dukebec2 Posted July 27, 2010 ID:291205 Share Posted July 27, 2010 A brief synopsis of what happened: I clicked on a blog last night and the page redirected to a foreign address, and had my system infected before I could kill the browser. It gave me the "Antivir Pro Solution" business at first, but after rebooting in Safe Mode and researching in some forums, I was able to deactivate that by removing the appropriate registry keys. I had McAfee 7 running the whole time, but it evidently couldn't catch this, and it couldn't find it on a system scan. So I upgraded to McAfee VSE 8.7 and did a scan. It found the "FakeAlert-FakeSpy!env.a" and removed it, and also reported evidence of a rootkit, but couldn't find or remove the rootkit. The system was showing signs of an infection, with periodic slowdowns, and the browser getting hijacked to go to foreign and ad sites. I found your forum, downloaded your software (Malwarebytes Anti-Malware) and ran it. It found and removed a number of items, including TDSS rootkits. I rebooted and ran it again, and it says that it can't find anything. Yet symptoms continue, and McAfee still says it sees evidence of a rootkit in operation.So that's where I am. I followed your instructions, and ran DDS and GMER. Unfortunately I can not get a complete run of GMER--every time it reaches the registry/files phase, it either gives a Blue Screen of Death or dies on a GPF somewhere during the run. So I have instead saved a log from right after it starts the registry scan. I can try further to get a full log if you want, but I thought I'd send you what I have now and see if that is enough to get somewhere. I've attached those logs as instructed, and I've also added two MBAM logs, one from the first run (which removed stuff) and the second from the post-clean run (which can't find anything).Thanks so much, in advance, for your help!Best Regards,BrianDDS log follows:DDS (Ver_10-03-17.01) - NTFSx86 Run by Brian at 1:02:12.37 on Tue 07/27/2010Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.5.0_12Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.409 [GMT -4:00]AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exesvchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exeC:\Program Files\Java\jre1.5.0_12\bin\jusched.exeC:\Program Files\Network Associates\Common Framework\udaterui.exeC:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exeC:\Program Files\QuickTime\QTTask.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exeC:\Program Files\MozyHome\mozystat.exeC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeC:\Palm\HOTSYNC.EXEsvchost.exeC:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeC:\WINDOWS\System32\frxhser.exeC:\WINDOWS\system32\frxhapp.exeC:\WINDOWS\System32\inetsrv\inetinfo.exeC:\Program Files\McAfee\VirusScan Enterprise\engineserver.exeC:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exeC:\Program Files\Network Associates\Common Framework\FrameworkService.exeC:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\system32\mfevtps.exeC:\Program Files\MozyHome\mozybackup.exeC:\WINDOWS\System32\svchost.exe -k imgsvcC:\Program Files\Network Associates\Common Framework\McTray.exeC:\Program Files\Intel\ASF Agent\ASFAgent.exeC:\Program Files\McAfee\VirusScan Enterprise\mcshield.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Java\jre1.5.0_12\bin\jucheck.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Documents and Settings\Brian\Desktop\dds.scr============== Pseudo HJT Report ===============uStart Page = hxxp://www.google.com/uSearch Page = hxxp://www.google.comuDefault_Page_URL = hxxp://www.dell.comuSearch Bar = hxxp://www.google.com/ieuSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/search?q=%smSearchAssistant = hxxp://www.google.com/ieBHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dllBHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_12\bin\ssv.dllBHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dllBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\windows\googletoolbar6.dllBHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dllTB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\windows\googletoolbar6.dllTB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dllEB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dllEB: {32683183-48a0-441b-a342-7c2a440a9478} - No FileuRun: [ctfmon.exe] c:\windows\system32\ctfmon.exemRun: [frxmxins] frxmxinsmRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.5.0_12\bin\jusched.exe"mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKeymRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"mRun: [<NO NAME>] mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXEmRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exemRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottimemRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONEmRunOnce: [FGLRXDetectPnPMonitor] rundll32 fglrxmon.dll,MonitorDetectStartupFolder: c:\docume~1\brian\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exeStartupFolder: c:\docume~1\brian\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXEStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXEStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exeIE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htmIE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htmIE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_12\bin\ssv.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLLDPF: Aurigma Image Uploader 2.0 - hxxp://www.photogize.com/PhotogizeImageUploader.cabDPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cabDPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cabDPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cabDPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cabDPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204DPF: {2C970395-272E-40F6-AFD8-108A9C729FCF} - hxxp://www1.adoramapix.com/Components/adoramapix.cabDPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cabDPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cabDPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://207.188.7.150/0251e5984f046df29d04/netzip/RdxIE601.cabDPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cabDPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://upload.smugmug.com/photos/activex/ImageUploader4-082807.cabDPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cabDPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - hxxp://toolbar.google.com/data/GoogleActivate.cabDPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - file://c:\inetpub\wwwroot\tsweb\msrdp.cabDPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://www.adoramapix.com/components/ImageUploader3.cabDPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cabDPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} - hxxp://www.berkeley.edu/webcams/camera.cabDPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cabDPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cabDPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabDPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://upload.smugmug.com/photos/activex/XUpload.ocxDPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} - hxxp://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cabTCP: {8B5DDA94-2C4F-4B05-A40C-2D0F1EEC12AD} = 24.25.4.106,24.25.4.107============= SERVICES / DRIVERS ===============R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-7-26 343920]R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2002-8-7 221184]R2 FGLRXUtil;FGLRXUTIL;c:\windows\system32\frxhser.exe [1980-1-1 53248]R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2010-1-6 22816]R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2009-8-25 103744]R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2010-1-6 147472]R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2010-1-6 66896]R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-7-26 70728]R2 NetAlrt;NetAlrt;c:\windows\system32\drivers\Netalrt.sys [2002-5-7 39680]R2 PlatAlrt;PlatAlrt;c:\windows\system32\drivers\platalrt.sys [2002-5-7 23744]R3 atifglrx;atifglrx;c:\windows\system32\drivers\fglrxm.sys [1980-1-1 417059]R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-26 91832]R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-26 43288]S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-26 66600]S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-9-29 83008]S4 MSSQL$VSdotNET;MSSQL$VSdotNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -svsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -sVSdotNET [?]S4 SQLAgent$VSdotNET;SQLAgent$VSdotNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.exe -i vsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.EXE -i VSdotNET [?]