
rootkit.tdss will not go away


zguy

Every time I scan my client's PC it says it still has Rootkit.TDSS on it, and that it can remove it on reboot, but it doesn't.

Logs are below. If more info is needed, just ask.

Malwarebytes' Anti-Malware 1.40

Database version: 2729

Windows 5.1.2600 Service Pack 3

9/3/2009 8:01:07 AM

mbam-log-2009-09-03 (08-01-07).txt

Scan type: Quick Scan

Objects scanned: 16546

Time elapsed: 1 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\SKYNETmlqcvatf.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\system32\SKYNETmlqcvatf.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:29:32 AM, on 9/3/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Citrix\GoToAssist Express Customer\185\g2ax_service.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe

C:\Program Files\Citrix\GoToAssist Express Customer\185\g2ax_comm_customer.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Citrix\GoToAssist Express Customer\185\g2ax_system_customer.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Citrix\GoToAssist Express Customer\185\g2ax_user_customer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [AntiSpyware Service] C:\WINDOWS\TEMP\ba7hl5fmi.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games


Hello zguy,

Start here:

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

=

1. Set Windows to show all files and all folders.

On your Desktop, double-click My Computer; from the menu options, select Tools, then Folder Options, then select the View tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files and the temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Go >> here <<

and download RootRepeal and SAVE to your Desktop.

Double-click the RootRepeal.exe icon on your Desktop.

Click on the Report tab at bottom of window and then click on Scan button.

A window will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers

Files

Processes

SSDT

Hidden Services

Stealth Objects

You will then be asked which drive to scan.

Check C: (or the drive your operating system is installed on if not C) and click Ok again.

The scan will start.

It will take a little while so please be patient. When the scan has finished, click on Save Report.

Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

When you have done this, please copy and paste it in this thread.

=

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

  • the contents of RootRepeal.txt
  • the contents of OTL.txt
  • the contents of Extras.txt
  • the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.


I was able to get some relief by KILLing the SKYNet files in the system32 folders with GMER. I still have weird files in my Windows\TEMP folder that are being created throughout the session, e.g. mcafee_DGZyi06DAmEHhv4, a 2 KB file with no extension.

Here are the logs.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/09/04 04:54

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xEEDA4000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7D31000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xEDA54000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: c:\windows\temp\sqlite_svkk5ssmk9srln0

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_wcyngduaelmf5i5

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_xewcwb7vdtphqhm

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_yustktcwvtoeghj

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_yvrmvnylmvf2ynh

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_98lh4vsolkpbirx

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_aokgwga9phd7gbb

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_jitzulivkksuh9u

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_knaps0jntmkfqji

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_dgzyi06damehhv4

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_ht4erp4592fqv1q

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Program Files\Funkitron\Blokus World Tour\Blokus.exe:{FD04D153-80F1-2544-9167-B9E93734E388}

Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Yahoo! Games\Bookworm\Bookworm.exe:{E8EE5CBA-1D72-8810-1E89-0B6E6656641B}

Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Yahoo! Games\Jojo's Fashion Show\JojosFashionShow.exe:{FBAF6648-3B03-0EAE-8125-10963D627681}

Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Yahoo! Games\THE GAME OF LIFE - PTS\THE GAME OF LIFE - Path to Success.exe:{EFD3D921-5DCB-7BDE-886B-1678D957D8A0}

Status: Visible to the Windows API, but not on disk.

Hidden Services

-------------------

Service Name: SKYNETjrkdchym

Image Path: \

==EOF==

GMER 1.0.15.15077 [rpy20f2x.exe] - http://www.gmer.net

Rootkit scan 2009-09-03 12:46:33

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEEE744EA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEEE74498]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEEE744AC]

Code 860119E8 ZwEnumerateKey

Code 86012A88 ZwFlushInstructionCache

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEEE7452A]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEEE74470]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEEE74484]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEEE744FE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEEE744D6]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEEE744C2]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEEE74559]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEEE74540]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEEE74514]

Code 86010D16 IofCallDriver

Code 860108EE IofCompleteRequest

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 86010D1B

.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 860108F3

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EEE74518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP EEE744EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP EEE744C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 860119EC

PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP EEE74474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP EEE74502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP EEE74544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP EEE7452E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 86012A8C

PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP EEE744B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP EEE7455D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP EEE74488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EEE7449C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwSetContextThread 8062DD17 5 Bytes JMP EEE744DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[424] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[424] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FE5

