76BD2804 5 Bytes JMP 00010FA5
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!LoadLibraryW 76BD2852 5 Bytes JMP 00010F8A
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!CreateFileA 76BD289C 5 Bytes JMP 00010000
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!GetStartupInfoW 76BD7C55 5 Bytes JMP 00010F2F
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!CreateNamedPipeA 76C0D577 5 Bytes JMP 00010FD1
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!WinExec 76C0E739 5 Bytes JMP 0001008E
.text C:\windows\system32\wuauclt.exe[6152] kernel32.dll!VirtualProtectEx 76C0F6F1 5 Bytes JMP 00010058
.text C:\windows\system32\wuauclt.exe[6152] msvcrt.dll!_open 775F7E48 5 Bytes JMP 00080FEF
.text C:\windows\system32\wuauclt.exe[6152] msvcrt.dll!_wsystem 7762B04F 5 Bytes JMP 00080069
.text C:\windows\system32\wuauclt.exe[6152] msvcrt.dll!system 7762B16F 5 Bytes JMP 0008004E
.text C:\windows\system32\wuauclt.exe[6152] msvcrt.dll!_creat 7762ED29 5 Bytes JMP 00080FDE
.text C:\windows\system32\wuauclt.exe[6152] msvcrt.dll!_wcreat 7763038E 5 Bytes JMP 0008003D
.text C:\windows\system32\wuauclt.exe[6152] msvcrt.dll!_wopen 77630570 5 Bytes JMP 00080018
.text C:\windows\system32\wuauclt.exe[6152] ADVAPI32.dll!RegOpenKeyA 7725D2ED 5 Bytes JMP 0009000A
.text C:\windows\system32\wuauclt.exe[6152] ADVAPI32.dll!RegCreateKeyA 7725D3C1 5 Bytes JMP 00090036
.text C:\windows\system32\wuauclt.exe[6152] ADVAPI32.dll!RegCreateKeyExA 77261B71 5 Bytes JMP 00090051
.text C:\windows\system32\wuauclt.exe[6152] ADVAPI32.dll!RegCreateKeyW 77261CC0 5 Bytes JMP 00090FAF
.text C:\windows\system32\wuauclt.exe[6152] ADVAPI32.dll!RegOpenKeyW 77263129 5 Bytes JMP 00090FE5
.text C:\windows\system32\wuauclt.exe[6152] ADVAPI32.dll!RegCreateKeyExW 7726B946 5 Bytes JMP 00090F94
.text C:\windows\system32\wuauclt.exe[6152] ADVAPI32.dll!RegOpenKeyExA 7726BC0D 5 Bytes JMP 0009001B
.text C:\windows\system32\wuauclt.exe[6152] ADVAPI32.dll!RegOpenKeyExW 7726BEC4 5 Bytes JMP 00090FCA

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\windows\system32\mfevtps.exe[1388] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00DC77A0] C:\windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\windows\system32\rundll32.exe[1524] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75535E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\windows\system32\rundll32.exe[1524] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75535E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\windows\system32\rundll32.exe[1524] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75535E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\windows\system32\rundll32.exe[1524] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75535E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\windows\Explorer.exe[6036] @ C:\windows\Explorer.exe [gdiplus.dll!GdipAlloc] [73682494] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[6036] @ C:\windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [73665624] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[6036] @ C:\windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [736656E2] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[6036] @ C:\windows\Explorer.exe [gdiplus.dll!GdipFree] [7368250F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[6036] @ C:\windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [73678573] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[6036] @ C:\windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [73674D27] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[6036] @ C:\windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [736750CE] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[6036] @ C:\windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [736751A3] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[6036] @ C:\windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [736766D0] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[6036] @ C:\windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [736782CA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[6036] @ C:\windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73678819] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[6036] @ C:\windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [7367907A] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[6036] @ C:\windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [7367E21D] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[6036] @ C:\windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [73674C59] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000055 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device volmgr.sys (Volume Manager Driver/Microsoft Corporation)
Device iaStor.sys (Intel Matrix Storage Manager driver - ia32/Intel Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:5844] 9F724730

---- EOF - GMER 1.0.15 ----
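
Reading the "User code sections" part of a GMER log by hand is slow, so here is a small parser for it, added as an example for this thread; it is not part of the original post and not GMER's own code. Each `.text` line means GMER found the first N bytes of an exported function replaced by a JMP; when no module name follows the target address, GMER could not attribute the target to any loaded image, i.e. the trampoline lives in privately allocated memory. The IAT lines are import slots that point somewhere other than the exporting module's own code. The script groups the hooks by process, by the capability they intercept (process creation, file, loader, memory protection, registry, network, pipes) and by the 64 KiB region each JMP lands in, and lists the exports hooked in more than one process. The sample lines are excerpted verbatim from the log above; the category names are this example's own.

```python
"""Parse and summarise GMER user-mode hook lines.

Added example for the GMER log in this thread; not part of the original post
and not GMER's own code. SAMPLE is excerpted verbatim from that log.

GMER prints one line per exported function whose prologue was overwritten:
  .text <process>[pid] <module>!<export> <address> <N> Bytes JMP <target> [<owner of target>]
and one per import slot that no longer points into the exporting module:
  IAT <process>[pid] @ <importing module> [<module>!<import>] [<address>] <owner of address>
No owner after the JMP target means GMER could not attribute the target to
any loaded image: the trampoline sits in privately allocated memory.
"""
import re
from collections import defaultdict

INLINE_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>[^!\s]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<n>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)"
    r"(?: (?P<resolved>.+))?$"
)
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<owner>\S+) \[(?P<import>[^\]]+)\] "
    r"\[(?P<addr>[0-9A-Fa-f]+)\] (?P<resolved>.+)$"
)

# Coarse buckets (this example's own naming) for what the hooked exports intercept.
CATEGORIES = {
    "process":  {"CreateProcessA", "CreateProcessW", "NtCreateProcess", "WinExec", "system", "_wsystem"},
    "file":     {"CreateFileA", "CreateFileW", "NtCreateFile", "_open", "_wopen", "_creat", "_wcreat"},
    "loader":   {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"},
    "memory":   {"VirtualProtect", "VirtualProtectEx", "NtProtectVirtualMemory"},
    "registry": {"RegOpenKeyA", "RegOpenKeyW", "RegOpenKeyExA", "RegOpenKeyExW",
                 "RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW"},
    "network":  {"socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW"},
    "ipc":      {"CreatePipe", "CreateNamedPipeA", "CreateNamedPipeW"},
}

# Excerpt of the log posted above (verbatim lines, not constructed).
SAMPLE = r"""
.text C:\windows\system32\svchost.exe[4364] ntdll.dll!NtCreateFile 77494870 5 Bytes JMP 00200000
.text C:\windows\system32\svchost.exe[4364] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 001D010E
.text C:\windows\system32\svchost.exe[4364] WS2_32.dll!socket 77013F00 5 Bytes JMP 001E0FE5
.text C:\windows\system32\DllHost.exe[5936] kernel32.dll!GetProcAddress 76BD17D7 5 Bytes JMP 00010F39
.text C:\windows\system32\DllHost.exe[5936] WININET.dll!InternetOpenA 759A4E3C 5 Bytes JMP 00140FE5
.text C:\windows\Explorer.exe[6036] kernel32.dll!CreateProcessW 76B8202D 5 Bytes JMP 00010F0D
.text C:\windows\Explorer.exe[6036] ADVAPI32.dll!RegCreateKeyExW 7726B946 5 Bytes JMP 00070F86
.text C:\windows\Explorer.exe[6036] WS2_32.dll!socket 77013F00 5 Bytes JMP 04CC0FEF
IAT C:\windows\system32\rundll32.exe[1524] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75535E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
"""


def parse_gmer(lines):
    """Return (inline_hooks, iat_hooks) as lists of dicts; unrelated lines are ignored."""
    inline, iat = [], []
    for raw in lines:
        line = raw.strip()
        m = INLINE_RE.match(line)
        if m:
            d = m.groupdict()
            d.update(pid=int(d["pid"]), addr=int(d["addr"], 16),
                     n=int(d["n"]), target=int(d["target"], 16))
            inline.append(d)
            continue
        m = IAT_RE.match(line)
        if m:
            d = m.groupdict()
            d.update(pid=int(d["pid"]), addr=int(d["addr"], 16))
            iat.append(d)
    return inline, iat


def category(func):
    return next((name for name, funcs in CATEGORIES.items() if func in funcs), "other")


def summarise(inline):
    """Per (process, pid): hook count, capability buckets, the 64 KiB regions the JMPs
    land in, and how many targets GMER could not attribute to a loaded module."""
    out = defaultdict(lambda: {"hooks": 0, "categories": set(), "regions": set(), "unattributed": 0})
    for h in inline:
        s = out[(h["proc"], h["pid"])]
        s["hooks"] += 1
        s["categories"].add(category(h["func"]))
        s["regions"].add(h["target"] & ~0xFFFF)   # allocation-granularity base of the target
        if h["resolved"] is None:
            s["unattributed"] += 1
    return dict(out)


def shared_hooks(inline):
    """Exports hooked in more than one process: what one engine injected everywhere looks like."""
    pids = defaultdict(set)
    for h in inline:
        pids[f'{h["mod"]}!{h["func"]}'].add(h["pid"])
    return {api: sorted(p) for api, p in pids.items() if len(p) > 1}


if __name__ == "__main__":
    inline, iat = parse_gmer(SAMPLE.splitlines())
    for (proc, pid), s in summarise(inline).items():
        regions = ", ".join(f"{r:08X}" for r in sorted(s["regions"]))
        print(f"{proc}[{pid}]: {s['hooks']} hooks, {s['unattributed']} unattributed, "
              f"{sorted(s['categories'])}, regions {regions}")
    print("hooked in several processes:", shared_hooks(inline))
    for h in iat:
        print(f"IAT {h['proc']}[{h['pid']}] {h['import']} -> {h['resolved']}")
```

Run it over the whole log (`parse_gmer(open("gmer.log").readlines())`) and two things stand out that the raw listing hides: every listed process carries the same export set, hooked the same way (a 5-byte JMP into low, unattributed private regions), which is the shape of a single hooking engine loaded into each process; and the IAT entries that GMER does attribute (apphelp.dll in the shimmed rundll32.exe, the WinSxS gdiplus.dll in Explorer.exe, mfevtps.exe pointing back into itself) are explained by the log itself. Security products such as the McAfee components in this log and malware both install user-mode hooks of exactly this kind, so the hook list alone does not say which one owns these trampolines; that question needs the deeper look the reply below asks for.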

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:10:22 AM

Posted 03 January 2012 - 10:47 AM

Hello, they are not showing here. We need a deeper look. Please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Include the GMER log you posted earlier.
Let me know if that went well.