=============== Created Last 30 ================2010-07-27 03:21:27 0 d-----w- c:\docume~1\brian\applic~1\Malwarebytes2010-07-27 03:21:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-07-27 03:21:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-07-27 03:21:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes2010-07-27 03:21:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware2010-07-27 00:45:07 66600 ----a-w- c:\windows\system32\drivers\mferkdet.sys2010-07-27 00:45:06 43288 ----a-w- c:\windows\system32\drivers\mfebopk.sys2010-07-27 00:45:05 75704 ----a-w- c:\windows\system32\drivers\mfeapfk.sys2010-07-27 00:45:03 91832 ----a-w- c:\windows\system32\drivers\mfeavfk.sys2010-07-27 00:45:03 64208 ----a-w- c:\windows\system32\drivers\mfetdik.sys2010-07-27 00:45:01 343920 ----a-w- c:\windows\system32\drivers\mfehidk.sys2010-07-27 00:45:00 70728 ----a-w- c:\windows\system32\mfevtps.exe2010-07-27 00:19:36 0 d-----w- c:\program files\McAfee2010-07-27 00:19:36 0 d-----w- c:\program files\common files\McAfee2010-07-27 00:17:44 0 d-----w- c:\program files\common files\Cisco Systems2010-07-26 23:51:21 0 d-----w- C:\McAfee_ase2010-07-26 23:22:59 97168 ---ha-w- c:\windows\system32\mlfcache.dat2010-07-26 23:07:05 2775 ----a-w- c:\windows\ikoxusoyaqo.dll2010-07-09 01:51:30 0 d-----w- c:\program files\iPod2010-07-09 01:50:55 0 d-----w- c:\program files\iTunes2010-07-09 01:50:55 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}==================== Find3M ====================2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll2010-05-18 20:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe2010-05-14 07:15:19 11780792 ----a-w- c:\documents and settings\all users\Tempmozy-update-aae5499c7263a63d49c6c545d4b0cc48.exe2010-05-04 07:11:35 11803032 ----a-w- c:\documents and settings\all users\Tempmozy-update-dbf6d1a7e6e436b2d25c56196375b22f.exe2003-07-02 04:20:26 722 ----a-w- c:\program files\INSTALL.LOG============= FINISH: 1:04:28.98 ===============attach.zipmbam_log_2010_07_26__23_59_02_.txtmbam_log_2010_07_27__00_50_24_.txt Link to post Share on other sites More sharing options...
RPMcMurphy Posted July 27, 2010 ID:291218 Share Posted July 27, 2010 Hello dukebec2 and welcome to Malwarebytes. Please follow these guidelines while we work on your PC:[*]Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I Link to post Share on other sites More sharing options...
dukebec2 Posted July 28, 2010 Author ID:291568 Share Posted July 28, 2010 Very sorry not to reply sooner! The forum says that I am set to receive email notifications of replies, but I didn't get one, and I just assumed that no one had gotten to it yet. I didn't check back until a few hours ago. I'll know to check much more regularly from here on, emails or not.I downloaded Rootkit Unhooker earlier this evening and followed your instructions. Unfortunately, I have not been able to get a file scan to work--it seems to hang each time at the point of getting the list of files and directories on C:\. It doesn't blue screen or segfault, it just hangs. At first there is disk and processor activity, but after 10-15 minutes that all stops. Also, at that point the Cancel button stops working, and Windows indicates that the program is Not Responding. Not sure what that is all about.So I ran it with "files" unchecked, and here is what I've got. I'll try again one more time to run the file scan, but I'll keep monitoring the forum to see if you reply.Incidentally, I did get the message about RkU detecting a parasite inside itself. I clicked through, and it said that it had removed it. If it is helpful, it was an "unknown remote thread" at address 0x77DE4CE3, in advapi32.dll. The entry point is the same after restarting the program and also after rebooting the computer and restarting the program.RkU log:RkU Version: 3.8.388.590, Type LE (SR2)==============================================OS Name: Windows XPVersion 5.1.2600 (Service Pack 2)Number of processors #2==============================================>Drivers==============================================0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2252800 bytes (Microsoft Corporation, NT Kernel & System)0x804D7000 PnpManager 2252800 bytes0x804D7000 RAW 2252800 bytes0x804D7000 WMIxWDM 2252800 bytes0xBF800000 Win32k 1851392 bytes0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)0xBFA11000 C:\WINDOWS\System32\fglrx3d2.dll 880640 bytes (ATI Technologies Inc. , ati3d2ag.dll)0xF683B000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 839680 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)0xF73DC000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)0xF692C000 C:\WINDOWS\system32\drivers\smwdm.sys 540672 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )0xB8243000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)0xF6A56000 C:\WINDOWS\System32\DRIVERS\fglrxm.sys 417792 bytes (ATI Technologies Inc., ATI FGL Miniport Driver)0xF6789000 C:\WINDOWS\System32\DRIVERS\update.sys 364544 bytes (Microsoft Corporation, Update Driver)0xB9798000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)0xB3FBB000 C:\WINDOWS\System32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)0xF7342000 mfehidk.sys 335872 bytes (McAfee, Inc., McAfee Link Driver)0xF673A000 C:\WINDOWS\system32\drivers\btaudio.sys 323584 bytes (Broadcom Corporation., Bluetooth Audio Device)0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)0xB3588000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)0xB985A000 C:\WINDOWS\System32\Drivers\cdudf_xp.SYS 241664 bytes (Roxio, CD-UDF NT Filesystem Driver)0xBF9D6000 C:\WINDOWS\System32\fglrx.dll 241664 bytes (ATI Technologies Inc., ATI FGL Windows XP Display Driver)0xEC539000 C:\WINDOWS\System32\DRIVERS\Dot4.sys 208896 bytes (Microsoft Corporation, One Cool Transport)0xB9815000 C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS 208896 bytes (Roxio, CD-UDF NT Filesystem Reader Driver)0xF67E2000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)0xF7520000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)0xF73AF000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)0xB426A000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 180224 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)0xB3426000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)0xB8337000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)0xB8BCA000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)0xF74CA000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)0xF6908000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))0xF69CF000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)0xB364E000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))0xF6A06000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)0xB8947000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)0xB8EDF000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)0x806FD000 ACPI_HAL 134400 bytes0x806FD000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)0xF7492000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)0xF74F0000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)0xF69B0000 C:\WINDOWS\System32\Drivers\pwd_2k.SYS 126976 bytes (Roxio, Win2000 Framework for Packet Write Driver)0xF7394000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)0xF6A29000 C:\WINDOWS\System32\DRIVERS\e1000325.sys 102400 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 5.1 deserialized driver)0xF74B2000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)0xF7469000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)0xF6824000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))0xB378D000 C:\WINDOWS\system32\drivers\mfeavfk.sys 86016 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)0xB4454000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)0xF69F2000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)0xF6A42000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)0xB97F0000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)0xEC526000 C:\WINDOWS\system32\DRIVERS\mozy.sys 77824 bytes (Mozy, Inc., Mozy Change Monitor Filter