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F6F

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070064

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070047

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070036

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FAF

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F37

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0007007F

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070EF7

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070090

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700AB

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070F9E

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070000

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F5E

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0007001B

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FC0

.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F1C

.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FAF

.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060040

.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FCA

.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FDB

.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F83

.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000

.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060F94

.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]

.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060025

.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FA6

.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FB7

.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FD2

.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000

.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050027

.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FE3

.text C:\WINDOWS\system32\services.exe[716] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90000

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E90F79

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E90F8A

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90064

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90047

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90036

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E90F52

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E9009A

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E900B5

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E90F1C

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E900DA

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E90FAF

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E90011

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E90089

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E90FCA

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E90FDB

.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E90F37

.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E8000A

.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E80F83

.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E80FAF

.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E80FCA

.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E80F94

.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E80FE5

.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E80036

.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E80025

.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E70033

.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E70FA8

.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E70FCD

.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E70FEF

.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E70022

.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E70FDE

.text C:\WINDOWS\system32\lsass.exe[728] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0000

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D70FEF

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D70F4E

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D70F5F

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D70039

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D70F7C

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D70FA1

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D70080

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D7006F

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D700AC

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D70F13

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D700BD

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D7001E

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D70FDE

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D70054

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D70FB2

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D70FCD

.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D70091

.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D60036

.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D60FAF

.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D60011

.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D60000

.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D60FC0

.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D60FE5

.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D60062

.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D60047

.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D50081

.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D5005C

.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D5003A

.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D50000

.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D5004B

.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D5001D

.text C:\WINDOWS\system32\svchost.exe[896] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D4000A

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B60FEF

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B60F5C

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B60F77

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B60F88

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B60FA5

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B6002C

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B6008C

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B60F3A

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B600B8

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B600A7

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B60F0E

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B60047

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B60000

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B60F4B

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B60FC0

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B60011

.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B60F29

.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B50FCA

.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B5006F

.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B50FDB

.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B50011

.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B50FA8

.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B50000

.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B50FB9

.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D5, 88] {AAD 0x88}

.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B50036

.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B4003D

.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B4002C

.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B4001B

.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B40000

.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B40FBC

.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B40FD7

.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B30FEF

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01F80FEF

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01F8009D

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01F80078

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01F80067

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01F80F9E

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01F80FB9

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01F800D3

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01F800B8

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01F80124

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01F800FF

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01F80F70

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01F80040

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01F8000A

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01F80F8D

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01F80025

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01F80FD4

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01F800EE

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] ADVAPI32.DLL!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01F7002C

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] ADVAPI32.DLL!RegCreateKeyExW 77DD776C 5 Bytes JMP 01F7003D

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] ADVAPI32.DLL!RegOpenKeyExA 77DD7852 5 Bytes JMP 01F7001B

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] ADVAPI32.DLL!RegOpenKeyW 77DD7946 5 Bytes JMP 01F70FEF

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] ADVAPI32.DLL!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01F70F80

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] ADVAPI32.DLL!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01F70000

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] ADVAPI32.DLL!RegCreateKeyW 77DFBA55 2 Bytes JMP 01F70F9B

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] ADVAPI32.DLL!RegCreateKeyW + 3 77DFBA58 2 Bytes [17, 8A]

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] ADVAPI32.DLL!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01F70FB6

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] MSVCRT.DLL!_wsystem 77C2931E 5 Bytes JMP 00DB003D

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] MSVCRT.DLL!system 77C293C7 5 Bytes JMP 00DB002C

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] MSVCRT.DLL!_creat 77C2D40F 5 Bytes JMP 00DB0011

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] MSVCRT.DLL!_open 77C2F566 5 Bytes JMP 00DB0000

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] MSVCRT.DLL!_wcreat 77C2FC9B 5 Bytes JMP 00DB0FBC

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] MSVCRT.DLL!_wopen 77C30055 5 Bytes JMP 00DB0FE3

.text C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe[1028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DA0000

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02010FEF

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0201002F

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02010F30

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02010F57

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02010F68

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02010FA8

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02010078

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0201005B

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 020100A4

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02010089

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 020100BF

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02010F83

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02010FCA

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0201004A

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02010FB9

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0201000A

.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02010F15

.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0200002C

.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02000F91

.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02000011

.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02000FE5

.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02000058

.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02000000

.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0200003D

.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02000FB6

.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01FB0066

.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 01FB004B

.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01FB003A

.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01FB000C

.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01FB0FDB

.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01FB001D

.text C:\WINDOWS\System32\svchost.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01C2000A

