lonnie
Honorary Members
Posts: 27
Reputation: 0 Neutral

  1. Okay, I think I got everything.... Thanks so much for all your help!
  2. Hi, things are running much better. I'm not getting redirected anymore when I click on links, and startup is much faster when I open programs. Here is the dds.txt file:

     DDS (Ver_10-03-17.01) - NTFSx86
     Run by Lonnie Hastings at 12:26:04.71 on Sun 05/16/2010
     Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1348 [GMT -7:00]

     AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
     FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

     ============== Running Processes ===============

     C:\WINDOWS\system32\ibmpmsvc.exe
     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
     C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
     svchost.exe
     svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     svchost.exe
     C:\WINDOWS\system32\IPSSVC.EXE
     C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
     C:\WINDOWS\system32\svchost.exe -k HPService
     C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
     C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
     c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
     c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
     C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
     C:\Program Files\McAfee\MPF\MPFSrv.exe
     C:\Program Files\Microsoft LifeCam\MSCamS32.exe
     C:\Program Files\McAfee\MSK\MskSrver.exe
     C:\WINDOWS\System32\svchost.exe -k HPZ12
     C:\WINDOWS\System32\svchost.exe -k HPZ12
     C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
     C:\Program Files\Future Point\Starlight\Bin\SLServerRepository.exe
     C:\Program Files\Future Point\XEE\Bin\SLXee2ServiceU.exe
     C:\WINDOWS\system32\svchost.exe -k imgsvc
     C:\Program Files\tbh\monitor\bin\tbhMonitor.exe
     C:\WINDOWS\System32\TPHDEXLG.EXE
     C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
     C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
     c:\Program Files\tbh\base\bin\tbhDaemon.exe
     C:\WINDOWS\system32\rundll32.exe
     c:\PROGRA~1\mcafee.com\agent\mcagent.exe
     C:\Program Files\Canon\CAL\CALMAIN.exe
     C:\WINDOWS\system32\tp4mon.exe
     C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
     C:\WINDOWS\system32\TpShocks.exe
     C:\WINDOWS\system32\igfxtray.exe
     C:\WINDOWS\system32\igfxpers.exe
     C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
     C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
     C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
     C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
     C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
     C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
     C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
     C:\WINDOWS\system32\rundll32.exe
     C:\Program Files\Analog Devices\Core\smax4pnp.exe
     C:\Program Files\tbh\base\bin\tbhSystray.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\WINDOWS\explorer.exe
     C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\Documents and Settings\Lonnie Hastings\Desktop\dds.scr

     ============== Pseudo HJT Report ===============

     uStart Page = hxxp://www.google.com
     uSearch Page = hxxp://www.google.com
     uSearch Bar = hxxp://www.google.com/ie
     mDefault_Search_URL = hxxp://www.google.com/ie
     mStart Page = hxxp://www.google.com
     uInternet Settings,ProxyOverride = *.local
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     mSearchAssistant = hxxp://www.google.com/ie
     uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
     BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
     BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
     BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
     BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
     TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
     TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
     TB: {147D6308-0614-4112-89B1-31402F9B82C4} - No File
     TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
     TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
     uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
     uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
     mRun: [TrackPointSrv] tp4mon.exe
     mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
     mRun: [TpShocks] TpShocks.exe
     mRun: [TP4EX] tp4ex.exe
     mRun: [igfxtray] c:\windows\system32\igfxtray.exe
     mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
     mRun: [igfxpers] c:\windows\system32\igfxpers.exe
     mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
     mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
     mRun: [suScheduler] c:\program files\thinkvantage\systemupdate\UCLauncher.exe /SCHEDULER
     mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
     mRun: [cssauth] "c:\program files\ibm thinkvantage\client security solution\cssauth.exe" silent
     mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
     mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
     mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
     mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
     mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
     mRun: [bLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
     mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
     mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
     mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
     mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
     mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
     mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
     mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
     mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
     mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
     mRun: [tbhSystray] c:\program files\tbh\base\bin\tbhSystray.exe
     mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
     mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
     StartupFolder: c:\docume~1\lonnie~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
     IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
     IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
     IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
     IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
     IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
     DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} - hxxp://www.blackberry.com/devicesoftware/AxLoader.cab
     DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
     DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
     DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
     DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
     DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
     Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
     Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
     Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
     Notify: igfxcui - igfxdev.dll
     Notify: tpfnf2 - notifyf2.dll
     Notify: tphotkey - tphklock.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

     ================= FIREFOX ===================

     FF - ProfilePath - c:\docume~1\lonnie~1\applic~1\mozilla\firefox\profiles\bpgu1pxj.default\
     FF - component: c:\documents and settings\lonnie hastings\application data\mozilla\firefox\profiles\bpgu1pxj.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
     FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
     FF - plugin: c:\documents and settings\lonnie hastings\application data\mozilla\firefox\profiles\bpgu1pxj.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
     FF - plugin: c:\documents and settings\lonnie hastings\application data\mozilla\plugins\npatgpc.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
     FF - plugin: c:\program files\picasa2\npPicasa3.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
     FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

     ============= SERVICES / DRIVERS ===============

     R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-11-15 214664]
     R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-3 93320]
     R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-11-15 359952]
     R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-11-15 144704]
     R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]
     R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-12-21 3968]
     R2 StarlightService;Starlight Server;c:\program files\future point\starlight\bin\SLServerRepository.exe [2009-5-8 811008]
     R2 StarlightXEEService;Starlight XEE Service;c:\program files\future point\xee\bin\SLXee2ServiceU.exe [2009-5-8 122880]
     R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [2009-10-22 70952]
     R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-11-15 79816]
     R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-11-15 35272]
     S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ancsq.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
     S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-11-15 34248]
     S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-11-15 40552]
     S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-1-26 18176]
     S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-1-26 7680]
     S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-1-26 23680]
     S3 MSHUSBVideo;NX6000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2007-11-18 31512]
     S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-1-1 13840]
     S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-11-15 606736]

     =============== Created Last 30 ================

     2010-05-16 17:20:41 0 d-----w- c:\program files\ESET
     2010-05-16 16:40:46 0 d-----w- C:\ComboFix
     2010-05-14 19:01:33 0 d-----w- c:\program files\common files\Macrovision Shared
     2010-05-14 19:01:14 0 d-----w- c:\program files\Tableau
     2010-05-14 17:50:03 15360 ----a-w- c:\windows\system32\dllcache\ctfmon.exe
     2010-05-14 17:50:03 15360 ----a-w- c:\windows\system32\ctfmon.exe
     2010-05-13 02:12:13 0 ----a-w- c:\documents and settings\lonnie hastings\defogger_reenable
     2010-05-12 20:49:54 18845 ----a-w- c:\documents and settings\lonnie hastings\.recently-used.xbel
     2010-05-12 20:00:19 77312 ----a-w- c:\windows\MBR.exe
     2010-05-11 15:17:22 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
     2010-05-11 15:10:43 0 d-----w- c:\program files\Bonjour
     2010-04-22 15:10:15 0 d-----w- c:\windows\hpojp8500a909
     2010-04-22 15:09:36 118272 ----a-w- c:\windows\system32\hpf3l082.dll
     2010-04-22 15:09:35 271704 ----a-r- c:\windows\system32\hpzids01.dll
     2010-04-22 15:09:01 966656 ----a-r- c:\windows\system32\hpwtiop4.dll
     2010-04-22 15:09:01 364544 ----a-r- c:\windows\system32\hppldcoi.dll
     2010-04-22 15:09:01 309760 ----a-r- c:\windows\system32\difxapi.dll
     2010-04-22 15:09:01 294912 ----a-r- c:\windows\system32\hpovst11.dll
     2010-04-22 15:09:00 741376 ----a-r- c:\windows\system32\hpwwiax5.dll
     2010-04-22 15:08:57 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
     2010-04-22 15:08:57 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
     2010-04-22 14:43:45 131434 ----a-w- c:\windows\hpwins22.dat
     2010-04-22 14:43:45 1075 ------w- c:\windows\hpwmdl22.dat

     ==================== Find3M ====================

     2010-05-16 12:07:19 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
     2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-04-26 22:58:12 256512 ----a-w- c:\windows\PEV.exe
     2010-04-16 15:33:36 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
     2010-04-16 15:33:36 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
     2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
     2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
     2010-03-22 18:38:00 3600384 ----a-w- c:\windows\system32\GPhotos.scr
     2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
     2010-03-10 08:02:04 417792 ------w- c:\windows\system32\dllcache\vbscript.dll
     2010-03-10 04:57:43 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
     2010-03-10 04:57:36 1024000 ------w- c:\windows\system32\dllcache\browseui.dll
     2010-02-26 19:35:08 3073024 ------w- c:\windows\system32\dllcache\mshtml.dll
     2010-02-25 11:17:33 18432 ------w- c:\windows\system32\dllcache\iedw.exe
     2010-02-24 12:31:30 454016 ------w- c:\windows\system32\dllcache\mrxsmb.sys
     2010-02-17 18:57:54 2063744 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
     2010-02-16 17:37:57 2186880 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
     2010-02-16 17:35:40 2143744 ------w- c:\windows\system32\ntoskrnl.exe
     2010-02-16 17:35:40 2143744 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
     2010-02-16 16:57:54 2021888 ------w- c:\windows\system32\ntkrnlpa.exe
     2010-02-16 16:57:54 2021888 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
     2006-10-04 18:42:48 774144 ------w- c:\program files\RngInterstitial.dll

     ============= FINISH: 12:26:25.40 ===============
  3. Here is the ESET log:

     ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK
     # version=7
     # iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
     # OnlineScanner.ocx=1.0.0.6211
     # api_version=3.0.2
     # EOSSerial=e828fc0b45f6f349b114a3fc26ab3566
     # end=finished
     # remove_checked=true
     # archives_checked=false
     # unwanted_checked=true
     # unsafe_checked=false
     # antistealth_checked=true
     # utc_time=2010-05-16 07:14:44
     # local_time=2010-05-16 12:14:44 (-0800, Pacific Daylight Time)
     # country="United States"
     # lang=9
     # osver=5.1.2600 NT Service Pack 2
     # compatibility_mode=5121 16776869 100 96 3270625 26864051 0 0
     # compatibility_mode=8192 67108863 100 0 0 0 0 0
     # scanned=100570
     # found=1
     # cleaned=1
     # scan_time=6356
     C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP149\A0037349.sys   a variant of Win32/Olmarik.TN trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C

     and the Malwarebytes log:

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org

     Database version: 4106

     Windows 5.1.2600 Service Pack 2
     Internet Explorer 6.0.2900.2180

     5/16/2010 10:16:35 AM
     mbam-log-2010-05-16 (10-16-35).txt

     Scan type: Quick scan
     Objects scanned: 120058
     Time elapsed: 7 minute(s), 56 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  4. Here's the new ComboFix log:

     ComboFix 10-05-15.03 - Lonnie Hastings 05/16/2010 9:41.5.2 - x86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1362 [GMT -7:00]
     Running from: c:\documents and settings\Lonnie Hastings\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Lonnie Hastings\Desktop\CFScript.txt
     AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
     FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
     .
     ((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
     .
     2010-05-14 19:01 . 2010-05-14 19:01 -------- d-----w- c:\program files\Common Files\Macrovision Shared
     2010-05-14 19:01 . 2010-05-14 19:01 -------- d-----w- c:\program files\Tableau
     2010-05-14 17:50 . 2004-08-04 12:00 15360 ----a-w- c:\windows\system32\dllcache\ctfmon.exe
     2010-05-14 17:50 . 2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
     2010-05-12 05:15 . 2010-05-12 05:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
     2010-05-11 15:17 . 2010-05-11 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
     2010-05-11 15:13 . 2010-05-11 15:14 -------- d-----w- c:\program files\QuickTime
     2010-05-11 15:10 . 2010-05-11 15:10 -------- d-----w- c:\program files\Bonjour
     2010-05-11 15:08 . 2010-05-11 15:08 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
     2010-05-02 16:48 . 2010-05-02 16:48 -------- d-s---w- c:\documents and settings\NetworkService\UserData
     2010-05-02 15:43 . 2010-05-07 13:43 -------- d-----w- c:\documents and settings\Lonnie Hastings\Application Data\1F930E4D7330697CD6E6FD6F88246F18
     2010-05-02 06:34 . 2010-05-02 15:47 -------- d-----w- c:\documents and settings\Lonnie Hastings\Local Settings\Application Data\qylfpippw
     2010-04-22 15:10 . 2010-04-22 15:10 -------- d-----w- c:\windows\hpojp8500a909
     2010-04-22 15:09 . 2008-08-12 17:58 118272 ----a-w- c:\windows\system32\hpf3l082.dll
     2010-04-22 15:09 . 2008-08-12 17:58 314880 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp082.dll
     2010-04-22 15:09 . 2008-08-22 04:24 271704 ----a-r- c:\windows\system32\hpzids01.dll
     2010-04-22 15:09 . 2008-10-06 11:11 966656 ----a-r- c:\windows\system32\hpwtiop4.dll
     2010-04-22 15:09 . 2007-07-09 10:13 364544 ----a-r- c:\windows\system32\hppldcoi.dll
     2010-04-22 15:09 . 2007-07-09 10:13 309760 ----a-r- c:\windows\system32\difxapi.dll
     2010-04-22 15:09 . 2007-07-06 10:48 294912 ----a-r- c:\windows\system32\hpovst11.dll
     2010-04-22 15:09 . 2008-10-06 11:11 741376 ----a-r- c:\windows\system32\hpwwiax5.dll
     2010-04-22 15:08 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
     2010-04-22 15:08 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
     2010-04-22 15:06 . 2010-04-22 15:06 -------- d-----w- c:\program files\Hewlett-Packard
     2010-04-22 14:43 . 2010-04-22 15:25 131434 ----a-w- c:\windows\hpwins22.dat
     2010-04-22 14:43 . 2008-10-25 02:28 1075 ------w- c:\windows\hpwmdl22.dat
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-05-16 12:07 . 2006-08-17 09:42 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
     2010-05-11 15:18 . 2007-11-19 01:25 -------- d-----w- c:\program files\iTunes
     2010-05-11 15:17 . 2006-09-08 04:59 -------- d-----w- c:\program files\iPod
     2010-05-11 15:17 . 2007-11-19 01:23 -------- d-----w- c:\program files\Common Files\Apple
     2010-05-09 01:27 . 2007-11-18 21:18 -------- d---a-w- c:\documents and settings\Lonnie Hastings\Application Data\Skype
     2010-05-09 00:28 . 2007-11-18 21:19 -------- d-----w- c:\documents and settings\Lonnie Hastings\Application Data\skypePM
     2010-05-07 19:45 . 2009-03-01 22:14 -------- d--h--w- c:\documents and settings\Lonnie Hastings\Application Data\gtk-2.0
     2010-05-02 20:50 . 2009-08-03 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-04-29 22:39 . 2009-08-03 13:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-04-29 22:39 . 2009-08-03 13:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-04-16 15:33 . 2009-10-26 06:27 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
     2010-04-16 15:33 . 2008-12-04 00:52 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
     2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
     2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
     2010-04-08 00:42 . 2007-11-15 07:58 -------- d-----w- c:\program files\McAfee
     2010-03-28 05:32 . 2006-08-17 09:42 -------- d-----w- c:\program files\Picasa2
     2010-03-28 05:30 . 2006-08-17 09:42 -------- d-----w- c:\program files\Google
     2010-03-22 18:38 . 2010-03-22 18:38 3600384 ----a-w- c:\windows\system32\GPhotos.scr
     2010-03-10 08:02 . 1980-01-01 07:00 417792 ----a-w- c:\windows\system32\vbscript.dll
     2010-02-26 06:05 . 1980-01-01 07:00 668672 ----a-w- c:\windows\system32\wininet.dll
     2010-02-26 06:05 . 1980-01-01 07:00 81920 ------w- c:\windows\system32\ieencode.dll
     2010-02-24 12:31 . 1980-01-01 07:00 454016 ------w- c:\windows\system32\drivers\mrxsmb.sys
     2010-02-19 16:56 . 2009-10-22 21:57 217088 ----a-w- c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
     2010-02-16 17:35 . 1980-01-01 07:00 2143744 ------w- c:\windows\system32\ntoskrnl.exe
     2010-02-16 16:57 . 2004-08-04 05:59 2021888 ------w- c:\windows\system32\ntkrnlpa.exe
     2006-10-04 18:42 . 2006-10-04 18:42 774144 ------w- c:\program files\RngInterstitial.dll
     .
     ((((((((((((((((((((((((((((( SnapShot@2010-05-16_16.20.29 )))))))))))))))))))))))))))))))))))))))))
     .
     - 2010-05-13 18:46 . 2010-05-16 12:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     + 2010-05-13 18:46 . 2010-05-16 16:38 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     + 2006-08-27 11:40 . 2010-05-16 16:38 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     - 2006-08-27 11:40 . 2010-05-16 12:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     + 2010-05-16 16:38 . 2010-05-16 16:38 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-26 67128]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "TrackPointSrv"="tp4mon.exe" [2004-08-04 82432]
     "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
     "TpShocks"="TpShocks.exe" [2005-11-07 106496]
     "TP4EX"="tp4ex.exe" [2005-10-17 65536]
     "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-15 98304]
     "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-15 77824]
     "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-15 118784]
     "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]
     "TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]
     "suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
     "LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2005-11-24 106496]
     "cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 1996336]
     "PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
     "DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]
     "ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
     "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
     "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
     "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]
     "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
     "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
     "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
     "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
     "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
     "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
     "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
     "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
     "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 275800]
     "tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2010-05-16 492840]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

     c:\documents and settings\Lonnie Hastings\Start Menu\Programs\Startup\
     Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
     2005-07-06 06:45 28672 ------w- c:\windows\system32\notifyf2.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
     2005-12-01 03:16 24576 ------w- c:\windows\system32\tphklock.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
     @=""

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
     @=""

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001
     "FirewallOverride"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "DisableNotifications"= 1 (0x1)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
     "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
     "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
     "c:\\Program Files\\DNA\\btdna.exe"=
     "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
     "c:\\Program Files\\IBM\\TeamConcert\\client\\eclipse\\jdk\\jre\\bin\\javaw.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
     "c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
     "c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
     "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
     "c:\\WINDOWS\\system32\\spoolsv.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "5191:TCP"= 5191:TCP:The Browser Highlighter XCOM

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
     "AllowInboundEchoRequest"= 1 (0x1)
     "AllowOutboundDestinationUnreachable"= 1 (0x1)

     R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/3/2008 9:36 PM 93320]
     R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 1:11 PM 46142]
     R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 4:45 PM 3968]
     R2 StarlightService;Starlight Server;c:\program files\Future Point\Starlight\Bin\SLServerRepository.exe [5/8/2009 9:14 AM 811008]
     R2 StarlightXEEService;Starlight XEE Service;c:\program files\Future Point\XEE\Bin\SLXee2ServiceU.exe [5/8/2009 9:19 AM 122880]
     R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 2:57 PM 70952]
     S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
     S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [1/26/2008 5:58 PM 18176]
     S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [1/26/2008 5:58 PM 7680]
     S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [1/26/2008 5:58 PM 23680]
     S3 MSHUSBVideo;NX6000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [11/18/2007 7:53 PM 31512]
     S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 13840]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
     HPService REG_MULTI_SZ HPSLPSVC
     .
     Contents of the 'Scheduled Tasks' folder

     2009-05-15 c:\windows\Tasks\McDefragTask.job
     - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-15 19:22]

     2009-01-01 c:\windows\Tasks\McQcTask.job
     - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-15 19:22]

     2010-05-16 c:\windows\Tasks\PMTask.job
     - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-08-17 08:12]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com
     mStart Page = hxxp://www.google.com
     uInternet Settings,ProxyOverride = *.local
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
     IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
     IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
     Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
     FF - ProfilePath - c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\
     FF - component: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
     FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
     FF - plugin: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
     FF - plugin: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\plugins\npatgpc.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
     FF - plugin: c:\program files\Picasa2\npPicasa3.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
     .
     **************************************************************************

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files:

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\,** ]
     "Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(932)
     c:\windows\system32\tphklock.dll

     - - - - - - - > 'explorer.exe'(4324)
     c:\windows\system32\PROCHLP.DLL
     c:\progra~1\mcafee\SITEAD~1\saHook.dll
     c:\program files\iTunes\iTunesMiniPlayer.dll
     c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
     c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     Completion time: 2010-05-16 09:45:49
     ComboFix-quarantined-files.txt 2010-05-16 16:45
     ComboFix2.txt 2010-05-16 16:23
     ComboFix3.txt 2010-05-13 15:45
     ComboFix4.txt 2009-09-22 16:10

     Pre-Run: 21,384,581,120 bytes free
     Post-Run: 21,362,003,968 bytes free

     - - End Of File - - 21A79A20FD8CEC0E104D1A6D79156967
  5. here is the combofix log:

ComboFix 10-05-15.03 - Lonnie Hastings 05/16/2010 9:13.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1398 [GMT -7:00]
Running from: c:\documents and settings\Lonnie Hastings\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.
2010-05-14 19:01 . 2010-05-14 19:01 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-05-14 19:01 . 2010-05-14 19:01 -------- d-----w- c:\program files\Tableau
2010-05-14 17:50 . 2004-08-04 12:00 15360 ----a-w- c:\windows\system32\dllcache\ctfmon.exe
2010-05-14 17:50 . 2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
2010-05-12 05:15 . 2010-05-12 05:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-11 15:17 . 2010-05-11 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-11 15:13 . 2010-05-11 15:14 -------- d-----w- c:\program files\QuickTime
2010-05-11 15:10 . 2010-05-11 15:10 -------- d-----w- c:\program files\Bonjour
2010-05-11 15:08 . 2010-05-11 15:08 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-02 16:48 . 2010-05-02 16:48 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-05-02 15:43 . 2010-05-07 13:43 -------- d-----w- c:\documents and settings\Lonnie Hastings\Application Data\1F930E4D7330697CD6E6FD6F88246F18
2010-05-02 06:34 . 2010-05-02 15:47 -------- d-----w- c:\documents and settings\Lonnie Hastings\Local Settings\Application Data\qylfpippw
2010-04-22 15:10 . 2010-04-22 15:10 -------- d-----w- c:\windows\hpojp8500a909
2010-04-22 15:09 . 2008-08-12 17:58 118272 ----a-w- c:\windows\system32\hpf3l082.dll
2010-04-22 15:09 . 2008-08-12 17:58 314880 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp082.dll
2010-04-22 15:09 . 2008-08-22 04:24 271704 ----a-r- c:\windows\system32\hpzids01.dll
2010-04-22 15:09 . 2008-10-06 11:11 966656 ----a-r- c:\windows\system32\hpwtiop4.dll
2010-04-22 15:09 . 2007-07-09 10:13 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2010-04-22 15:09 . 2007-07-09 10:13 309760 ----a-r- c:\windows\system32\difxapi.dll
2010-04-22 15:09 . 2007-07-06 10:48 294912 ----a-r- c:\windows\system32\hpovst11.dll
2010-04-22 15:09 . 2008-10-06 11:11 741376 ----a-r- c:\windows\system32\hpwwiax5.dll
2010-04-22 15:08 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2010-04-22 15:08 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2010-04-22 15:06 . 2010-04-22 15:06 -------- d-----w- c:\program files\Hewlett-Packard
2010-04-22 14:43 . 2010-04-22 15:25 131434 ----a-w- c:\windows\hpwins22.dat
2010-04-22 14:43 . 2008-10-25 02:28 1075 ------w- c:\windows\hpwmdl22.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 12:07 . 2006-08-17 09:42 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-05-11 15:18 . 2007-11-19 01:25 -------- d-----w- c:\program files\iTunes
2010-05-11 15:17 . 2006-09-08 04:59 -------- d-----w- c:\program files\iPod
2010-05-11 15:17 . 2007-11-19 01:23 -------- d-----w- c:\program files\Common Files\Apple
2010-05-09 01:27 . 2007-11-18 21:18 -------- d---a-w- c:\documents and settings\Lonnie Hastings\Application Data\Skype
2010-05-09 00:28 . 2007-11-18 21:19 -------- d-----w- c:\documents and settings\Lonnie Hastings\Application Data\skypePM
2010-05-07 19:45 . 2009-03-01 22:14 -------- d--h--w- c:\documents and settings\Lonnie Hastings\Application Data\gtk-2.0
2010-05-02 20:50 . 2009-08-03 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 22:39 . 2009-08-03 13:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-08-03 13:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 15:33 . 2009-10-26 06:27 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-16 15:33 . 2008-12-04 00:52 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-08 00:42 . 2007-11-15 07:58 -------- d-----w- c:\program files\McAfee
2010-03-28 05:32 . 2006-08-17 09:42 -------- d-----w- c:\program files\Picasa2
2010-03-28 05:30 . 2006-08-17 09:42 -------- d-----w- c:\program files\Google
2010-03-22 18:38 . 2010-03-22 18:38 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-03-10 08:02 . 1980-01-01 07:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:05 . 1980-01-01 07:00 668672 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:05 . 1980-01-01 07:00 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 1980-01-01 07:00 454016 ------w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 16:56 . 2009-10-22 21:57 217088 ----a-w- c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
2010-02-16 17:35 . 1980-01-01 07:00 2143744 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 16:57 . 2004-08-04 05:59 2021888 ------w- c:\windows\system32\ntkrnlpa.exe
2006-10-04 18:42 . 2006-10-04 18:42 774144 ------w- c:\program files\RngInterstitial.dll
.
<pre>
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Logitech\Desktop Messenger\8876480\Program\logitechdesktopmessenger .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 82432]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-15 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-15 118784]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2005-11-24 106496]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 1996336]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 275800]
"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2010-05-16 492840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\Lonnie Hastings\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\IBM\\TeamConcert\\client\\eclipse\\jdk\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/3/2008 9:36 PM 93320]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 1:11 PM 46142]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 4:45 PM 3968]
R2 StarlightService;Starlight Server;c:\program files\Future Point\Starlight\Bin\SLServerRepository.exe [5/8/2009 9:14 AM 811008]
R2 StarlightXEEService;Starlight XEE Service;c:\program files\Future Point\XEE\Bin\SLXee2ServiceU.exe [5/8/2009 9:19 AM 122880]
R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 2:57 PM 70952]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [1/26/2008 5:58 PM 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [1/26/2008 5:58 PM 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [1/26/2008 5:58 PM 23680]
S3 MSHUSBVideo;NX6000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [11/18/2007 7:53 PM 31512]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 13840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-15 19:22]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-15 19:22]

2010-05-16 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-08-17 08:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\
FF - component: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-16 09:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\,** ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(932)
c:\windows\system32\tphklock.dll
- - - - - - - > 'explorer.exe'(3168)
c:\windows\system32\PROCHLP.DLL
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-16 09:23:13
ComboFix-quarantined-files.txt 2010-05-16 16:22
ComboFix2.txt 2010-05-13 15:45
ComboFix3.txt 2009-09-22 16:10
Pre-Run: 21,269,475,328 bytes free
Post-Run: 21,367,447,552 bytes free
- - End Of File - - DC0E0BCABECF2A6DB3C40524F7FFE3AD
  6. here is the latest GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-16 08:37:52
Windows 5.1.2600 Service Pack 2
Running: foe5824e.exe; Driver: C:\DOCUME~1\LONNIE~1\LOCALS~1\Temp\agtdapob.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA792278A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA7922821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA7922738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA792274C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA7922835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA7922861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA79228CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA79228B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA79227CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA79228FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA792280D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA7922710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA7922724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA792279E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA7922937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA79228A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA792288D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA792284B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA7922923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA792290F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA7922776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA7922762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA7922877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA79227F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA79228E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA79227E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA79227B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504ABC 7 Bytes JMP A79227B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577F76 5 Bytes JMP A792278E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0E3E 7 Bytes JMP A79227CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B1C4C 5 Bytes JMP A79227E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B7222 7 Bytes JMP A79227A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CA160 5 Bytes JMP A7922714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CA3EC 5 Bytes JMP A7922728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CCBAA 5 Bytes JMP A7922766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFE96 7 Bytes JMP A7922750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805CFF4C 5 Bytes JMP A792273C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D0456 5 Bytes JMP A792277A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D1686 5 Bytes JMP A79227FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80620664 7 Bytes JMP A7922891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 806209B2 5 Bytes JMP A7922913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80620C6A 7 Bytes JMP A792287B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80620F32 7 Bytes JMP A79228E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 8062178C 7 Bytes JMP A79228A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80621FE4 7 Bytes JMP A792284F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806225BE 5 Bytes JMP A7922825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80622A5A 7 Bytes JMP A7922839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622C2A 7 Bytes JMP A7922865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622E0A 7 Bytes JMP A79228D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80623074 7 Bytes JMP A79228BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80623960 5 Bytes JMP A7922811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80623CA0 7 Bytes JMP A792293B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 806241C6 5 Bytes JMP A7922927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806242E0 5 Bytes JMP A79228FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01300FE5
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01300F41
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01300F52
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0130002C
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01300F79
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01300F94
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01300073
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01300062
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01300EEE
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01300EFF
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 01300EDD
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0130001B
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 01300FCA
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01300051
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01300000
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 01300FB9
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 01300F1A
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 012F0036
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 012F0062
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 012F0025
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 012F0FE5
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 012F0FA5
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 012F0000
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 012F0047
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 012F0FC0
.text C:\WINDOWS\system32\svchost.exe[416] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 012E003D
.text C:\WINDOWS\system32\svchost.exe[416] msvcrt.dll!system 77C293C7 5 Bytes JMP 012E0022
.text C:\WINDOWS\system32\svchost.exe[416] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 012E0000
.text C:\WINDOWS\system32\svchost.exe[416] msvcrt.dll!_open 77C2F566 5 Bytes JMP 012E0FE3
.text C:\WINDOWS\system32\svchost.exe[416] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 012E0011
.text C:\WINDOWS\system32\svchost.exe[416] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 012E0FD2
.text C:\WINDOWS\system32\svchost.exe[416] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[416] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 012D0FD4
.text C:\WINDOWS\system32\svchost.exe[416] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 012D0FEF
.text C:\WINDOWS\system32\svchost.exe[416] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 012D0FAD
.text C:\WINDOWS\system32\svchost.exe[416] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 012D0F9C
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[756] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[756] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00070080
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070F8B
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00070065
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00070054
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00070F38
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00070F49
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00070F02
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 0007009B
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00070EF1
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00070FB2
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00070F66
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00070F1D
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F8D
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 0006004A
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[1000] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050040
.text C:\WINDOWS\system32\services.exe[1000] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FAB
.text C:\WINDOWS\system32\services.exe[1000] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FC6
.text C:\WINDOWS\system32\services.exe[1000] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FE3
.text C:\WINDOWS\system32\services.exe[1000] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0005001B
.text C:\WINDOWS\system32\services.exe[1000] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[1000] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01110000
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01110F80
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01110075
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01110F9B
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01110FB6
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01110047
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01110F48
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01110F65
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01110F08
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01110F19
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 011100B2
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 01110058
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0111001B
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01110086
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01110FDB
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateNamedPipeA 7C85FE94 3 Bytes JMP 0111002C
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateNamedPipeA + 4 7C85FE98 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 011100A1
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF0054
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF0014
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00FF0F97
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00FF0FB2
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [1F, 89]
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00FF0039
.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0042
.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0FB7
.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0FD2
.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE001D
.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE000C
.text C:\WINDOWS\system32\lsass.exe[1024] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008C0000
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008C0F72
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008C0F83
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008C0F94
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008C0051
.text 
C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008C0FAF .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008C009F .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008C008E .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008C00C4 .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008C0F35 .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008C00D5 .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 008C0036 .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 008C001B .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 008C0F61 .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 008C0FC0 .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 008C0FDB .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008C0F46 .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008B002F .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008B0065 .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008B0FD4 .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008B0000 .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 008B0FA8 .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 008B0FEF .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 008B0FC3 .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 
Bytes [AB, 88] .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 008B004A .text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008A0FB9 .text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!system 77C293C7 5 Bytes JMP 008A0FD4 .text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008A0029 .text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008A0000 .text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008A0044 .text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008A0FEF .text C:\WINDOWS\system32\svchost.exe[1208] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00890FEF .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A30FEF .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A3007F .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A3006E .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A30F94 .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A30FA5 .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A30FB6 .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A300B0 .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A30F68 .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A300CB .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A30F32 .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00A300DC .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00A30047 .text 
C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00A30000 .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00A30F79 .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00A30022 .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00A30011 .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00A30F4D .text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A20022 .text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A20F6F .text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A20FD1 .text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A20011 .text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00A20F8A .text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00A20000 .text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00A20F9B .text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [C2, 88] .text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00A20FB6 .text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A10069 .text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A10044 .text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A10FEF .text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A10000 .text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A10FDE .text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A1001D .text 
C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A00FE5 .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 03190000 .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 03190F76 .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 03190075 .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 03190064 .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 03190047 .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 03190036 .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 03190F4F .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 03190097 .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 031900CD .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 031900BC .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 03190F0F .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 03190FA5 .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0319001B .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 03190086 .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 03190FCA .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 03190FE5 .text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 03190F3E .text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0318000A .text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes 
JMP 0318005B .text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03180FC3 .text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03180FDE .text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 03180040 .text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 03180FEF .text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 03180F9E .text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [38, 8B] .text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 03180025 .text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0317000A .text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!system 77C293C7 5 Bytes JMP 03170F7F .text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03170FB5 .text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03170FE3 .text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03170F9A .text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03170FD2 .text C:\WINDOWS\System32\svchost.exe[1328] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 03150FEF .text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 03160FD4 .text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 03160FE5 .text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 03160FC3 .text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 03160FB2 .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B000A .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B0056 .text 
C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0F61 .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0F72 .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B002F .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0FB2 .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B0078 .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0067 .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B00BF .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B00AE .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001B0F01 .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001B0F97 .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001B0FEF .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001B0F46 .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001B0FCD .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001B0FDE .text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001B0093 .text C:\WINDOWS\system32\wuauclt.exe[1440] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290F92 .text C:\WINDOWS\system32\wuauclt.exe[1440] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290FA3 .text C:\WINDOWS\system32\wuauclt.exe[1440] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0029000C .text C:\WINDOWS\system32\wuauclt.exe[1440] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290FEF .text C:\WINDOWS\system32\wuauclt.exe[1440] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0029001D .text 
C:\WINDOWS\system32\wuauclt.exe[1440] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FD2 .text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FCA .text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F94 .text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A001B .text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FEF .text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 002A0051 .text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 002A0000 .text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 002A0FAF .text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [4A, 88] .text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 002A0036 .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A4000A .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A40F77 .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A40076 .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A40F9C .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A40065 .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A40FC3 .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A40098 .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A40F50 .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A40F35 .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateProcessA 7C802367 5 
Bytes JMP 00A400D8 .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00A400F3 .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00A40054 .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00A40FE5 .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00A40087 .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00A4002F .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00A40FD4 .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00A400BD .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A30033 .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExW 77DD776C 1 Byte [E9] .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A30070 .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A30022 .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A30011 .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00A3005F .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00A30000 .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00A30FBD .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [C3, 88] .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00A3004E .text C:\WINDOWS\system32\svchost.exe[1564] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A20F7F .text C:\WINDOWS\system32\svchost.exe[1564] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A20000 .text C:\WINDOWS\system32\svchost.exe[1564] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 
00A20FAB .text C:\WINDOWS\system32\svchost.exe[1564] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A20FEF .text C:\WINDOWS\system32\svchost.exe[1564] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A20F90 .text C:\WINDOWS\system32\svchost.exe[1564] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A20FC6 .text C:\WINDOWS\system32\svchost.exe[1564] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A10FEF .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A8000A .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A8009A .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A80089 .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A80078 .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A80FAF .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A80FCA .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A800BC .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A80F74 .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A80F3E .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A800D7 .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00A80F19 .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00A80051 .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00A80025 .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00A800AB .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00A80FEF .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 
00A80036 .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00A80F59 .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A7002C .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A70F97 .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A7001B .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A70FE5 .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00A70FA8 .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00A70000 .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00A70FB9 .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [C7, 88] .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00A70FCA .text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A6005D .text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A60042 .text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A6000C .text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A60FEF .text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A60027 .text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A60FD2 .text C:\WINDOWS\system32\svchost.exe[1604] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A50000 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00800FEF .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00800078 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00800067 .text 
C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00800F83 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00800040 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0080002F .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00800F5E .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0080009A .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008000E3 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008000D2 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008000F4 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00800FA8 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00800FDE .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00800089 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00800014 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00800FC3 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008000B7 .text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007F001B .text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007F0F8A .text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007F0FC0 .text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007F0FDB .text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 007F0FAF .text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 
Bytes JMP 007F0000 .text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 007F0047 .text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 007F0036 .text C:\WINDOWS\System32\svchost.exe[1864] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E003D .text C:\WINDOWS\System32\svchost.exe[1864] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E002C .text C:\WINDOWS\System32\svchost.exe[1864] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E0011 .text C:\WINDOWS\System32\svchost.exe[1864] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0FE3 .text C:\WINDOWS\System32\svchost.exe[1864] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E0FC6 .text C:\WINDOWS\System32\svchost.exe[1864] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E0000 .text C:\WINDOWS\System32\svchost.exe[1864] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007D0FE5 .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008F0000 .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008F007C .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008F0F87 .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008F0FA2 .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008F005F .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008F003D .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008F0F59 .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008F0F76 .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008F00D7 .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008F0F34 .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008F0F19 .text 
C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 008F004E .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 008F001B .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 008F00A1 .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 008F002C .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 008F0FE5 .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008F00BC .text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008E0022 .text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008E004E .text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008E0FDB .text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008E0011 .text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 008E0033 .text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 008E0000 .text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 008E0F9B .text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [AE, 88] .text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 008E0FB6 .text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008D002E .text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!system 77C293C7 5 Bytes JMP 008D0FAD .text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008D0FD2 .text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008D0FEF .text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008D001D .text 
C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008D000C .text C:\WINDOWS\system32\svchost.exe[2044] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 008C0FD4 .text C:\WINDOWS\system32\svchost.exe[2044] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 008C0FEF .text C:\WINDOWS\system32\svchost.exe[2044] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 008C0FC3 .text C:\WINDOWS\system32\svchost.exe[2044] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 008C0016 .text C:\WINDOWS\system32\svchost.exe[2044] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 008B000A .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00800FEF .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00800F4D .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00800F68 .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00800042 .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00800F83 .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0080000A .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0080007A .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0080005D .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00800F03 .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008000A6 .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008000B7 .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00800025 .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00800FD4 .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 
00800F32 .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00800FA8 .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00800FC3 .text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 0080008B .text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007F0FE5 .text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007F0F6F .text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007F0036 .text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007F001B .text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 007F0F94 .text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 007F000A .text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 007F0FAF .text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [9F, 88] .text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 007F0FCA .text C:\WINDOWS\System32\svchost.exe[2136] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0FB7 .text C:\WINDOWS\System32\svchost.exe[2136] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E0042 .text C:\WINDOWS\System32\svchost.exe[2136] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E001D .text C:\WINDOWS\System32\svchost.exe[2136] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E000C .text C:\WINDOWS\System32\svchost.exe[2136] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E0FC8 .text C:\WINDOWS\System32\svchost.exe[2136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E0FE3 .text C:\WINDOWS\System32\svchost.exe[2136] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007D0000 .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B90000 .text 
C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B90F8A .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B90F9B .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B90073 .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B90062 .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B90FC0 .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B900AB .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!GetStartupInfoA 7C801EEE 3 Bytes JMP 00B9009A .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!GetStartupInfoA + 4 7C801EF2 1 Byte [84] .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B900CD .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B90F34 .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00B90F23 .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00B90051 .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00B9001B .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00B90F79 .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00B90FDB .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00B90036 .text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00B900BC .text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B80036 .text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B8007D .text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 
Bytes JMP 00B80FEF .text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B80025 .text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00B80FC0 .text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00B8000A .text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 00B80062 .text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00B80051 .text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B7005A .text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70FD9 .text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B7002E .text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70000 .text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B7003F .text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B70011 .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00D60000 .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00D60F54 .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00D60049 .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00D60F6F .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00D60F80 .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00D60FB6 .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00D60F28 .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00D60F43 .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D600B7 .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!CreateProcessA 7C802367 5 
Bytes JMP 00D600A6 .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00D600C8 .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00D60F9B .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00D60011 .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00D6006E .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00D60FDB .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00D6002C .text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00D6008B .text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D50FAF .text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50F4D .text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D50FCA .text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D50FEF .text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00D50F5E .text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00D50000 .text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00D50F79 .text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [F5, 88] .text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00D50F94 .text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CD0FB9 .text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CD0FD4 .text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CD0FE5 .text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CD0000 .text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CD0044 .text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 
00CD0029 .text C:\WINDOWS\Explorer.EXE[3092] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 00CC0FD4 .text C:\WINDOWS\Explorer.EXE[3092] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 00CC0FEF .text C:\WINDOWS\Explorer.EXE[3092] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 00CC0016 .text C:\WINDOWS\Explorer.EXE[3092] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 00CC0FC3 .text C:\WINDOWS\Explorer.EXE[3092] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CB0000 .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02580000 .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02580F57 .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0258004C .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02580F72 .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02580F83 .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0258002F .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0258009F .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0258008E .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02580F10 .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02580F21 .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 02580EFF .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 02580FA8 .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 02580FE5 .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 02580071 .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 02580FC3 .text 
C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 02580FD4 .text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 02580F3C .text C:\WINDOWS\system32\wuauclt.exe[3156] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02560FB7 .text C:\WINDOWS\system32\wuauclt.exe[3156] msvcrt.dll!system 77C293C7 5 Bytes JMP 02560042 .text C:\WINDOWS\system32\wuauclt.exe[3156] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0256001D .text C:\WINDOWS\system32\wuauclt.exe[3156] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02560FEF .text C:\WINDOWS\system32\wuauclt.exe[3156] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02560FD2 .text C:\WINDOWS\system32\wuauclt.exe[3156] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0256000C .text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02570036 .text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02570F9B .text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02570025 .text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02570000 .text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 02570062 .text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 02570FE5 .text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 02570FC0 .text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [77, 8A] {JA 0xffffffffffffff8c} .text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 02570047 .text C:\WINDOWS\system32\wuauclt.exe[3156] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02550FEF ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000 ---- EOF - GMER 1.0.15 ----
  7. Hi, I changed the SATA setting and then started the Recovery Console and followed your directions. Here is the Results.txt file:
-----------------------------------------------------------------
The system cannot find the file or directory specified.
A directory or file with the name ctfmon.vir already exists.
A directory or file with the name pciide.vir already exists.
Overwrite pciide.sys? (Yes/No/All/Quit):
0 file(s) expanded.
-----------------------------------------------------------------
Is there something I did wrong? In the Recovery Console, I typed batch C:\fix.txt C:\Results, and this is what my fix.txt file looks like...
----------------------
ren c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe ctfmon.vir
ren c:\windows\system32\ctfmon.exe ctfmon.vir
ren C:\WINDOWS\system32\drivers\pciide.sys pciide.vir
expand C:\I386\PCIIDE.SY_ C:\WINDOWS\system32\drivers\
--------------------------------------------------------------------------
Is there something else I should do at this point, or should I go ahead with another GMER scan? Thank you for all your help!!
  8. Hi! I copied and saved the fix.txt file, but when I tried to boot into the Recovery Console, I got a blue error screen with stop code 0x00000007B. It said to check my computer for viruses and to run chkdsk /f to check my hard drive for corruption. I did this and then tried again to start the Recovery Console but got the same error message. Thank you!!!
  9. Here are the SystemLook results:
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 10:51 on 14/05/2010 by Lonnie Hastings (Administrator - Elevation successful)
========== Filefind ==========
Searching for "pciide.*"
C:\cmdcons\PCIIDE.SY_ --a--- 1695 bytes [20:51 17/08/2001] [20:51 17/08/2001] DD70748EDC4DB912A6603D87760EE322
C:\I386\PCIIDE.SY_ ------ 1695 bytes [12:00 04/08/2004] [12:00 04/08/2004] DD70748EDC4DB912A6603D87760EE322
C:\WINDOWS\system32\drivers\pciide.sys ------ 3328 bytes [19:02 09/08/2004] [20:51 17/08/2001] CCF5F451BB1A5A2A522A76E670000FF0
-=End Of File=-
  10. I am getting the same blue screen error that I experienced before.... After ComboFix starts and says it is scanning for infected files, my computer crashes and the error screen says BAD_POOL_CALLER. I tried to restart and run it again, but it happens every time... I went through the cycle 5-6 times with no luck.
  11. here is the GMER log: GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-05-13 14:33:29 Windows 5.1.2600 Service Pack 2 Running: foe5824e.exe; Driver: C:\DOCUME~1\LONNIE~1\LOCALS~1\Temp\agtdapob.sys ---- System - GMER 1.0.15 ---- Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x9FE7478A] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0x9FE74821] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x9FE74738] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x9FE7474C] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0x9FE74835] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0x9FE74861] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0x9FE748CF] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0x9FE748B9] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x9FE747CA] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x9FE748FB] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0x9FE7480D] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x9FE74710] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x9FE74724] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
ZwProtectVirtualMemory [0x9FE7479E] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0x9FE74937] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0x9FE748A3] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0x9FE7488D] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0x9FE7484B] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x9FE74923] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x9FE7490F] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x9FE74776] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x9FE74762] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0x9FE74877] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x9FE747F9] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0x9FE748E5] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x9FE747E0] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x9FE747B4] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
NtMapViewOfSection Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwYieldExecution 80504ABC 7 Bytes JMP 9FE747B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtCreateFile 80577F76 5 Bytes JMP 9FE7478E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0E3E 7 Bytes JMP 9FE747CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B1C4C 5 Bytes JMP 9FE747E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B7222 7 Bytes JMP 9FE747A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenProcess 805CA160 5 Bytes JMP 9FE74714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenThread 805CA3EC 5 Bytes JMP 9FE74728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtSetInformationProcess 805CCBAA 5 Bytes JMP 9FE74766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFE96 7 Bytes JMP 9FE74750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcess 805CFF4C 5 Bytes JMP 9FE7473C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
PAGE ntkrnlpa.exe!ZwSetContextThread 805D0456 5 Bytes JMP 9FE7477A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwTerminateProcess 805D1686 5 Bytes JMP 9FE747FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryValueKey 80620664 7 Bytes JMP 9FE74891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRestoreKey 806209B2 5 Bytes JMP 9FE74913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetValueKey 80620C6A 7 Bytes JMP 9FE7487B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnloadKey 80620F32 7 Bytes JMP 9FE748E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 8062178C 7 Bytes JMP 9FE748A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRenameKey 80621FE4 7 Bytes JMP 9FE7484F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateKey 806225BE 5 Bytes JMP 9FE74825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwDeleteKey 80622A5A 7 Bytes JMP 9FE74839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622C2A 7 Bytes JMP 9FE74865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwEnumerateKey 80622E0A 7 Bytes JMP 9FE748D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80623074 7 Bytes JMP 9FE748BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwOpenKey 80623960 5 Bytes JMP 9FE74811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryKey 80623CA0 7 Bytes JMP 9FE7493B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwReplaceKey 806241C6 5 Bytes JMP 9FE74927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806242E0 5 Bytes JMP 9FE748FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) .rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xBA670814] ---- User code sections - GMER 1.0.15 ---- .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[156] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[156] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) 
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009F0000 .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009F0087 .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009F006C .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009F0F92 .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009F0FAF .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009F003D .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009F00BD .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009F00AC .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009F00E2 .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009F0F49 .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 009F0F38 .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 009F0FC0 .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 009F0FE5 .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 009F0F81 .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 009F002C .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 009F001B .text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 009F0F64 .text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009E0FD4 .text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009E0F94 .text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 
009E0FEF .text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009E0025 .text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 009E005B .text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 009E000A .text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 009E0040 .text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 009E0FC3 .text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009D0067 .text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!system 77C293C7 5 Bytes JMP 009D004C .text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009D0FE3 .text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009D000C .text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009D0FD2 .text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009D001D .text C:\WINDOWS\system32\svchost.exe[204] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 009C0FE5 .text C:\WINDOWS\system32\svchost.exe[204] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 009C0000 .text C:\WINDOWS\system32\svchost.exe[204] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 009C001B .text C:\WINDOWS\system32\svchost.exe[204] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 009C002C .text C:\WINDOWS\system32\svchost.exe[204] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007E0000 .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 013C0FEF .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 013C0F4B .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 013C0036 .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 013C0F68 .text C:\WINDOWS\system32\svchost.exe[348] 
kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 013C0F79 .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 013C0025 .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 013C0F2E .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 013C0076 .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 013C0091 .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 013C0EF8 .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 013C00AC .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 013C0F9E .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 013C0000 .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 013C005B .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 013C0FB9 .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 013C0FD4 .text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 013C0F1D .text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 013B0FCA .text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 013B005B .text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 013B001B .text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 013B0000 .text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 013B0F9E .text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 013B0FEF .text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 013B0FAF .text 
C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [5B, 89]
.text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 013B002C
.text C:\WINDOWS\system32\svchost.exe[348] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 013A0F97
.text C:\WINDOWS\system32\svchost.exe[348] msvcrt.dll!system 77C293C7 5 Bytes JMP 013A0FB2
.text C:\WINDOWS\system32\svchost.exe[348] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 013A0FDE
.text C:\WINDOWS\system32\svchost.exe[348] msvcrt.dll!_open 77C2F566 5 Bytes JMP 013A000C
.text C:\WINDOWS\system32\svchost.exe[348] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 013A0FCD
.text C:\WINDOWS\system32\svchost.exe[348] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 013A0FEF
.text C:\WINDOWS\system32\svchost.exe[348] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 01390FE5
.text C:\WINDOWS\system32\svchost.exe[348] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 01390000
.text C:\WINDOWS\system32\svchost.exe[348] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 01390FC8
.text C:\WINDOWS\system32\svchost.exe[348] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 01390FB7
.text C:\WINDOWS\system32\svchost.exe[348] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00DA000A
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00920000
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00920F72
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00920F8D
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00920F9E
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00920051
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00920FC0
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009200A4
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00920093
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00920F1F
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00920F3A
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 009200D3
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00920FAF
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00920011
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00920082
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00920FD1
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00920022
.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00920F4B
.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00910FC0
.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00910F5E
.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0091001B
.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00910FEF
.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00910F6F
.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00910000
.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00910F94
.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [b1, 88] {MOV CL, 0x88}
.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00910FA5
.text C:\WINDOWS\System32\svchost.exe[676] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00900F90
.text C:\WINDOWS\System32\svchost.exe[676] msvcrt.dll!system 77C293C7 5 Bytes JMP 00900FAB
.text C:\WINDOWS\System32\svchost.exe[676] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00900FC6
.text C:\WINDOWS\System32\svchost.exe[676] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00900000
.text C:\WINDOWS\System32\svchost.exe[676] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00900011
.text C:\WINDOWS\System32\svchost.exe[676] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00900FD7
.text C:\WINDOWS\System32\svchost.exe[676] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 007E000A
.text C:\WINDOWS\System32\svchost.exe[676] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\System32\svchost.exe[676] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 007E0FDE
.text C:\WINDOWS\System32\svchost.exe[676] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 007E0FCD
.text C:\WINDOWS\System32\svchost.exe[676] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001C000A
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00920000
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00920090
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00920075
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00920F9B
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00920058
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00920FC7
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00920F6A
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009200B2
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00920F3E
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009200D7
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00920F2D
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00920FAC
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00920011
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 009200A1
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00920033
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00920022
.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00920F59
.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00910FC0
.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00910F72
.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0091001B
.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00910FE5
.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00910F83
.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00910000
.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00910F94
.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [b1, 88] {MOV CL, 0x88}
.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00910FAF
.text C:\WINDOWS\System32\svchost.exe[680] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0090005F
.text C:\WINDOWS\System32\svchost.exe[680] msvcrt.dll!system 77C293C7 5 Bytes JMP 00900044
.text C:\WINDOWS\System32\svchost.exe[680] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00900029
.text C:\WINDOWS\System32\svchost.exe[680] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00900FEF
.text C:\WINDOWS\System32\svchost.exe[680] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00900FD4
.text C:\WINDOWS\System32\svchost.exe[680] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[680] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\System32\svchost.exe[680] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 007E0000
.text C:\WINDOWS\System32\svchost.exe[680] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 007E0027
.text C:\WINDOWS\System32\svchost.exe[680] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 007E0038
.text C:\WINDOWS\System32\svchost.exe[680] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FF0F63
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FF0058
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FF0047
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FF0F8A
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FF0FB6
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FF0069
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FF0F21
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FF0EF2
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FF008B
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00FF0EE1
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00FF0FA5
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00FF0F48
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00FF0022
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00FF0FDB
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00FF007A
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B80FC0
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B80051
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B8001B
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B8000A
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00B80F94
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00B80FAF
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [D8, 88]
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00B8002C
.text C:\WINDOWS\system32\services.exe[1008] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70049
.text C:\WINDOWS\system32\services.exe[1008] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70038
.text C:\WINDOWS\system32\services.exe[1008] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B7001D
.text C:\WINDOWS\system32\services.exe[1008] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\services.exe[1008] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70FC8
.text C:\WINDOWS\system32\services.exe[1008] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B70FE3
.text C:\WINDOWS\system32\services.exe[1008] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 00B60FE5
.text C:\WINDOWS\system32\services.exe[1008] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\services.exe[1008] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 00B6001B
.text C:\WINDOWS\system32\services.exe[1008] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 00B6002C
.text C:\WINDOWS\system32\services.exe[1008] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006F0000
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FF0F6B
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FF0F7C
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FF0F8D
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FF0040
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FF0FA8
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FF0087
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FF0F3F
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FF0F09
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FF0F24
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00FF0EF8
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00FF002F
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00FF0F50
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00FF001E
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00FF0098
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E40FAF
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E40062
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E40FCA
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00E40047
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 00E4002C
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00E4001B
.text C:\WINDOWS\system32\lsass.exe[1020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E3004E
.text C:\WINDOWS\system32\lsass.exe[1020] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E30FC3
.text C:\WINDOWS\system32\lsass.exe[1020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E30022
.text C:\WINDOWS\system32\lsass.exe[1020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\lsass.exe[1020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E3003D
.text C:\WINDOWS\system32\lsass.exe[1020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E30FDE
.text C:\WINDOWS\system32\lsass.exe[1020] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E10FEF
.text C:\WINDOWS\system32\lsass.exe[1020] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\lsass.exe[1020] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\lsass.exe[1020] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 00E20FD4
.text C:\WINDOWS\system32\lsass.exe[1020] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 00E2001B
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00EA00A2
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00EA0091
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00EA0076
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00EA0FB9
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00EA0FE5
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00EA0F77
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00EA00BF
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00EA0F4B
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00EA0F5C
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00EA0F30
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00EA0FCA
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00EA001B
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00EA0F88
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00EA0047
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00EA0036
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00EA00DA
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E90FD1
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E90062
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E90022
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E90011
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00E90FA5
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00E90FB6
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [09, 89]
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00E9003D
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E80FDE
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E8005F
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E80044
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E8000C
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E80029
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 00E7000A
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 00E70025
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 00E70042
.text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E00000
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C20FE5
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C2009D
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C20082
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C20071
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C20FB2
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C20F83
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C200C9
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C2010B
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C200F0
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00C20F4D
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00C20FC3
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00C200AE
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00C20040
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00C2001B
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00C20F72
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C10FB2
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C10040
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C10FC3
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C10FDE
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00C1002F
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00C10F8D
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [E1, 88] {LOOPZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00C1001E
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C00031
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00F9C
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C0000C
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C00FE3
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C00FB7
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C00FD2
.text C:\WINDOWS\system32\svchost.exe[1280] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[1280] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1280] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\svchost.exe[1280] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[1280] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BE000A
.text C:\WINDOWS\System32\svchost.exe[1320] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0094000A
.text C:\WINDOWS\System32\svchost.exe[1320] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0095000A
.text C:\WINDOWS\System32\svchost.exe[1320] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007E000C
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 03540FEF
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0354006E
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 03540F79
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 03540053
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 03540F8A
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 03540FA5
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 03540F32
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 03540F43
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 035400A6
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 03540F17
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 035400B7
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0354002C
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 03540000
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 03540F54
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 03540FC0
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 03540011
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 0354008B
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03530FDB
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03530F8D
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03530036
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0353001B
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 03530F9E
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 03530000
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 03530FAF
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [73, 8B] {JAE 0xffffffffffffff8d}
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 03530FCA
.text C:\WINDOWS\System32\svchost.exe[1320] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00B0000A
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03520F86
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!system 77C293C7 5 Bytes JMP 03520011
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03520FC6
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03520000
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03520FA1
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03520FE3
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 03510FEF
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 03510000
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 03510FDE
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 03510031
.text C:\WINDOWS\System32\svchost.exe[1320] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 03500FE5
.text C:\WINDOWS\Explorer.EXE[1588] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B1000A
.text C:\WINDOWS\Explorer.EXE[1588] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BB000A
.text C:\WINDOWS\Explorer.EXE[1588] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B0000C
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01AA0000
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01AA009D
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01AA0FA8
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01AA0FB9
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01AA0FCA
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01AA0051
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01AA0F72
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01AA00AE
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01AA0F46
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01AA00D5
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 01AA0F2B
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 01AA006C
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 01AA0FEF
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01AA0F83
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01AA0036
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 01AA0025
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 01AA0F57
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01A90FC3
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01A9005E
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01A90014
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01A90FDE
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 01A90FA1
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 01A90FEF
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 01A90039
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 01A90FB2
.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01A80F97
.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!system 77C293C7 5 Bytes JMP 01A80FB2
.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01A80FDE
.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01A80000
.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01A80FCD
.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01A80FEF
.text C:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetOpenW 771BAF6D 3 Bytes JMP 01A7000A
.text C:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetOpenW + 4 771BAF71 1 Byte [8A]
.text C:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 01A70FEF
.text C:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 01A70FDE
.text C:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 01A7002F
.text C:\WINDOWS\Explorer.EXE[1588] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01A60FEF
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00BA0F97
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00BA0FB9
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00BA006C
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BA0FCA
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00BA00C2
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00BA00B1
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BA0109
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BA00EE
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00BA0124
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00BA0051
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00BA0025
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00BA0F86
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00BA0036
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00BA00D3
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B90FCD
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B90079
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B90014
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B90FDE
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00B9005E
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00B90FB2
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [D9, 88]
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00B90039
.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B80036
.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80025
.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B80FC6
.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B80FE3
.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80FB5
.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[1676] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 007E0FE5
.text C:\WINDOWS\system32\svchost.exe[1676] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1676] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 007E001B
.text C:\WINDOWS\system32\svchost.exe[1676] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 007E0036
.text C:\WINDOWS\system32\svchost.exe[1676] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00950000
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00950076
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00950065
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00950F97
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0095004A
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00950FB9
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00950F38
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00950F49
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009500AF
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00950F0C
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 009500CA
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00950FA8
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00950011
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00950F66
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00950FCA
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00950FDB
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00950F1D
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0094002C
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0094005F
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00940011
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00940000
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 0094004E
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00940FEF
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 0094003D
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00940FC0
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0038
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E0FB7
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E0FE3
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E0FC8
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E001D
.text C:\WINDOWS\system32\svchost.exe[1704] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 001C000A
.text C:\WINDOWS\system32\svchost.exe[1704] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\svchost.exe[1704] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 001C0FC8
.text C:\WINDOWS\system32\svchost.exe[1704] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 001C0FB7
.text C:\WINDOWS\system32\svchost.exe[1704] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[2084] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0084000A
.text C:\WINDOWS\system32\wuauclt.exe[2084] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0085000A
.text C:\WINDOWS\system32\wuauclt.exe[2084] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0083000C
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0261000A
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02610F70
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02610F81
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02610F9C
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02610065
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02610040
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 026100B1
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02610F5F
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 026100CC
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02610F33
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 026100DD
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 02610FB9
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 02610025
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 02610080
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 02610FD4
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 02610FEF
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 02610F44
.text C:\WINDOWS\system32\wuauclt.exe[2084] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 025F0FCD
.text C:\WINDOWS\system32\wuauclt.exe[2084] msvcrt.dll!system 77C293C7 5 Bytes JMP 025F0058
.text C:\WINDOWS\system32\wuauclt.exe[2084] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 025F0033
.text C:\WINDOWS\system32\wuauclt.exe[2084] msvcrt.dll!_open 77C2F566 5 Bytes JMP 025F0000
.text C:\WINDOWS\system32\wuauclt.exe[2084] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 025F0FDE
.text C:\WINDOWS\system32\wuauclt.exe[2084] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 025F0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0260002C
.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0260006C
.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02600011
.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02600000
.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 02600FA5
.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 02600FE5
.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 02600047
.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 02600FB6
.text C:\WINDOWS\system32\wuauclt.exe[2084] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 025E0FD4
.text
C:\WINDOWS\system32\wuauclt.exe[2084] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 025E0FE5 .text C:\WINDOWS\system32\wuauclt.exe[2084] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 025E0FB7 .text C:\WINDOWS\system32\wuauclt.exe[2084] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 025E000A .text C:\WINDOWS\system32\wuauclt.exe[2084] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 025D0000 .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B3000A .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B30F9B .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B30FAC .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B30086 .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B30FC7 .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B30058 .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B300A1 .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B30F59 .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B30F34 .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B300CD .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00B300E8 .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00B30069 .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00B3001B .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00B30F76 .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00B30047 .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!CreateNamedPipeA 7C85FE94 5 
Bytes JMP 00B30036 .text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00B300BC .text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B20FCA .text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B20F94 .text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B2001B .text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B20000 .text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00B20FAF .text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00B20FE5 .text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 00B20051 .text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00B20040 .text C:\WINDOWS\system32\svchost.exe[2496] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B10FC7 .text C:\WINDOWS\system32\svchost.exe[2496] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B1005C .text C:\WINDOWS\system32\svchost.exe[2496] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B1003A .text C:\WINDOWS\system32\svchost.exe[2496] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B10000 .text C:\WINDOWS\system32\svchost.exe[2496] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B1004B .text C:\WINDOWS\system32\svchost.exe[2496] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B1001D .text C:\WINDOWS\system32\svchost.exe[2496] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 00B0000A .text C:\WINDOWS\system32\svchost.exe[2496] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 00B00FEF .text C:\WINDOWS\system32\svchost.exe[2496] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 00B00FD4 .text C:\WINDOWS\system32\svchost.exe[2496] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 00B00027 .text C:\WINDOWS\system32\wuauclt.exe[4460] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AB000A .text 
C:\WINDOWS\system32\wuauclt.exe[4460] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B1000A .text C:\WINDOWS\system32\wuauclt.exe[4460] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00AA000C .text C:\WINDOWS\system32\wuauclt.exe[4460] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0011 .text C:\WINDOWS\system32\wuauclt.exe[4460] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0F86 .text C:\WINDOWS\system32\wuauclt.exe[4460] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C0000 .text C:\WINDOWS\system32\wuauclt.exe[4460] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0FE3 .text C:\WINDOWS\system32\wuauclt.exe[4460] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0FAB .text C:\WINDOWS\system32\wuauclt.exe[4460] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0FD2 .text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0025 .text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0F9E .text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D0FD4 .text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D0FE5 .text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 002D0FAF .text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 002D0000 .text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 002D005B .text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 002D0040 ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) 
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) Device -> \Driver\iaStor \Device\Harddisk0\DR0 8A64DEE4 ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification ---- EOF - GMER 1.0.15 ----
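A small triage script for the GMER listing above, added here as an example; it is not GMER's code and was not part of the original post. It parses the `.text <process>[pid] <module>!<export> <addr> 5 Bytes JMP <target>` lines, groups the patched exports per process, counts JMP targets that land in private memory rather than in a mapped system DLL, and pulls out the `suspicious modification` file findings and the disk `Device ->` line. The address floor of 0x10000000 is an assumption for 32-bit XP (ntdll, kernel32, ADVAPI32, msvcrt, WININET and WS2_32 sit at 0x71xxxxxx to 0x7Fxxxxxx); the sample log is a handful of lines copied from the post. Security products (the McAfee HIPS driver is visible in the Devices section) install the same kind of inline hook, so the output is a triage list, not a verdict.

```python
"""Triage helper for GMER user-mode hook output (added example, not GMER code)."""
import re
import ntpath
from collections import defaultdict

# Line shapes taken from the GMER output in the post.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>\S+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})$"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")
DEVICE_RE = re.compile(r"^Device\s+->\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<addr>[0-9A-Fa-f]{8})$")

# Assumption (32-bit XP): system DLLs are mapped at 0x71xxxxxx-0x7Fxxxxxx, so a
# JMP into 0x00xxxxxx-0x02xxxxxx lands in privately allocated memory, i.e. a
# trampoline that was written into the process rather than code of a loaded image.
IMAGE_FLOOR = 0x10000000


def parse_gmer(text):
    """Return (hooks_by_process, suspicious_files, disk_devices)."""
    hooks = defaultdict(list)
    suspicious_files = []
    devices = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            key = "%s[%s]" % (ntpath.basename(d["proc"]), d["pid"])
            hooks[key].append({
                "module": d["module"],
                "export": d["export"],
                "addr": int(d["addr"], 16),
                "patch_len": int(d["size"]),      # 5 bytes = one E9 rel32 JMP
                "target": int(d["target"], 16),
            })
            continue
        m = FILE_RE.match(line)
        if m:
            suspicious_files.append(m.group("path"))
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append(m.groupdict())
    return dict(hooks), suspicious_files, devices


def summarize(hooks):
    """Per process: number of patched exports, the modules touched, the export
    names, and how many trampolines sit below IMAGE_FLOOR."""
    summary = {}
    for proc, entries in hooks.items():
        summary[proc] = {
            "hooks": len(entries),
            "modules": sorted({e["module"] for e in entries}),
            "exports": sorted(e["export"] for e in entries),
            "private_targets": sum(1 for e in entries if e["target"] < IMAGE_FLOOR),
        }
    return summary


# Constructed sample: lines copied from the GMER log in the post above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00950F1D
.text C:\WINDOWS\system32\svchost.exe[1704] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[2084] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0085000A
.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 026100CC
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
Device -> \Driver\iaStor \Device\Harddisk0\DR0 8A64DEE4
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification
File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    hooks, files, devices = parse_gmer(SAMPLE_LOG)
    for proc, info in sorted(summarize(hooks).items()):
        print(proc, info)
    for path in files:
        print("suspicious modification:", path)
    for dev in devices:
        print("disk device object:", dev)
```

Run it against a full GMER log saved to a file by reading the file into `parse_gmer` instead of `SAMPLE_LOG`; the two `File ... suspicious modification` lines are the part worth acting on first, since a patched disk or IDE driver is what makes a disk device object show up under a driver you did not expect.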
12. I restarted my computer and was able to get ComboFix to run. Here is the log:

ComboFix 10-05-12.04 - Lonnie Hastings 05/13/2010 8:22.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1370 [GMT -7:00]
Running from: c:\documents and settings\Lonnie Hastings\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Lonnie Hastings\g2mdlhlpx.exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\Thumbs.db
.
((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.
2010-05-12 05:15 . 2010-05-12 05:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-11 15:17 . 2010-05-11 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-11 15:13 . 2010-05-11 15:14 -------- d-----w- c:\program files\QuickTime
2010-05-11 15:10 . 2010-05-11 15:10 -------- d-----w- c:\program files\Bonjour
2010-05-02 16:48 . 2010-05-02 16:48 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-05-02 15:43 . 2010-05-07 13:43 -------- d-----w- c:\documents and settings\Lonnie Hastings\Application Data\1F930E4D7330697CD6E6FD6F88246F18
2010-05-02 06:34 . 2010-05-02 15:47 -------- d-----w- c:\documents and settings\Lonnie Hastings\Local Settings\Application Data\qylfpippw
2010-04-22 15:10 . 2010-04-22 15:10 -------- d-----w- c:\windows\hpojp8500a909
2010-04-22 15:09 . 2008-08-12 17:58 118272 ----a-w- c:\windows\system32\hpf3l082.dll
2010-04-22 15:09 . 2008-08-12 17:58 314880 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp082.dll
2010-04-22 15:09 . 2008-08-22 04:24 271704 ----a-r- c:\windows\system32\hpzids01.dll
2010-04-22 15:09 . 2008-10-06 11:11 966656 ----a-r- c:\windows\system32\hpwtiop4.dll
2010-04-22 15:09 . 2007-07-09 10:13 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2010-04-22 15:09 . 2007-07-09 10:13 309760 ----a-r- c:\windows\system32\difxapi.dll
2010-04-22 15:09 . 2007-07-06 10:48 294912 ----a-r- c:\windows\system32\hpovst11.dll
2010-04-22 15:09 . 2008-10-06 11:11 741376 ----a-r- c:\windows\system32\hpwwiax5.dll
2010-04-22 15:08 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2010-04-22 15:08 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2010-04-22 15:06 . 2010-04-22 15:06 -------- d-----w- c:\program files\Hewlett-Packard
2010-04-22 14:43 . 2010-04-22 15:25 131434 ----a-w- c:\windows\hpwins22.dat
2010-04-22 14:43 . 2008-10-25 02:28 1075 ------w- c:\windows\hpwmdl22.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 15:18 . 2007-11-19 01:25 -------- d-----w- c:\program files\iTunes
2010-05-11 15:17 . 2006-09-08 04:59 -------- d-----w- c:\program files\iPod
2010-05-11 15:17 . 2007-11-19 01:23 -------- d-----w- c:\program files\Common Files\Apple
2010-05-11 15:08 . 2010-05-11 15:08 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-09 15:06 . 2006-08-17 09:42 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-05-09 01:27 . 2007-11-18 21:18 -------- d---a-w- c:\documents and settings\Lonnie Hastings\Application Data\Skype
2010-05-09 00:28 . 2007-11-18 21:19 -------- d-----w- c:\documents and settings\Lonnie Hastings\Application Data\skypePM
2010-05-07 19:45 . 2009-03-01 22:14 -------- d--h--w- c:\documents and settings\Lonnie Hastings\Application Data\gtk-2.0
2010-05-02 20:50 . 2009-08-03 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 15:43 . 1980-01-01 07:00 56766 ----a-w- c:\windows\system32\ctfmon.exe
2010-04-29 22:39 . 2009-08-03 13:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-08-03 13:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 15:33 . 2009-10-26 06:27 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-16 15:33 . 2008-12-04 00:52 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-08 00:42 . 2007-11-15 07:58 -------- d-----w- c:\program files\McAfee
2010-03-28 05:32 . 2006-08-17 09:42 -------- d-----w- c:\program files\Picasa2
2010-03-28 05:30 . 2006-08-17 09:42 -------- d-----w- c:\program files\Google
2010-03-22 18:38 . 2010-03-22 18:38 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-03-10 08:02 . 1980-01-01 07:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:05 . 1980-01-01 07:00 668672 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:05 . 1980-01-01 07:00 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 1980-01-01 07:00 454016 ------w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 16:56 . 2009-10-22 21:57 217088 ----a-w- c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
2010-02-16 17:35 . 1980-01-01 07:00 2143744 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 16:57 . 2004-08-04 05:59 2021888 ------w- c:\windows\system32\ntkrnlpa.exe
2006-10-04 18:42 . 2006-10-04 18:42 774144 ------w- c:\program files\RngInterstitial.dll
.
<pre>
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Logitech\Desktop Messenger\8876480\Program\logitechdesktopmessenger .exe
</pre>

------- Sigcheck -------

[-] 2010-05-02 15:43 . 1031269290532736167AC627775E8435 . 56766 . . [------] . . c:\windows\system32\ctfmon.exe
[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
[7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 82432]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-15 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-15 118784]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2005-11-24 106496]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 1996336]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 275800]
"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2010-05-13 492840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\Lonnie Hastings\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\IBM\\TeamConcert\\client\\eclipse\\jdk\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/3/2008 9:36 PM 93320]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 1:11 PM 46142]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 4:45 PM 3968]
R2 StarlightService;Starlight Server;c:\program files\Future Point\Starlight\Bin\SLServerRepository.exe [5/8/2009 9:14 AM 811008]
R2 StarlightXEEService;Starlight XEE Service;c:\program files\Future Point\XEE\Bin\SLXee2ServiceU.exe [5/8/2009 9:19 AM 122880]
R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 2:57 PM 70952]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [1/26/2008 5:58 PM 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [1/26/2008 5:58 PM 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [1/26/2008 5:58 PM 23680]
S3 MSHUSBVideo;NX6000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [11/18/2007 7:53 PM 31512]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 13840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-15 19:22]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-15 19:22]

2010-05-13 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-08-17 08:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\
FF - component: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Notify-ACNotify - ACNotify.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 08:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A86CEE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9ede7b4
\Driver\iaStor -> iaStor.sys @ 0xb9e14b58
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d14ba0
PacketIndicateHandler -> NDIS.sys @ 0xb9d21b21
SendHandler -> NDIS.sys @ 0xb9cff87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\,** ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(4328)
c:\windows\system32\PROCHLP.DLL
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\tbh\base\bin\tbhDaemon.exe
c:\program files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\IBM ThinkVantage\Common\Logger\logmon.exe
c:\windows\system32\tp4mon.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
.
**************************************************************************
.
Completion time: 2010-05-13 08:44:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-13 15:44
ComboFix2.txt 2009-09-22 16:10

Pre-Run: 21,563,224,064 bytes free
Post-Run: 21,548,728,320 bytes free

- - End Of File - - 6836528715548B9E9A5BD29F3F5FAF5F
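Two things in the ComboFix log above are worth checking mechanically: the Sigcheck section lists three copies of ctfmon.exe that do not agree with each other, and the deletion lists contain file names with a space before the extension (`ctfmon .exe`, `googletoolbarnotifier .exe`). The script below is an added example, not ComboFix's code and not from the original post. It parses the `[tag] date . md5 . size . . [version] . . path` Sigcheck lines, and for every copy without a version resource reports whether its size and MD5 match any versioned copy of the same file name; it also lists the spaced-extension names. The sample text is a few lines copied from the post. Comparing the copies against each other is a triage shortcut that I am assuming here; a real check would compare the MD5 against a trusted catalogue of the Windows build in question.

```python
"""Cross-check ComboFix Sigcheck entries and spot spaced-extension file names
(added example, not ComboFix code)."""
import re
import ntpath
from collections import defaultdict

# Shape of a Sigcheck line as printed in the log:
# [-] 2010-05-02 15:43 . <md5> . <size> . . [<version>] . . <path>
SIGCHECK_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)
NO_VERSION = "------"          # ComboFix prints this when the PE has no version resource

# "ctfmon .exe" is not a Windows file name: the space lets a dropped file sit
# next to the genuine ctfmon.exe. Matches "<drive>:\...<non-space> .<ext>".
SPACED_EXT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*\S) \.(?P<ext>[A-Za-z0-9]+)$")


def parse_sigcheck(text):
    """Return the Sigcheck entries as dicts (size as int, MD5 upper-cased)."""
    entries = []
    for raw in text.splitlines():
        m = SIGCHECK_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def find_suspect_copies(entries):
    """Group entries by file name; every copy without a version resource is
    compared against the versioned copies. Returns {path: [reasons]}."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[ntpath.basename(e["path"]).lower()].append(e)
    findings = {}
    for copies in by_name.values():
        versioned = [c for c in copies if c["version"] != NO_VERSION]
        ref_sizes = {c["size"] for c in versioned}
        ref_hashes = {c["md5"] for c in versioned}
        for c in copies:
            if c["version"] != NO_VERSION:
                continue
            reasons = ["no version resource"]
            if ref_sizes and c["size"] not in ref_sizes:
                reasons.append("size %d differs from versioned copies %s"
                               % (c["size"], sorted(ref_sizes)))
            if ref_hashes and c["md5"] not in ref_hashes:
                reasons.append("MD5 matches none of the versioned copies")
            findings[c["path"]] = reasons
    return findings


def spaced_extension_names(text):
    """File paths whose name has a space right before the extension."""
    hits = []
    for raw in text.splitlines():
        m = SPACED_EXT_RE.match(raw.strip())
        if m:
            hits.append(m.group(0))
    return hits


# Constructed sample: lines copied from the ComboFix log in the post above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Lonnie Hastings\g2mdlhlpx.exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\Thumbs.db
.
<pre>
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
</pre>
------- Sigcheck -------
[-] 2010-05-02 15:43 . 1031269290532736167AC627775E8435 . 56766 . . [------] . . c:\windows\system32\ctfmon.exe
[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
[7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\ctfmon.exe
"""

if __name__ == "__main__":
    for path, reasons in find_suspect_copies(parse_sigcheck(SAMPLE_LOG)).items():
        print(path, "->", "; ".join(reasons))
    for name in spaced_extension_names(SAMPLE_LOG):
        print("spaced extension:", name)
```

On the log in the post this flags the live c:\windows\system32\ctfmon.exe on all three counts (no version resource, 56766 bytes against 15360 for both versioned copies, and a hash neither copy shares), which is the same conclusion ComboFix's Sigcheck block invites by listing the ERDNT cache copy next to it.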
13. Sorry, it was actually a BAD_POOL_CALLER error...
14. Hi, thank you for your help! I just downloaded and tried to run ComboFix, but as soon as it said it was starting to scan for infected files, my computer crashed and a blue error screen showed up with a BAD_POOL_ERROR...