Driver)0xBF9C4000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)0xF7480000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)0xF750F000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)0xF6813000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)0xB4D88000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)0xF75DF000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)0xF75EF000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 61440 bytes (Roxio, CDR4_XP CDR Helper)0xF6B1C000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)0xF6B3C000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)0xB4CF8000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)0xF76AF000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)0xB9CD1000 C:\WINDOWS\system32\drivers\mfetdik.sys 57344 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)0xF6B4C000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)0xF75AF000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)0xF77DF000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)0xF6B0C000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)0xF758F000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)0xF6AEC000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)0xF75BF000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)0xF6B2C000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)0xF757F000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)0xF6AFC000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)0xF6ABC000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)0xB45AB000 C:\WINDOWS\System32\DRIVERS\secdrv.sys 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)0xF6ACC000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)0xF759F000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)0xF76BF000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)0xEF83F000 C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)0xF77CF000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)0xF756F000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)0xB459B000 C:\WINDOWS\system32\drivers\mfebopk.sys 36864 bytes (McAfee, Inc., Buffer Overflow Protection Driver)0xF6ADC000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)0xB9A15000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)0xB99F5000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)0xF771F000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)0xB9D98000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)0xF784F000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)0xEE85C000 C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)0xF791F000 C:\WINDOWS\System32\drivers\NetAlrt.sys 28672 bytes (Intel Corporation, Netalrt Driver)0xF77EF000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)0xF7847000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)0xB9D88000 C:\WINDOWS\system32\drivers\btserial.sys 24576 bytes (Broadcom Corporation., Bluetooth Serial Driver for Windows 2000)0xF7867000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 24576 bytes (Roxio, CDRAL for Windows 2000 Kernel Driver)0xEE854000 C:\WINDOWS\System32\DRIVERS\dot4usb.sys 24576 bytes (Microsoft Corporation, DOT4USB filter driver)0xF786F000 C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)0xF7857000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)0xF7897000 C:\WINDOWS\System32\Drivers\mmc_2K.SYS 24576 bytes (Roxio, CD-R/RW AddOn MMC Driver (W2K))0xF785F000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)0xF78C7000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)0xB9DA8000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)0xEE864000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)0xB9DA0000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)0xF788F000 C:\WINDOWS\System32\DRIVERS\omci.sys 20480 bytes (Dell Computer Corporation, OMCI Device Driver)0xF77F7000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)0xF787F000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)0xF7887000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)0xF7877000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)0xF783F000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 20480 bytes (Microsoft Corporation, UHCI USB Miniport Driver)0xB5337000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)0xF7987000 C:\WINDOWS\System32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)0xEC424000 C:\WINDOWS\System32\DRIVERS\Dot4Prt.sys 16384 bytes (Microsoft Corporation, Dot4 Printer Driver)0xF6C9E000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)0xB5864000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)0xB3DC3000 C:\WINDOWS\System32\drivers\PlatAlrt.sys 16384 bytes (Intel Corporation, Platalrt Driver)0xF72F9000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)0xF797F000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)0xF7983000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)0xB4491000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)0xEFB2E000 C:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)0xF72E9000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)0xBAE03000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)0xF7ACD000 C:\WINDOWS\system32\drivers\aeaudio.sys 8192 bytes (Andrea Electronics Corporation, Andrea Audio Stub Driver)0xF7AA5000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)0xF7A73000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)0xF7AA3000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)0xF7B2F000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 8192 bytes (Microsoft Corporation, I2O Utility Filter)0xF7A6F000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)0xF7AA9000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)0xB5A21000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)0xF7AAB000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)0xF7ACF000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)0xF7ADB000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)0xF7A71000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)0xF7BC4000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)0xF7BF5000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)0xB9FC8000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)0xF7B37000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)!!!!!!!!!!!Hidden driver: 0x86EFDAEA ?_empty_? 1302 bytes!!!!!!!!!!!Hidden driver: 0x86EB49A0 ?_empty_? 0 bytes==============================================>Stealth==============================================0xF74B2000 WARNING: suspicious driver modification [atapi.sys::0x86EFDAEA]0xF7A73000 WARNING: Virus alike driver modification [dmload.sys], 8192 bytes==============================================>Hooks==============================================ntoskrnl.exe+0x00005B22, Type: Inline - RelativeJump 0x804DCB22-->804DCB29 [ntoskrnl.exe]ntoskrnl.exe-->NtCreateFile, Type: Inline - RelativeJump 0x8057D3BC-->F7363666 [mfehidk.sys]ntoskrnl.exe-->NtCreateProcess, Type: Inline - RelativeJump 0x805C0C00-->F7363614 [mfehidk.sys]ntoskrnl.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x8058AB14-->F7363628 [mfehidk.sys]ntoskrnl.exe-->NtMapViewOfSection, Type: Inline - RelativeJump 0x8057E713-->F73636A6 [mfehidk.sys]ntoskrnl.