.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 01B10FEF

.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 01B1000A

.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 01B1002F

.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 01B1004A

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008E0000

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008E007D

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008E0F88

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008E0FA5

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008E0058

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008E0047

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008E0F41

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008E0F52

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008E00B5

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008E009A

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008E0F01

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008E0FB6

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008E0011

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008E0F63

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008E0FDB

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008E002C

.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008E0F26

.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008D0036

.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008D0F94

.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008D0025

.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008D0FEF

.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008D0FAF

.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008D0000

.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008D0051

.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008D0FCA

.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008C0FAB

.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!system 77C293C7 5 Bytes JMP 008C0036

.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008C0000

.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008C0FEF

.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008C001B

.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008C0FC6

.text C:\WINDOWS\system32\svchost.exe[1148] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008B0000

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A40FEF

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A4007D

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A40F88

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A40062

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A40051

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A40025

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A400BC

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A4009F

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A40F48

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A40F59

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A40F2D

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A40040

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A40000

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A4008E

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A40FC3

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A40FD4

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A400D7

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A3001B

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A30F83

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A3000A

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A30FD4

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A30F9E

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A30FEF

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A30FB9

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C3, 88]

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A30040

.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A20F90

.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A20011

.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A20FB5

.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A20FE3

.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A20000

.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A20FC6

.text C:\WINDOWS\system32\svchost.exe[1220] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A10000

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027D000A

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 027D0F8B

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 027D0FA6

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027D0FB7

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 027D0080

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 027D0054

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027D00A5

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 027D0F69

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027D00DB

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027D00C0

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 027D0F1D

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 027D0065

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 027D0FEF

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 027D0F7A

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 027D002F

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 027D0FDE

.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 027D0F38

.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01720FD4

.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01720F7C

.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01720025

.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01720FE5

.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01720F97

.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01720000

.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01720FA8

.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [92, 89]

.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01720FB9

.text C:\WINDOWS\Explorer.EXE[1376] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01710FC6

.text C:\WINDOWS\Explorer.EXE[1376] msvcrt.dll!system 77C293C7 5 Bytes JMP 01710047

.text C:\WINDOWS\Explorer.EXE[1376] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0171001B

.text C:\WINDOWS\Explorer.EXE[1376] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01710FEF

.text C:\WINDOWS\Explorer.EXE[1376] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0171002C

.text C:\WINDOWS\Explorer.EXE[1376] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01710000

.text C:\WINDOWS\Explorer.EXE[1376] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 016F0000

.text C:\WINDOWS\Explorer.EXE[1376] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 016F0011

.text C:\WINDOWS\Explorer.EXE[1376] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 016F002C

.text C:\WINDOWS\Explorer.EXE[1376] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 016F003D

.text C:\WINDOWS\Explorer.EXE[1376] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01700FEF

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0000

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB00C2

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0FC3

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0FD4

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0091

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0062

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0FA8

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB00F0

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0126

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0F8D

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0F68

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0FE5

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB001B

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB00D3

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0051

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0036

.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB010B

.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0095004A

.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009500A2

.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0095002F

.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0095000A

.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00950087

.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00950FEF

.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0095006C

.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0095005B

.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00940FA6

.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!system 77C293C7 5 Bytes JMP 00940FB7

.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0094001D

.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00940FEF

.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00940FC8

.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0094000C

.text C:\WINDOWS\system32\svchost.exe[1712] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 00920FEF

.text C:\WINDOWS\system32\svchost.exe[1712] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 00920000

.text C:\WINDOWS\system32\svchost.exe[1712] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 00920011

.text C:\WINDOWS\system32\svchost.exe[1712] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 00920FB6

.text C:\WINDOWS\system32\svchost.exe[1712] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETpaafarmg.sys (*** hidden *** ) [SYSTEM] SKYNETjrkdchym <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym@imagepath \systemroot\system32\drivers\SKYNETpaafarmg.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym\main

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym\main@aid 10096

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym\main@sid 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym\main@cmddelay 14400

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym\main\delete

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym\main\injector

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym\main\injector@* SKYNETwsp.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym\main\tasks

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpaafarmg.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym\modules@SKYNETcmd.dll \systemroot\system32\SKYNEToladgjwi.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym\modules@SKYNETlog.dat \systemroot\system32\SKYNETisvlhfno.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym\modules@SKYNETwsp.dll \systemroot\system32\SKYNETmlqcvatf.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjrkdchym\modules@SKYNET.dat \systemroot\system32\SKYNETcxpdmmbu.dat

