
PC won't recognize camera after Rogue.Antivirussoft



Kind of new to this...yesterday, I contracted a Rogue.AntivirusSoft and Trojan Fraudpack virus. Went through the steps utilizing MalwareBytes and SAS in Safe Mode. All seemed well. However, the PC no longer recognizes the FLIP camera. Plugged into another - it's fine. Got a new one and it won't even download the software. Says connected, but nothing. My other mass storage devices work: camera, iPod, USB drives.

Here's the Log. Any help would be appreciated as a 2-hour call to FLIP's support yielded nothing but taking 2 hours out of my life that I'll never get back. Thanks.


Hello,

I will be helping you with removing malware from your computer. Log research takes time, so please be patient and I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Do not install/uninstall anything on your computer unless advised.
  • Do not run any other scanning tools other than those instructed for you to use.
  • Follow the instructions in the order they are given.
  • Stay with this thread until advised when your computer is clean. Absence of symptoms does not necessarily mean a clean computer.
  • If you are being helped regarding this problem on another forum, please advise us so that we can close this thread.
  • If you do not reply within 3 days after my last response, I will be asking you whether you still need assistance and if you still don't reply within 48 hours then the topic will be closed.
  • And lastly, if you have any questions, please ask before proceeding with any of the advised fixes.

_________________________________________________

If you are using Win 7/ Vista, you will need to right click and choose "Run as Administrator" to run the tools we will use.

The infection may have corrupted some of your files. Let's dig deeper.

OTL:

  • Download OTL to your desktop.
  • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • Check the boxes beside LOP Check and Purity Check.
  • Copy and paste the following text into the box under Custom Scan:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    c:\windows\system32\drivers\*.sys /90
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    /md5stop
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of the OTL.txt and post it with your next reply along with the Extras.txt log.

--Next--


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button and wait for it to finish.
  • Once done, click on the [save..] button, and in the File name area, type in "ark.txt".
  • Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.

To post in your next reply:

1. OTL logs.

2. GMER log.


Here you go...I've attached the files you requested. Thanks again.


OTL.Txt

Extras.Txt

ark.txt


Hi,

No need to quote my instructions when you post and please post the contents of the logs. Don't attach. Thanks.

Can you tell me about this file?

C:\Program Files\monkeyshit\mbam.exe

--Next--

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    rasacd.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

To post in your next reply:

1. Regarding my question above.

2. Systemlook log.


Thanks -

Monkeyshit is what I needed to rename Malwarebytes in order to get it to run after a virus I contracted some months ago.

Here's the log:

Searching for "rasacd.sys"

C:\WINDOWS\system32\dllcache\rasacd.sys --a--c 8832 bytes [12:00 04/08/2004] [12:00 04/08/2004] FE0D99D6F31E4FAD8159F690D68DED9C

C:\WINDOWS\system32\drivers\rasacd.sys --a--- 8832 bytes [12:00 04/08/2004] [12:00 04/08/2004] 74DF2F81B8D7EE4157E8BE1509D791CD

-=End Of File=-

Thanks again

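The two hashes in the SystemLook output above are the point of the request: the copy of rasacd.sys in the protected dllcache folder and the live copy in drivers have the same size and timestamps but different MD5s. The following Python is an added example, not code from the thread or from SystemLook, that parses a ':filefind' log in the format shown and flags exactly that pattern; the sample log is constructed, with the rasacd.sys lines taken from the post and a clean atapi.sys pair added with placeholder hashes.

```python
import re
from collections import defaultdict

# One SystemLook ':filefind' result line: path, attribute flags, size, two
# timestamps and an MD5. Written against the two lines quoted in this thread;
# whitespace is matched loosely because the forum collapsed the tool's column
# separators into single spaces.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attrs>[-A-Za-z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed sample log. The rasacd.sys lines are the ones posted above; the
# atapi.sys pair is made up (placeholder hashes) to show a file that passes.
SAMPLE_LOG = r"""
Searching for "rasacd.sys"
C:\WINDOWS\system32\dllcache\rasacd.sys --a--c 8832 bytes [12:00 04/08/2004] [12:00 04/08/2004] FE0D99D6F31E4FAD8159F690D68DED9C
C:\WINDOWS\system32\drivers\rasacd.sys --a--- 8832 bytes [12:00 04/08/2004] [12:00 04/08/2004] 74DF2F81B8D7EE4157E8BE1509D791CD

Searching for "atapi.sys"
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [12:00 04/08/2004] [12:00 04/08/2004] 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [12:00 04/08/2004] [12:00 04/08/2004] 00000000000000000000000000000000

-=End Of File=-
"""


def parse_filefind(log_text):
    """Group every matched result line by file name (case-insensitive)."""
    by_name = defaultdict(list)
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # 'Searching for' headers, blank lines, end-of-file marker
        path = m.group("path")
        name = path.rsplit("\\", 1)[-1].lower()
        by_name[name].append({
            "path": path,
            "size": int(m.group("size")),
            "md5": m.group("md5").upper(),
            # Windows File Protection keeps its reference copies in dllcache.
            "is_cache": "\\dllcache\\" in path.lower(),
        })
    return by_name


def dllcache_mismatches(by_name):
    """Return {name: finding} for live copies whose MD5 differs from the dllcache copy.

    The case worth noticing is the one in this thread: identical size and
    timestamps but a different hash, which is what an in-place patched driver
    looks like. A mismatch is a lead to check against a known-good copy or the
    vendor's hash, not proof by itself: dllcache can be tampered with too.
    """
    findings = {}
    for name, entries in by_name.items():
        cache = [e for e in entries if e["is_cache"]]
        cache_hashes = {e["md5"] for e in cache}
        if not cache_hashes:
            continue  # nothing to compare against
        for e in entries:
            if e["is_cache"] or e["md5"] in cache_hashes:
                continue
            findings[name] = {
                "live_path": e["path"],
                "live_md5": e["md5"],
                "cache_md5": sorted(cache_hashes)[0],
                "same_size": any(c["size"] == e["size"] for c in cache),
            }
    return findings


if __name__ == "__main__":
    for name, f in dllcache_mismatches(parse_filefind(SAMPLE_LOG)).items():
        note = "same size, different content" if f["same_size"] else "size differs"
        print(f"{name}: live {f['live_md5']} vs dllcache {f['cache_md5']} ({note})")
```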

Hi,

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

--Next--

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty in properly disabling your protective programs, refer to this link - How to Disable your Security Programs

--------------------------------------------------------------------

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue scanning for malware.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.


Hello -

Thanks. Had I followed your instructions to disable the Antivirus, this would not have been an issue. Sorry.

Just a few questions before I do that:

You mentioned there might be a few changes (after COMBOFIX) to Internet Explorer - Anything other than IE as default?

Is the fix for AUTORUN (CDs, USBs, etc...) easy to change back after all is well?

Lastly, just curious - have the logs we have run, thus far, revealed something that would have disabled the FLIP camera's ability to work?

Thanks again.


File for COMBO too long - told to reduce. Therefore, I uploaded.

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 19:05 on 08/06/2010 (Jim)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Thanks again,

Cheers!

ComboFix.txt


Hi,

Regarding your questions above, CF will not change your IE settings other than making it the default. We can re-enable your autoruns after we're through, but please keep in mind that in doing so, some infections that rely on it may infect your computer.

In the meantime, I am reviewing your logs. Thanks.


Hi,

It seems that you've run Combofix multiple times in the past.

Note: Running Combofix and other advanced tools without proper supervision can render your machine inoperable!

Please go to VirSCAN

  • Click on Browse.
  • On the File Upload window, copy/paste the text below into the File name box:
    c:\program files\59B770ebQ.exe
  • Click Upload. Allow the file to be scanned. If it says already scanned -- click Reanalyze Now

Repeat the procedure with the following files:

c:\program files\nzd_crysis_spdemo.exe

c:\program files\winzip111.exe

c:\program files\DivXCodec.exe

Please post the results in your next reply


Hi,

Do you still have the Jotti log? If so, please post it.

We have some more work to do.

Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O20 - AppInit_DLLs: (gerabuse.dll) - File not found
    O20 - AppInit_DLLs: (c:\windows\system32\) - C:\WINDOWS\System32\ [2010/06/02 23:47:32 | 000,000,000 | ---D | M]
    O30 - LSA: Security Packages - (ecurity Packages settings...) - File not found
    O30 - LSA: Security Packages - (or) - File not found

    :Services
    Setdtlomw

    :Commands
    [purity]
    [emptytemp]
    [emptyflash]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot when it is done.
  • Then post the result and a new OTL log in your next reply (don't check the boxes beside LOP Check or Purity this time).

--Next--

Run GMER again with the settings provided in post #2.

To post in your next reply:

1. Jotti log if it's still available.

2. OTL logs.

3. GMER log.

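The O20 and O30 lines in the fix above are OTL's listing of two persistence points: AppInit_DLLs, and the LSA Security Packages value. As an added example (not OTL's code or the helper's), the following Python parses lines in that format and reports the entries a defender would want explained: any AppInit_DLLs value at all, and any Security Packages value outside the Windows XP defaults, which are assumed here to be kerberos, msv1_0, schannel and wdigest. The sample input is the four lines from the fix plus two constructed clean entries.

```python
import re

# Assumed Windows XP defaults for
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages. Confirm against
# a known-clean machine of the same version; later Windows releases add more.
XP_DEFAULT_LSA_SECURITY_PACKAGES = {"kerberos", "msv1_0", "schannel", "wdigest"}

# One OTL O20 (AppInit_DLLs) or O30 (LSA) line as quoted in the thread.
# O20 lines read 'O20 - AppInit_DLLs: (value) - target'; O30 lines read
# 'O30 - LSA: Security Packages - (value) - target', so the ' - ' before the
# parenthesised value is optional.
OTL_LINE_RE = re.compile(
    r"^(?P<code>O20|O30) - (?P<location>.+?)\s*-?\s*\((?P<value>.*?)\)\s*-\s*(?P<target>.*)$"
)

# Constructed sample: the four lines from the fix above plus two clean
# Security Packages entries (kerberos, msv1_0) written in the same format.
SAMPLE_OTL = r"""
O20 - AppInit_DLLs: (gerabuse.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\) - C:\WINDOWS\System32\ [2010/06/02 23:47:32 | 000,000,000 | ---D | M]
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (ecurity Packages settings...) - File not found
O30 - LSA: Security Packages - (or) - File not found
"""


def audit_otl_lines(text, allowed_lsa=XP_DEFAULT_LSA_SECURITY_PACKAGES):
    """Return a list of findings, one per suspicious O20/O30 line, in input order."""
    findings = []
    for raw in text.splitlines():
        m = OTL_LINE_RE.match(raw.strip())
        if not m:
            continue  # not an O20/O30 line
        code = m.group("code")
        location = m.group("location").rstrip(":")
        value = m.group("value")
        target = m.group("target")
        missing = target.startswith("File not found")

        if code == "O20":
            # AppInit_DLLs is empty on a clean machine; anything listed there is
            # loaded into every process that maps user32.dll, so every entry is
            # reported and the reason says what kind of entry it is.
            if value.endswith("\\"):
                reason = "AppInit_DLLs value names a directory, not a DLL"
            elif missing:
                reason = "AppInit_DLLs names a DLL that no longer exists"
            else:
                reason = "AppInit_DLLs entry present; confirm the DLL is expected"
        elif code == "O30" and location == "LSA: Security Packages":
            if value.lower() in allowed_lsa:
                continue  # a default package; nothing to report
            reason = "LSA Security Packages value outside the expected defaults"
            if missing:
                reason += " (no file behind it; looks like corrupted or leftover data)"
        else:
            continue  # other O30 entries (e.g. Authentication Packages) not audited here

        findings.append({
            "code": code,
            "location": location,
            "value": value,
            "reason": reason,
            "raw": raw.strip(),  # the original line, as an OTL fix would quote it
        })
    return findings


if __name__ == "__main__":
    for f in audit_otl_lines(SAMPLE_OTL):
        print(f"{f['code']} {f['location']}: value={f['value']!r}: {f['reason']}")
```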

There were no logs (I could see...) that were created from JOTTI. All scans showed: Nothing Found.

Here you go:

All processes killed

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls not found.

Item C:\WINDOWS\System32\ is whitelisted and cannot be moved.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages:ecurity Packages settings... deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages:or deleted successfully.

========== SERVICES/DRIVERS ==========

Service Setdtlomw stopped successfully!

Service Setdtlomw deleted successfully!

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 78991 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 41044 bytes

User: Jim

->Temp folder emptied: 1098689 bytes

->Temporary Internet Files folder emptied: 3832611 bytes

->Java cache emptied: 53762563 bytes

->FireFox cache emptied: 35039748 bytes

->Google Chrome cache emptied: 48801013 bytes

->Flash cache emptied: 2883313 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 131206 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 6906383 bytes

%systemroot%\System32 .tmp files removed: 148728465 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 308882 bytes

RecycleBin emptied: 1905724452 bytes

Total Files Cleaned = 2,105.00 mb

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

->Flash cache emptied: 0 bytes

User: Jim

->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.5.3 log created on 06092010_215354

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-10 19:09:33

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\Jim\LOCALS~1\Temp\pxtdypog.sys


---- Kernel code sections - GMER 1.0.15 ----


.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6089380, 0x550AF5, 0xE8000020]

.rsrc C:\WINDOWS\system32\DRIVERS\rasacd.sys entry point in ".rsrc" section [0xB7DBCC14]

.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB1540300, 0x3B6D8, 0xE8000020]

.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB8468300, 0x1BEE, 0xE8000020]


.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C100B3

.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C100A2

.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C10F50

.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C100DF

.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C10104

.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C10065

.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C10FDE

.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C10091

.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C1002F

.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C1001E

.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C100CE

.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C0001B

.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C00F94

.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C00FD4

.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C00FE5

.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C00FAF

.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C00000

.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C00047

.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C00036

.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF0FA8

.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0FB9

.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF0022

.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0000

.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF0033

.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF0011

.text C:\WINDOWS\system32\svchost.exe[992] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00BD0FEF

.text C:\WINDOWS\system32\svchost.exe[992] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00BD0000

.text C:\WINDOWS\system32\svchost.exe[992] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00BD0011

.text C:\WINDOWS\system32\svchost.exe[992] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00BD002C

.text C:\WINDOWS\system32\svchost.exe[992] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0000

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40FEF

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F40F6B

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40F86

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40F97

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40FB2

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F4004A

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F4009D

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F4008C

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F400DA

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F400C9

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F40F1C

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F40FC3

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F40000

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F4007B

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F40025

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F40FD4

.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F400B8

.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F30011

.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F30062

.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F30000

.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F30FD4

.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F30F9B

.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F30FEF

.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F3003D

.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F3002C

.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F2005A

.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F20049

.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F2001D

.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F20000

.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F2002E

.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F20FEF

.text C:\WINDOWS\system32\svchost.exe[996] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F10FE5

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D90FEF

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D90F52

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D90F77

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D90051

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D90040

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D90F9E

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D90093

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D90F41

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D90F15

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D900AE

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D900D3

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D90025

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D90FD4

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D9006C

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D90FAF

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D9000A

.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D90F30

.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D80FD4

.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D8006C

.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D80025

.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D80FEF

.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D80051

.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D8000A

.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D80040

.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D80FB9

.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D70053

.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D70038

.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D7000C

.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D70FEF

.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D70027

.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D70FD2

.text C:\WINDOWS\system32\svchost.exe[1064] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D60000

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 021D0FEF

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 021D0F8F

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 021D008E

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 021D0073

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 021D0058

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 021D0022

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 021D00C6

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 021D00B5

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 021D0F37

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 021D0F48

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 021D00EB

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 021D0047

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 021D0000

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 021D0F7E

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 021D0011

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 021D0FCA

.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 021D0F59

.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 021C001B

.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 021C005B

.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 021C000A

.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 021C0FD4

.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 021C0F9E

.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 021C0FEF

.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 021C0040

.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 021C0FAF

.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 021B0049

.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!system 77C293C7 5 Bytes JMP 021B0038

.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 021B0027

.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_open 77C2F566 5 Bytes JMP 021B0FEF

.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 021B0FC8

.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 021B000C

.text C:\WINDOWS\System32\svchost.exe[1160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 021A0FEF

.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 0219000A

.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02190FEF

.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02190FD4

.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 02190025

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00940000

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00940F70

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00940065

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00940F97

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00940054

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00940FB2

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009400AC

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00940091

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00940F24

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009400BD

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00940F13

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00940043

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00940FEF

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00940080

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00940FCD

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00940FDE

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00940F3F

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0093001B

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F68

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FCA

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0093000A

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930F79

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930F9E

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930FAF

.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920F9C

.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FAD

.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FD2

.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF

.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920027

.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0092000C

.text C:\WINDOWS\system32\svchost.exe[1256] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01690FE5

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01690F68

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01690067

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01690F83

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01690F94

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0169002C

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01690F35

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01690F46

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01690EFF

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01690F1A

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01690EEE

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01690FA5

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01690FD4

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01690F57

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0169001B

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01690000

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01690098

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B50047

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B5009F

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B5002C

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B5001B

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B5008E

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B50000

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B50073

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B50062

.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B40047

.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B40FBC

.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B40FCD

.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B40FEF

.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B40022

.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B40FDE

.text C:\WINDOWS\system32\svchost.exe[1356] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B3000A

.text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00B20FEF

.text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00B2000A

.text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00B2001B

.text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00B2002C

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1616] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1616] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70FEF

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F70F92

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70087

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70076

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F7005B

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F7002F

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F700BF

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F70F77

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F700DA

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F70F4B

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F700F5

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F70040

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F70FD4

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F700A2

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F7001E

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70FC3

.text C:\WINDOWS\System32\svchost.exe[1648] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F70F5C

.text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F6003D

.text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F60F8A

.text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F6002C

.text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F6001B

.text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F60FA5

.text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F60000

.text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F60FB6

.text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [16, 89]

.text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F60FC7

.text C:\WINDOWS\System32\svchost.exe[1648] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F50036

.text C:\WINDOWS\System32\svchost.exe[1648] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F50FAB

.text C:\WINDOWS\System32\svchost.exe[1648] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F50011

.text C:\WINDOWS\System32\svchost.exe[1648] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F50000

.text C:\WINDOWS\System32\svchost.exe[1648] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F50FBC

.text C:\WINDOWS\System32\svchost.exe[1648] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F50FD7

.text C:\WINDOWS\System32\svchost.exe[1648] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F4000A

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0000

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD0087

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD006C

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD005B

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0F9E

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD0FCA

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD0F5C

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD00A2

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD0F1F

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD0F30

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD00D3

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD0FAF

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD001B

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD0F77

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD0FE5

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD0036

.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD0F41

.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FA0FCD

.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FA004D

.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FA0FDE

.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FA000A

.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FA0F86

.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FA0FEF

.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FA0F97

.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1A, 89]

.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FA0FB2

.text C:\WINDOWS\Explorer.EXE[1836] msvcrt.dll!_wsystem 77C2931E 1 Byte [E9]

.text C:\WINDOWS\Explorer.EXE[1836] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F90022

.text C:\WINDOWS\Explorer.EXE[1836] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F90011

.text C:\WINDOWS\Explorer.EXE[1836] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F90FAB

.text C:\WINDOWS\Explorer.EXE[1836] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F90FE3

.text C:\WINDOWS\Explorer.EXE[1836] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F90000

.text C:\WINDOWS\Explorer.EXE[1836] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F90FD2

.text C:\WINDOWS\Explorer.EXE[1836] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00F70FE5

.text C:\WINDOWS\Explorer.EXE[1836] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00F70FD4

.text C:\WINDOWS\Explorer.EXE[1836] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00F70FB9

.text C:\WINDOWS\Explorer.EXE[1836] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00F70014

.text C:\WINDOWS\Explorer.EXE[1836] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F80FE5

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00FEF

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00F9F

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C00094

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00079

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00068

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00043

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C00F6C

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00F7D

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00F1B

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C00F40

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C00F00

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C00FBC

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C00014

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C00F8E

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C00FCD

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C00FDE

.text C:\WINDOWS\system32\svchost.exe[2592] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C00F51

.text C:\WINDOWS\system32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0036

.text C:\WINDOWS\system32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0FAF

.text C:\WINDOWS\system32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0025

.text C:\WINDOWS\system32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0FEF

.text C:\WINDOWS\system32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF006C

.text C:\WINDOWS\system32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF000A

.text C:\WINDOWS\system32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF0051

.text C:\WINDOWS\system32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FCA

.text C:\WINDOWS\system32\svchost.exe[2592] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0FA6

.text C:\WINDOWS\system32\svchost.exe[2592] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0FB7

.text C:\WINDOWS\system32\svchost.exe[2592] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE000C

.text C:\WINDOWS\system32\svchost.exe[2592] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FEF

.text C:\WINDOWS\system32\svchost.exe[2592] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE001D

.text C:\WINDOWS\system32\svchost.exe[2592] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FD2

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027D0FEF

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 027D0F7A

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 027D0065

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027D0F8B

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 027D0054

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 027D0FCD

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027D0F38

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 027D008A

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027D00C7

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027D00AC

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 027D0F13

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 027D0FBC

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 027D0FDE

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 027D0F69

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 027D0039

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 027D0014

.text C:\WINDOWS\system32\wuauclt.exe[3020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 027D009B

.text C:\WINDOWS\system32\wuauclt.exe[3020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 027B0F99

.text C:\WINDOWS\system32\wuauclt.exe[3020] msvcrt.dll!system 77C293C7 5 Bytes JMP 027B002E

.text C:\WINDOWS\system32\wuauclt.exe[3020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 027B0FD9

.text C:\WINDOWS\system32\wuauclt.exe[3020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 027B0000

.text C:\WINDOWS\system32\wuauclt.exe[3020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 027B0FBE

.text C:\WINDOWS\system32\wuauclt.exe[3020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 027B001D

.text C:\WINDOWS\system32\wuauclt.exe[3020] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 027C0036

.text C:\WINDOWS\system32\wuauclt.exe[3020] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 027C0062

.text C:\WINDOWS\system32\wuauclt.exe[3020] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 027C0025

.text C:\WINDOWS\system32\wuauclt.exe[3020] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 027C0014

.text C:\WINDOWS\system32\wuauclt.exe[3020] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 027C0FAF

.text C:\WINDOWS\system32\wuauclt.exe[3020] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 027C0FEF

.text C:\WINDOWS\system32\wuauclt.exe[3020] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 027C0051

.text C:\WINDOWS\system32\wuauclt.exe[3020] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 027C0FCA

.text C:\WINDOWS\system32\wuauclt.exe[3020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 027A0FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort4 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-19 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort5 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-28 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\rasacd.sys suspicious modification

---- EOF - GMER 1.0.15 ----

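A log like the one above is long enough that the interesting structure gets lost: dozens of `.text ... 5 Bytes JMP` lines spread over several processes, plus a single `File ... suspicious modification` finding. The following triage helper is an added example written for this thread; it is not GMER's own code and not something the helper posted. It parses both line kinds out of a GMER 1.0.15 text log and groups the user-mode hooks per process, listing which exports are patched and which 64 KB regions the patches jump into. The embedded `SAMPLE_LOG` is constructed from a few lines copied from the log above. Note that the summary is a starting point, not a verdict: host intrusion prevention products hook exactly these APIs (the same log lists McAfee's Host Intrusion Detection Link Driver), so hooked exports still have to be attributed to a module before anything is called malicious.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER's code).

Two line shapes are extracted:
  .text <process>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>
  File <path> suspicious modification
Hooks are then grouped per process so a responder sees, at a glance, which
images have patched exports and which memory regions the patches jump into.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<export>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)\s*$"
)
FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification\s*$")

# Constructed sample: a handful of lines copied from the GMER log in this thread.
SAMPLE_LOG = (
    ".text C:\\WINDOWS\\system32\\svchost.exe[2592] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00F1B\n"
    ".text C:\\WINDOWS\\system32\\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0036\n"
    "\n"
    ".text C:\\WINDOWS\\system32\\wuauclt.exe[3020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027D0FEF\n"
    ".text C:\\WINDOWS\\system32\\wuauclt.exe[3020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 027A0FEF\n"
    "\n"
    "---- Files - GMER 1.0.15 ----\n"
    "\n"
    "File C:\\WINDOWS\\system32\\DRIVERS\\rasacd.sys suspicious modification\n"
    "\n"
    "---- EOF - GMER 1.0.15 ----\n"
)


def parse_gmer(text):
    """Return {'hooks': [...], 'suspicious_files': [...]} for a GMER log."""
    hooks, files = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["size"] = int(d["size"])
            d["addr"] = int(d["addr"], 16)      # address of the patched export
            d["target"] = int(d["target"], 16)  # where the 5-byte JMP lands
            hooks.append(d)
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m.group("path"))
    return {"hooks": hooks, "suspicious_files": files}


def summarize_hooks(hooks):
    """Group hooks by 'image[pid]': count, JMP target regions, hooked exports."""
    by_proc = defaultdict(lambda: {"count": 0, "regions": set(), "apis": set()})
    for h in hooks:
        key = f"{h['proc'].split(chr(92))[-1]}[{h['pid']}]"  # chr(92) is a backslash
        entry = by_proc[key]
        entry["count"] += 1
        # Mask to the 64 KB allocation granularity: hooks from one injector
        # usually land in one or two such regions, which is what stands out.
        entry["regions"].add(f"{h['target'] & 0xFFFF0000:08X}")
        entry["apis"].add(f"{h['module']}!{h['export']}")
    return {
        k: {"count": v["count"], "regions": sorted(v["regions"]), "apis": sorted(v["apis"])}
        for k, v in by_proc.items()
    }


def report(text):
    """Render a short human-readable triage summary."""
    parsed = parse_gmer(text)
    out = []
    for proc, info in sorted(summarize_hooks(parsed["hooks"]).items()):
        out.append(f"{proc}: {info['count']} hooked export(s), JMP targets in "
                   f"{', '.join(info['regions'])}")
        out.extend(f"    {api}" for api in info["apis"])
    out.extend(f"suspicious file: {p}" for p in parsed["suspicious_files"])
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a full GMER log (read the file and pass it to `report`) and the per-process grouping makes the next step obvious: find which loaded module owns the target regions, which separates a security product's hooks from an injected payload. The `File ... suspicious modification` line is reported separately because it points at an on-disk driver rather than in-memory patching, which is why the fix below restores that file from `dllcache`.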

Hi,

Do the following steps in Safe Mode with Networking, to do this:

  • Restart your computer.
  • Keep tapping F8 when Windows starts to boot. Do this before you see the Windows screen.
  • When the list of menu options appears, scroll to Safe Mode with Networking using the arrow keys, then press Enter.

--Next--

While in Safe Mode with Networking:

1. Please download The Avenger2 by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
C:\WINDOWS\system32\dllcache\rasacd.sys | C:\WINDOWS\system32\DRIVERS\rasacd.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger.


Will do. However, a question: I've heard of some cases where the pc is unable to reboot after using Avenger. Could you shed some light on that and - if true, provide a workaround. I have a project due Monday and can't afford to have the PC down.

Thanks again for all your help. It is much appreciated.

j


Hi,

Using any advanced tools that we use without proper supervision may render your machine inoperable. This may not be the tool's fault, as it may well be the user's or even the infection/s being removed.

Yes, we have a workaround to get your machine up and running if it comes down to it. :P


A new development - When I woke up this morning, I saw the PC had been rebooted and a Windows update was the cause. There was also a balloon that said: Malicious software was detected and partially removed - Click to run scan. It was the Windows Malicious Software Removal Tool and I clicked it to scan. After an hour, I thought that it could be some malware and asked my son to cancel the scan. Could this be legit? Or did I really goof?


I assumed the Removal Tool was triggered by the update, and heard that it was a legit Microsoft product. However, I also heard that it's been spoofed. Would Windows Update have gone through if there really was an infected file? Could that file have been COMBOFIX (I didn't delete it...)? Sorry about this, just worried. Thanks.

This topic is now closed to further replies.