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x80579084-->F73635D8 [mfehidk.sys]ntoskrnl.exe-->NtOpenThread, Type: Inline - RelativeJump 0x805B1337-->F73635EC [mfehidk.sys]ntoskrnl.exe-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x80579399-->F736367A [mfehidk.sys]ntoskrnl.exe-->NtSetContextThread, Type: Inline - RelativeJump 0x80633DA3-->F7363652 [mfehidk.sys]ntoskrnl.exe-->NtSetInformationProcess, Type: Inline - RelativeJump 0x80581B25-->F736363E [mfehidk.sys]ntoskrnl.exe-->NtTerminateProcess, Type: Inline - RelativeJump 0x8058C39D-->F73636D5 [mfehidk.sys]ntoskrnl.exe-->NtUnmapViewOfSection, Type: Inline - RelativeJump 0x8057E29B-->F73636BC [mfehidk.sys]ntoskrnl.exe-->NtYieldExecution, Type: Inline - RelativeJump 0x80509034-->F7363690 [mfehidk.sys][1012]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00000000 [unknown_code_page][1012]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00000000 [unknown_code_page][1012]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00000000 [unknown_code_page][1012]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00000000 [unknown_code_page][1012]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00000000 [unknown_code_page][1012]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00000000 [unknown_code_page][1012]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00000000 [unknown_code_page][1012]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00000000 [unknown_code_page][1012]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00000000 [unknown_code_page][1012]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [unknown_code_page][1012]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [unknown_code_page][1012]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998439-->00000000 [unknown_code_page][1012]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->00000000 [unknown_code_page][1012]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00000000 [unknown_code_page][1084]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00000000 [unknown_code_page][1084]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00000000 [unknown_code_page][1084]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00000000 [unknown_code_page][1084]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00000000 [unknown_code_page][1084]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00000000 [unknown_code_page][1084]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00000000 [unknown_code_page][1084]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00000000 [unknown_code_page][1084]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00000000 [unknown_code_page][1084]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00000000 [unknown_code_page][1084]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [unknown_code_page][1084]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [unknown_code_page][1084]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998439-->00000000 [unknown_code_page][1084]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->00000000 [unknown_code_page][1084]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00000000 [unknown_code_page][1176]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00000000 [unknown_code_page][1176]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00000000 [unknown_code_page][1176]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00000000 [unknown_code_page][1176]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00000000 [unknown_code_page][1176]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00000000 [unknown_code_page][1176]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00000000 [unknown_code_page][1176]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00000000 [unknown_code_page][1176]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00000000 [unknown_code_page][1176]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00000000 [unknown_code_page][1176]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page][1176]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page][1176]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page][1176]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page][1176]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page][1176]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page][1176]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [unknown_code_page][1176]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [unknown_code_page][1176]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998439-->00000000 [unknown_code_page][1176]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->00000000 [unknown_code_page][1176]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00000000 [unknown_code_page][1252]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00000000 [unknown_code_page][1252]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00000000 [unknown_code_page][1252]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00000000 [unknown_code_page][1252]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00000000 [unknown_code_page][1252]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00000000 [unknown_code_page][1252]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00000000 [unknown_code_page][1252]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00000000 [unknown_code_page][1252]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00000000 [unknown_code_page][1252]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00000000 [unknown_code_page][1252]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [unknown_code_page][1252]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [unknown_code_page][1252]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998439-->00000000 [unknown_code_page][1252]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->00000000 [unknown_code_page][1252]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00000000 [unknown_code_page][1356]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00000000 [unknown_code_page][1356]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00000000 [unknown_code_page][1356]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00000000 [unknown_code_page][1356]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00000000 [unknown_code_page][1356]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00000000 [unknown_code_page][1356]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00000000 [unknown_code_page][1356]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00000000 [unknown_code_page][1356]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00000000 [unknown_code_page][1356]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00000000 [unknown_code_page][1356]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [unknown_code_page][1356]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [unknown_code_page][1356]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998439-->00000000 [unknown_code_page][1356]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->00000000 [unknown_code_page][1356]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00000000 [unknown_code_page][1696]inetinfo.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00000000 [unknown_code_page][1696]inetinfo.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00000000 [unknown_code_page][1696]inetinfo.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00000000 [unknown_code_page][1696]inetinfo.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00000000 [unknown_code_page][1696]inetinfo.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00000000 [unknown_code_page][1696]inetinfo.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00000000 [unknown_code_page][1696]inetinfo.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00000000 [unknown_code_page][1696]inetinfo.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00000000 [unknown_code_page][1696]inetinfo.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00000000 [unknown_code_page][1696]inetinfo.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [unknown_code_page][1696]inetinfo.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [unknown_code_page][1696]inetinfo.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998439-->00000000 [unknown_code_page][1696]inetinfo.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->00000000 [unknown_code_page][1696]inetinfo.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00000000 [unknown_code_page][1848]explorer.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00000000 [unknown_code_page][1848]explorer.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00000000 [unknown_code_page][1848]explorer.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00000000 [unknown_code_page][1848]explorer.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00000000 [unknown_code_page][1848]explorer.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00000000 [unknown_code_page][1848]explorer.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00000000 [unknown_code_page][1848]explorer.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00000000 [unknown_code_page][1848]explorer.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00000000 [unknown_code_page][1848]explorer.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00000000 [unknown_code_page][1848]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page][1848]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page][1848]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page][1848]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page][1848]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page][1848]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page][1848]explorer.