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym@start 1

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym@type 1

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym@group file system

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym@imagepath \systemroot\system32\drivers\SKYNETpaafarmg.sys

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym\main@aid 10096

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym\main@sid 0

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym\main@cmddelay 14400

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym\main\injector@* SKYNETwsp.dll

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpaafarmg.sys

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym\modules@SKYNETcmd.dll \systemroot\system32\SKYNEToladgjwi.dll

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym\modules@SKYNETlog.dat \systemroot\system32\SKYNETisvlhfno.dat

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym\modules@SKYNETwsp.dll \systemroot\system32\SKYNETmlqcvatf.dll

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjrkdchym\modules@SKYNET.dat \systemroot\system32\SKYNETcxpdmmbu.dat

---- EOF - GMER 1.0.15 ----


Here are the others.

OTL logfile created on: 9/4/2009 4:19:25 AM - Run 2

OTL by OldTimer - Version 3.0.10.7 Folder = C:\RonsTools

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

494.80 Mb Total Physical Memory | 157.41 Mb Available Physical Memory | 31.81% Memory free

1.13 Gb Paging File | 0.80 Gb Available in Paging File | 71.00% Paging File free

Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 55.88 Gb Total Space | 40.49 Gb Free Space | 72.45% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: MAJESTIC-B727C4

Current User Name: Rick

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)

PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)

PRC - C:\Program Files\Citrix\GoToAssist Express Customer\185\g2ax_service.exe (Citrix Online, a division of Citrix Systems, Inc.)

PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe ()

PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)

PRC - C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe (Microsoft Corporation)

PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)

PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

PRC - C:\Program Files\Citrix\GoToAssist Express Customer\185\g2ax_comm_customer.exe (Citrix Online, a division of Citrix Systems, Inc.)

PRC - C:\Program Files\Citrix\GoToAssist Express Customer\185\g2ax_system_customer.exe (Citrix Online, a division of Citrix Systems, Inc.)

PRC - C:\Program Files\Citrix\GoToAssist Express Customer\185\g2ax_user_customer.exe (Citrix Online, a division of Citrix Systems, Inc.)

PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)

PRC - C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe ( )

PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

PRC - C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)

PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)

PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

PRC - C:\RonsTools\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)

SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)

SRV - (CFSvcs [Auto | Running]) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)

SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)

SRV - (GoToAssist Express Customer [Auto | Running]) -- C:\Program Files\Citrix\GoToAssist Express Customer\185\g2ax_service.exe (Citrix Online, a division of Citrix Systems, Inc.)

SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

SRV - (McAfee SiteAdvisor Service [Auto | Running]) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe ()

SRV - (mcmscsvc [Auto | Running]) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

SRV - (McNASvc [Auto | Running]) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

SRV - (McODS [On_Demand | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)

SRV - (McProxy [Auto | Running]) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

SRV - (McShield [unknown | Running]) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

SRV - (McSysmon [On_Demand | Running]) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

SRV - (MpfService [Auto | Running]) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)

SRV - (MSSQL$GREATPLAINS [Auto | Running]) -- C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlservr.exe (Microsoft Corporation)

SRV - (MSSQLServerADHelper [On_Demand | Stopped]) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (Microsoft Corporation)

SRV - (NWDLS [Auto | Stopped]) -- File not found

SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

SRV - (SoundMAX Agent Service (default) [Auto | Running]) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)

SRV - (SQLAgent$GREATPLAINS [On_Demand | Stopped]) -- C:\Program Files\Microsoft SQL Server\MSSQL$GREATPLAINS\Binn\sqlagent.EXE (Microsoft Corporation)

SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

SRV - (YahooAUService [Auto | Running]) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

SRV - (MBAMService [Auto | Running]) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)

========== Driver Services (SafeList) ==========

DRV - (aeaudio [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\aeaudio.sys (Andrea Electronics Corporation)

DRV - (AegisP [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\AegisP.sys (Meetinghouse Data Communications)

DRV - (AgereSoftModem [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys (Agere Systems)

DRV - (ApfiltrService [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\Apfiltr.sys (Alps Electric Co., Ltd.)

DRV - (AR5211 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ar5211.sys (Atheros Communications, Inc.)

DRV - (AWINDIS5 [On_Demand | Running]) -- C:\WINDOWS\System32\AWINDIS5.SYS (AMBIT Microsystems Corporation.)

DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys (Intel Corporation)

DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)

DRV - (ialm [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys (Intel Corporation)

DRV - (mbqIw [unknown | Running]) -- Service key not found. File not found

DRV - (mfeavfk [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfebopk [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (mfehidk [system | Running]) -- C:\WINDOWS\System32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mferkdk [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\mferkdk.sys (McAfee, Inc.)

DRV - (mfesmfk [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\mfesmfk.sys (McAfee, Inc.)

DRV - (MPFP [system | Running]) -- C:\WINDOWS\System32\Drivers\Mpfp.sys (McAfee, Inc.)

DRV - (Netdevio [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\netdevio.sys (TOSHIBA Corporation.)

DRV - (NETGEAR_WPN511_SERVICE [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\wpn511.sys (Atheros Communications, Inc.)

DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)

DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

DRV - (smwdm [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\smwdm.sys (Analog Devices, Inc.)

DRV - (TVALZ [boot | Running]) -- C:\WINDOWS\system32\DRIVERS\TVALZ.SYS (TOSHIBA Corporation)

DRV - ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ialmsbw.sys (Intel Corporation)

DRV - ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ialmkchw.sys (Intel Corporation)

DRV - ({E2B953A6-195A-44F9-9BA3-3D5F4E32BB55} [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\wA301a.sys (Intel Corporation)

DRV - (MBAMProtector [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\mbam.sys (Malwarebytes Corporation)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://news.yahoo.com/ [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://news.yahoo.com/ [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1220945662-606747145-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

IE - HKU\S-1-5-21-1220945662-606747145-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://news.yahoo.com/ [binary data]

IE - HKU\S-1-5-21-1220945662-606747145-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKU\S-1-5-21-1220945662-606747145-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1

IE - HKU\S-1-5-21-1220945662-606747145-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

IE - HKU\S-1-5-21-1220945662-606747145-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKU\S-1-5-21-1220945662-606747145-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search

IE - HKU\S-1-5-21-1220945662-606747145-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7

IE - HKU\S-1-5-21-1220945662-606747145-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://mail.yahoo.com/ [binary data]

IE - HKU\S-1-5-21-1220945662-606747145-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\System32\ieframe.dll (Microsoft Corporation)

IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)

IE - HKU\S-1-5-21-1220945662-606747145-839522115-1004\S-1-5-21-1220945662-606747145-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1220945662-606747145-839522115-1004\S-1-5-21-1220945662-606747145-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/09/01 07:20:59 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 03:00:29 | 00,000,000 | ---D | M]

O1 HOSTS File: (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)

O3 - HKU\S-1-5-21-1220945662-606747145-839522115-1004\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)

O3 - HKU\S-1-5-21-1220945662-606747145-839522115-1004\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)

O3 - HKU\S-1-5-21-1220945662-606747145-839522115-1004\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)

O3 - HKU\S-1-5-21-1220945662-606747145-839522115-1004\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe ( )

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [McENUI] C:\Program Files\McAfee\MHN\McENUI.exe (McAfee, Inc.)

O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)

O4 - HKU\.DEFAULT..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe ()

O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)

O4 - HKU\S-1-5-18..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe ()

O4 - HKU\S-1-5-21-1220945662-606747145-839522115-1004..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (Microsoft Corporation)

O4 - HKU\S-1-5-21-1220945662-606747145-839522115-1004..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\S-1-5-21-1220945662-606747145-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\S-1-5-21-1220945662-606747145-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1220945662-606747145-839522115-1004_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\System32\winrnr.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)

O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKU\S-1-5-21-1220945662-606747145-839522115-1004\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab (StagingUI Object)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab (MSN Games


You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not zguy and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Keep going and do as much as possible.

I'm going to have you run a couple of tools. But first, turn off your McAfee AV "real time" monitors.

Use this as a guide if needed, but do NOT turn off the firewall.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\drivers\SKYNETpaafarmg.sys
    c:\windows\sysguard.exe
    c:\windows\system32\sdra64.exe

    Drivers to delete:
    SKYNETjrkdchym

    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler


  • In the Avenger window, click the Paste Script from Clipboard button.
  • ! Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

=

Next, Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of the C:\Avenger.txt

and the C:\Combofix.txt


This thread is closed due to lack of response. The procedures used here were specific to this system and only for this system. Do not apply them to another; doing so will likely damage your system.

If you are a casual observer and having same issues, please follow forum procedures and create your own New topic.

I'm infected - What do I do now?

Procedures to help resolve issues preventing MBAM from running

This topic is now closed to further replies.