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [unknown_code_page][1848]explorer.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [unknown_code_page][1848]explorer.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998439-->00000000 [unknown_code_page][1848]explorer.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->00000000 [unknown_code_page][1848]explorer.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00000000 [unknown_code_page][2124]wuauclt.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00000000 [unknown_code_page][2124]wuauclt.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00000000 [unknown_code_page][2124]wuauclt.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00000000 [unknown_code_page][2124]wuauclt.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00000000 [unknown_code_page][2124]wuauclt.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00000000 [unknown_code_page][2124]wuauclt.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00000000 [unknown_code_page][2124]wuauclt.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00000000 [unknown_code_page][2124]wuauclt.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00000000 [unknown_code_page][2124]wuauclt.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page][2124]wuauclt.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page][2124]wuauclt.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page][2124]wuauclt.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page][2124]wuauclt.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page][2124]wuauclt.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page][2228]FrameworkService.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00000000 [unknown_code_page][2228]FrameworkService.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00000000 [unknown_code_page][2228]FrameworkService.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00000000 [unknown_code_page][2228]FrameworkService.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00000000 [unknown_code_page][2228]FrameworkService.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00000000 [unknown_code_page][2228]FrameworkService.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00000000 [unknown_code_page][2228]FrameworkService.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00000000 [unknown_code_page][2228]FrameworkService.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00000000 [unknown_code_page][2228]FrameworkService.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00000000 [unknown_code_page][2228]FrameworkService.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [unknown_code_page][2228]FrameworkService.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [unknown_code_page][2228]FrameworkService.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998439-->00000000 [unknown_code_page][2228]FrameworkService.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->00000000 [unknown_code_page][2228]FrameworkService.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998439-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->00000000 [unknown_code_page][2400]naPrdMgr.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00000000 [unknown_code_page][2636]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00000000 [unknown_code_page][2636]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00000000 [unknown_code_page][2636]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00000000 [unknown_code_page][2636]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00000000 [unknown_code_page][2636]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00000000 [unknown_code_page][2636]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00000000 [unknown_code_page][2636]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00000000 [unknown_code_page][2636]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00000000 [unknown_code_page][2636]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00000000 [unknown_code_page][2636]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [unknown_code_page][2636]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [unknown_code_page][2636]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998439-->00000000 [unknown_code_page][2636]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->00000000 [unknown_code_page][328]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00000000 [unknown_code_page][328]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00000000 [unknown_code_page][328]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00000000 [unknown_code_page][328]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00000000 [unknown_code_page][328]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00000000 [unknown_code_page][328]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00000000 [unknown_code_page][328]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00000000 [unknown_code_page][328]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00000000 [unknown_code_page][328]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00000000 [unknown_code_page][328]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [unknown_code_page][328]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [unknown_code_page][328]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998439-->00000000 [unknown_code_page][328]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->00000000 [unknown_code_page][328]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00000000 [unknown_code_page][828]services.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00000000 [unknown_code_page][828]services.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00000000 [unknown_code_page][828]services.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00000000 [unknown_code_page][828]services.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00000000 [unknown_code_page][828]services.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00000000 [unknown_code_page][828]services.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00000000 [unknown_code_page][828]services.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00000000 [unknown_code_page][828]services.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00000000 [unknown_code_page][828]services.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00000000 [unknown_code_page][828]services.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [unknown_code_page][828]services.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [unknown_code_page][828]services.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998439-->00000000 [unknown_code_page][828]services.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->00000000 [unknown_code_page][828]services.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00000000 [unknown_code_page][840]lsass.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00000000 [unknown_code_page][840]lsass.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00000000 [unknown_code_page][840]lsass.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00000000 [unknown_code_page][840]lsass.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00000000 [unknown_code_page][840]lsass.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00000000 [unknown_code_page][840]lsass.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00000000 [unknown_code_page][840]lsass.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00000000 [unknown_code_page][840]lsass.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00000000 [unknown_code_page][840]lsass.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00000000 [unknown_code_page][840]lsass.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [unknown_code_page][840]lsass.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [unknown_code_page][840]lsass.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998439-->00000000 [unknown_code_page][840]lsass.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->00000000 [unknown_code_page][840]lsass.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00000000 [unknown_code_page]!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =) Link to post Share on other sites More sharing options...
dukebec2 Posted July 28, 2010 Author ID:291574 Share Posted July 28, 2010 Correction: There doesn't seem to be any processor activity from RkU after starting the file scan (as measured by taskmgr). I'll leave it open overnight, but I don't expect it do anything, based on what I'm seeing so far. Link to post Share on other sites More sharing options...
RPMcMurphy Posted July 28, 2010 ID:291725 Share Posted July 28, 2010 Hi, What you posted is sufficient. I'll have some instructions for you a little later. Link to post Share on other sites More sharing options...
dukebec2 Posted July 28, 2010 Author ID:291746 Share Posted July 28, 2010 Well, I left it overnight, and it did do something. Here's the log:RkU Version: 3.8.388.590, Type LE (SR2)==============================================OS Name: Windows XPVersion 5.1.2600 (Service Pack 2)Number of processors #2==============================================>Files==============================================!-->[Hidden] C:\cygwin\etc\bash.bashrc::$DATA!-->[Hidden] C:\cygwin\etc\DIR_COLORS::$DATA!-->[Hidden] C:\cygwin\etc\profile::$DATA!-->[Hidden] C:\cygwin\etc\skel\.bash_profile::$DATA!-->[Hidden] C:\cygwin\home\brian\.history::$DATA!-->[Hidden] C:\cygwin\home\brian\.ssh\known_hosts!-->[Hidden] C:\Inbound\becmisc.h::$DATA!-->[Hidden] C:\Inbound\Commentary on Absolute Pitch Article.pdf::$DATA!-->[Hidden] C:\Inbound\crs_comparison.eps::$DATA!-->[Hidden] C:\Inbound\Dichotomy and Perceptual Distortions in Absolute Pitch.pdf::$DATA!-->[Hidden] C:\Inbound\dissertation.doc::$DATA!-->[Hidden] C:\Inbound\dissertation.doc::$DATA!-->[Hidden] C:\Inbound\dissertation.doc::$DATA!-->[Hidden] C:\Inbound\dissertation.doc::$DATA!-->[Hidden] C:\Inbound\Jaravine et al.pdf::$DATA!-->[Hidden] C:\Inbound\Long Abstract.doc::$DATA!-->[Hidden] C:\Inbound\nmrdata.cpp::$DATA!-->[Hidden] C:\Inbound\pr.cpp::$DATA!-->[Hidden] C:\Inbound\pr.h::$DATA!-->[Hidden] C:\Inbound\prsp.cpp::$DATA!-->[Hidden] C:\Inbound\PR_NMR_SEQUENCE_PACKAGE.tar::$DATA!-->[Hidden] C:\Inbound\qcss_0.25_xyzrnd_pattern.txt::$DATA!-->[Hidden] C:\Inbound\qcss_0.2_xyzrnd_pattern.txt::$DATA!-->[Hidden] C:\Inbound\qcss_0.45_xyzrnd_pattern.txt::$DATA!-->[Hidden] C:\Inbound\qcss_0.75_pattern.txt::$DATA!-->[Hidden] C:\Inbound\radial_sampling_sim.tif::$DATA!-->[Hidden] C:\Inbound\rad_54_control.txt::$DATA!-->[Hidden] C:\Inbound\Review of Jaravine et al.doc::$DATA!-->[Hidden] C:\Inbound\Short Abstract.doc::$DATA!-->[Hidden] C:\Inbound\split_rad_into_projs.cpp::$DATA!-->[Hidden] C:\Inbound\src\becdft.h::$DATA!-->[Hidden] C:\Inbound\src\becmisc.h::$DATA!-->[Hidden] C:\Inbound\src\becplot.cpp::$DATA!-->[Hidden] C:\Inbound\src\becplot.h::$DATA!-->[Hidden] C:\Inbound\src\dft4dopt.cpp::$DATA!-->[Hidden] C:\Inbound\src\dft4dopt.sln::$DATA!-->[Hidden] C:\Inbound\src\dft4dopt.suo::$DATA!-->[Hidden] C:\Inbound\src\dft4dopt.vcproj::$DATA!-->[Hidden] C:\Inbound\src\fdatap.h::$DATA!-->[Hidden] C:\Inbound\src\make_4d_example.cpp::$DATA!-->[Hidden] C:\Inbound\src\nmrdata.cpp::$DATA!-->[Hidden] C:\Inbound\src\nmrdata.h::$DATA!-->[Hidden] C:\Inbound\src\nmrplot.cpp::$DATA!-->[Hidden] C:\Inbound\src\nmrplot.h::$DATA!-->[Hidden] C:\Inbound\src\nmr_dft4d.h::$DATA!-->[Hidden] C:\Inbound\src\nmr_dft4d_gui.cpp::$DATA!-->[Hidden] C:\Inbound\src\nmr_dft4d_gui.h::$DATA!-->[Hidden] C:\Inbound\src\nmr_dft4d_impl.h::$DATA!-->[Hidden] C:\Inbound\src\pr.cpp::$DATA!-->[Hidden] C:\Inbound\src\pr.h::$DATA!-->[Hidden] C:\Inbound\src\ptdist3d.h::$DATA!-->[Hidden] C:\Inbound\transpose.tar.gz::$DATA!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\00813F57C0CBB9A83349C874FD014078!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\08A1C9C30288A186F932D2F6CE954534!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\0A4D0CC7B410DEEFB8FA9F1266E32BEA!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\1B9435E949F2B3D267BABDE0C8BC19A6!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\9CD8982C888AB544945893084BD7523A!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B681B8816EE79EAEAA5CA7DA9EC0DC58!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\D725F3459E2275E9EA5871B92AD896D0!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\00813F57C0CBB9A83349C874FD014078!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\08A1C9C30288A186F932D2F6CE954534!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\0A4D0CC7B410DEEFB8FA9F1266E32BEA!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\1B9435E949F2B3D267BABDE0C8BC19A6!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\9CD8982C888AB544945893084BD7523A!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B681B8816EE79EAEAA5CA7DA9EC0DC58!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7!-->[Hidden] C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\D725F3459E2275E9EA5871B92AD896D0!-->[Hidden] C:\WINDOWS\SYSTEM32\Logfiles\MSFTPSVC1\ex100728.log!-->[Hidden] C:\WINDOWS\SYSTEM32\Logfiles\W3SVC1\ex100728.log!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =) Link to post Share on other sites More sharing options...
RPMcMurphy Posted July 28, 2010 ID:291776 Share Posted July 28, 2010 dukebec2, You are infected with a Rootkit. I recommend that you limit your online activity until we have your system clean and change all your passwords from a different, clean computer. Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.To properly disable McAfee Security Center, open McAfee Security CenterUnder Common Tasks click on HomeClick Computer FilesClick ConfigureMake sure the following are disabled by ticking the "Off" button.Virus protectionSpyware protectionSystem Guards ProtectionScript Scanning Protection (you may have to scroll down to see it)[*]Next, select never for "When to re-enable real time scanning"[*]Click OK. Download ComboFix from one of the following locations:Link 1 Link 2 VERY IMPORTANT !!! Save ComboFix.exe to your Desktop Double click on ComboFix.exe & follow the prompts.As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:Click on Yes, to continue scanning for malware.When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.Notes:1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.Please include the following in your next post:ComboFix log Link to post Share on other sites More sharing options...
dukebec2 Posted July 28, 2010 Author ID:291834 Share Posted July 28, 2010 ComboFix installed the Windows Recovery Console and had just started the malware scan when it blue screened. The error was BAD_POOL_CALLER with codes: 0x000000C2 (0x00000040, 0x00000000, 0x80000000, 0x00000000)It did not leave behind a log file. Per your instructions, I have not done anything more.P.S. For your instructions on security software, note that McAfee VirusScan has a different UI. There's no security center, but rather a "VirusScan Console." I disabled everything in the console before starting ComboFix. Interestingly, it reactivated two of its security features, the "Buffer Overflow Protection" and "On-Access Scanner," automatically on reboot, and I can't find an option to control that behavior. I suppose that's what you normally want, but if ComboFix wants to do reboots this might interfere. But not an issue this time since we didn't get that far... Link to post Share on other sites More sharing options...
RPMcMurphy Posted July 28, 2010 ID:291941 Share Posted July 28, 2010 dukebec2,McAfee is notorious for interfering with ComboFix. Please try to run it in the Safe Mode Link to post Share on other sites More sharing options...
dukebec2 Posted July 28, 2010 Author ID:292016 Share Posted July 28, 2010 I rebooted in Safe Mode, and ComboFix complained that McAfee was still active. I couldn't see any McAfee processes running, and the VirusScan Console said that everything was off, but ComboFix insisted there was something there. So I uninstalled McAfee entirely. I can put it back on easily enough when this process is over.ComboFix ran and did some things, including reporting a rootkit, rebooting, scanning, rebooting again. It then produced the attached log.ComboFix.txt Link to post Share on other sites More sharing options...
RPMcMurphy Posted July 29, 2010 ID:292077 Share Posted July 29, 2010 dukebec2,That was probably the eaiest thing to do, sorry for the inconvienience. Open Notepad Go to Start> All Programs> Accessories> Notepad ( this will only work with Notepad ) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Driver::Driver::42C60A95File::c:\windows\SYSTEM32\42C60A95.exeRegistry::[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"frxmxins"=-KillAll::Save this as CFScript to your desktop.Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply. You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.Open MBAMClick the Update tabClick Check for UpdatesIf an update is found, it will download and install the latest version.The program will close to update and reopen.Once the program has loaded, select "Perform Quick Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.Please include the following in your next post:OTM logMBAM log Link to post Share on other sites More sharing options...
dukebec2 Posted July 29, 2010 Author ID:292114 Share Posted July 29, 2010 I fed that script to ComboFix, and it did its thing. It ran through the scan, then said that it was deleting 42C60A95.exe. It then rebooted the system. After it put up "Preparing log file," it displayed the following:-R6025 pure virtual function calland Windows simultaneously reported an unhandled exception in PEV.exe. I clicked OK to kill PEV.exe. ComboFix eventually produced its log, which I've attached.I then ran MBAM. It updated its database but not its engine, then scanned and found nothing. The log is attached.ComboFix.txtmbam_log_2010_07_28__22_56_22_.txt Link to post Share on other sites More sharing options...
RPMcMurphy Posted July 29, 2010 ID:292280 Share Posted July 29, 2010 dukebec2,Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.Please follow these steps to remove older version Java components and update.Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 21. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."Click the "Download" button to the right.Select the Windows platform from the dropdown menu.Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.Click on the link to download Windows Offline Installation and save the file to your desktop.Close any programs you may have running - especially your web browser.Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name.Click the Remove or Change/Remove button.Repeat as many times as necessary to remove each Java version.Reboot your computer once all Java components are removed.Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)On the General tab, under Temporary Internet Files, click the Settings button.Next, click on the Delete Files buttonThere are two options in the window to clear the cache - Leave BOTH CheckedApplications and AppletsTrace and Log Files[*]Click OK on Delete Temporary Files WindowNote: This deletes ALL the Downloaded Applications and Applets from the CACHE.[*]Click OK to leave the Temporary Files Window[*]Click OK to leave the Java Control Panel. Using Internet Explorer or Firefox, visit Kaspersky Online Scanner 1. Click Accept, when prompted to download and install the program files and database of malware definitions.2. To optimize scanning time and produce a more sensible report for review:Close any open programsTurn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.3. Click Run at the Security prompt.The program will then begin downloading and installing and will also update the database.Please be patient as this can take quite a long time to download.Once the update is complete, click on Settings.Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:Spyware, adware, dialers, and other riskwareArchivesE-mail databases[*]Click on My Computer under the green Scan bar to the left to start the scan. [*]Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. [*]Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined. [*]Click View report... at the bottom.[*] Click the Save report... button.[*] Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next replyPlease include the following in your next post:Kaspersky log Link to post Share on other sites More sharing options...
dukebec2 Posted July 29, 2010 Author ID:292551 Share Posted July 29, 2010 Well, that took awhile...7 hours and 14 minutes, I think it said, for the Kaspersky scan. I've attached the log.KasReport.txt Link to post Share on other sites More sharing options...
RPMcMurphy Posted July 30, 2010 ID:292600 Share Posted July 30, 2010 dukebec2, One of the infections identified by Kaspersky is in your Outlook email. Unfortunately Kaspersky is unable to identify which particular email is infected, so delete any emails from anyone you don't know or any that have attachments, such as jokes, videos etc. (don't open them to check). The infected items are in these two folders:C:\Documents and Settings\Brian\My Documents\Mail Files\archive.pstC:\Documents and Settings\Brian\My Documents\Mail Files\backup.pstOther that those, your logs look good! All we have left to do is another update and some very important cleanup: Your Adobe reader needs to be updated. Please visit Adobe's site and grab the newest version. Go HERE to scan for any other out of date and/or vulnerable applications on your computer and follow the instructions given for updating them. Uninstall ComboFix Press the Windows key + R on your keyboard or click Start -> Run. Copy and past the following text into the run box that opens and press OK:Combofix /Uninstall Delete the following tools along with any other logs you saved from our work:DDSGMERRootkit Unhooker Download TFC to your desktopClose any open windows.Double click the TFC icon to run the programTFC will close all open programs itself in order to run,Click the Start button to begin the process.Allow TFC to run uninterrupted.The program should not take long to finish it's jobOnce its finished it should automatically reboot your machine,if it doesn't, manually reboot to ensure a complete clean Finally, I'd like to make a couple of suggestions to help you stay clean in the future:Restart any anti-malware programs that we disabled while we were cleaning your machine.Keep your antivirus application current and updated. Also, hang on to MBAM. Scan with them at least weekly.Consider running in a limited user account. See this post for more information.Please carefully review the information in our Security - Best Practices and Prevention forum located HEREPlease post once more so I know you are all set and I can close this thread. Good luck and stay safe! Link to post Share on other sites More sharing options...
dukebec2 Posted July 30, 2010 Author ID:292662 Share Posted July 30, 2010 I just did most of the things on that list, and will finish up the last few updates, installations, and security reconfigurations shortly. THANK YOU SO MUCH for your help with this! It truly was a life-saver, and I am most grateful. This forum and the help that you all provide strikes me as one of the most amazing and wonderful things on the Internet. I've been reading help forums from time to time since the Usenet days, and what you provide here is unparalleled. Thanks again.Best regards,Brian Link to post Share on other sites More sharing options...
RPMcMurphy Posted July 30, 2010 ID:292696 Share Posted July 30, 2010 You're welcome, Brian. Thanks for the kind words. Take care. Link to post Share on other sites More sharing options...
Recommended Posts