-
nishikamae
Logfile of HijackThis v1.99.1
Scan saved at 14:37:11, on 16/10/2550
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SmartAdviser\EZAD\svchost.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\Program Files\ViStart\ViStart.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe /S
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [EzTruehitNews] "C:\Program Files\SmartAdviser\EZAD\svchost.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [C:\WINDOWS\Config\load.exe] C:\WINDOWS\Config\load.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [viwc] C:\WINDOWS\system32\viwc.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ดาวน์โหลดทั้งหมดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &ดาวน์โหลดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {23D236EA-B936-4B2B-900C-D0E8DBBF9570} (BugsGameStarts Class) - http://audition.playpark.com/nProtec...iGameStart.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117w.bay117.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} (Installer.InstallControl) - http://www.file2you.net/applet.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4484DB0A-B788-4018-A8DF-6021AF33C507}: NameServer = 203.144.207.29 203.144.207.49
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
-
Hi
I have to say that your situation doesn't look good.
Some rootkit files have come back.
We can of course continue the cleaning process if you like.
-
nishikamae
Oh.. How bad is it? If I continue cleaning, will it make everything worse?
-
Hi
No, but I can't guarantee that we get you clean.
If you would like to continue, we must do further research.
-
nishikamae
I would like to continue cleaning. Thank you for your help very, very much.
-
Hi
* Download GMER from here:
Unzip it and start GMER.exe.
Click the Rootkit tab and click Scan.
Once done, click the Copy button.
This will copy the results to the clipboard.
Paste the results in your next reply.
-
nishikamae
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-10-16 21:49:19
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.13 ----
SSDT d347bus.sys ZwClose
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwCreateFile
SSDT d347bus.sys ZwCreateKey
SSDT d347bus.sys ZwCreatePagingFile
SSDT d347bus.sys ZwEnumerateKey
SSDT d347bus.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwOpenFile
SSDT d347bus.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryDirectoryFile
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryInformationProcess
SSDT d347bus.sys ZwQueryKey
SSDT d347bus.sys ZwQueryValueKey
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwSetInformationFile
SSDT d347bus.sys ZwSetSystemPowerState
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection
---- Kernel code sections - GMER 1.0.13 ----
.text ntoskrnl.exe!ZwYieldExecution 80509014 7 Bytes JMP B8DD988E \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 805793A1 7 Bytes JMP B8DD9864 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtCreateFile 8057D3C4 5 Bytes JMP B8DD9850 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057E2A3 5 Bytes JMP B8DD98BA \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E71B 7 Bytes JMP B8DD98A4 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwSetValueKey 8057FF13 7 Bytes JMP B8DD9826 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwTerminateProcess 8058C399 5 Bytes JMP B8DD983C \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteValueKey 805969F3 7 Bytes JMP B8DD9810 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteKey 80598177 7 Bytes JMP B8DD97E4 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwCreateProcess 805C0BF0 5 Bytes JMP B8DD987A \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwRenameKey 8065410B 7 Bytes JMP B8DD97FA \SystemRoot\system32\drivers\mfehidk.sys
---- User code sections - GMER 1.0.13 ----
.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006B0429
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A80FE5
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A80F77
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A80F92
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A8006C
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A80FAF
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A80051
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A800C9
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A800A2
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A80F55
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A80F66
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!GetProcAddress 7C80ADC0 5 Bytes JMP 00A80109
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!LoadLibraryW 7C80AE6B 5 Bytes JMP 00A80FCA
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!CreateFileW 7C810780 5 Bytes JMP 00A8000A
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!CreatePipe 7C81D7AF 5 Bytes JMP 00A80091
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!CreateNamedPipeW 7C82F034 5 Bytes JMP 00A8002C
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!CreateNamedPipeA 7C85FE74 5 Bytes JMP 00A8001B
.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!WinExec 7C8615B5 5 Bytes JMP 00A800E4
.text C:\WINDOWS\system32\svchost.exe[176] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A70FDE
.text C:\WINDOWS\system32\svchost.exe[176] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A70F8D
.text C:\WINDOWS\system32\svchost.exe[176] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[176] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A70025
.text C:\WINDOWS\system32\svchost.exe[176] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A70FA8
.text C:\WINDOWS\system32\svchost.exe[176] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A70FC3
.text C:\WINDOWS\system32\svchost.exe[176] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A7000A
.text C:\WINDOWS\system32\svchost.exe[176] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A7004A
.text C:\Program Files\MSN Messenger\usnsvc.exe[504] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00650429
.text C:\WINDOWS\system32\winlogon.exe[576] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004B0429
.text C:\WINDOWS\system32\winlogon.exe[576] WS2_32.dll!connect 71AB406A 5 Bytes JMP 004B0536
.text C:\WINDOWS\system32\winlogon.exe[576] WS2_32.dll!send 71AB428A 5 Bytes JMP 004B05E0
.text C:\WINDOWS\system32\winlogon.exe[576] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 004B0553
.text C:\WINDOWS\system32\services.exe[628] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 005B0429
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F70F68
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F7005D
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00F70040
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00F70F8D
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00F70FA8
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F7007A
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F70F32
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F700BA
-
nishikamae
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F7009F
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!GetProcAddress 7C80ADC0 5 Bytes JMP 00F700CB
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryW 7C80AE6B 5 Bytes JMP 00F7002F
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateFileW 7C810780 5 Bytes JMP 00F7000A
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreatePipe 7C81D7AF 5 Bytes JMP 00F70F4D
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateNamedPipeW 7C82F034 5 Bytes JMP 00F70FB9
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateNamedPipeA 7C85FE74 5 Bytes JMP 00F70FD4
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!WinExec 7C8615B5 5 Bytes JMP 00F70F17
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00F6002C
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00F6007A
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00F6001B
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00F60069
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00F60058
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00F60FE5
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00F60047
.text C:\WINDOWS\system32\services.exe[628] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\services.exe[628] WS2_32.dll!connect 71AB406A 5 Bytes JMP 005B0536
.text C:\WINDOWS\system32\services.exe[628] WS2_32.dll!send 71AB428A 5 Bytes JMP 005B05E0
.text C:\WINDOWS\system32\services.exe[628] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 005B0553
.text C:\WINDOWS\system32\services.exe[628] wininet.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\services.exe[628] wininet.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00F40FDE
.text C:\WINDOWS\system32\services.exe[628] wininet.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00F40FC3
.text C:\WINDOWS\system32\services.exe[628] wininet.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00F40FB2
.text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006B0429
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00EB00BC
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00EB00A1
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00EB0084
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00EB0073
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00EB0047
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00EB0F8F
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00EB00D7
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00EB00E8
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00EB0F4F
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!GetProcAddress 7C80ADC0 5 Bytes JMP 00EB0F3E
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryW 7C80AE6B 5 Bytes JMP 00EB0058
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateFileW 7C810780 5 Bytes JMP 00EB0011
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreatePipe 7C81D7AF 5 Bytes JMP 00EB0FAC
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateNamedPipeW 7C82F034 5 Bytes JMP 00EB0036
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateNamedPipeA 7C85FE74 5 Bytes JMP 00EB0FE5
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!WinExec 7C8615B5 5 Bytes JMP 00EB0F6A
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00DF0FD4
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00DF006C
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00DF0FE5
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00DF001B
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00DF0051
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00DF0040
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00DF000A
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00DF0FB9
.text C:\WINDOWS\system32\lsass.exe[640] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00DC0FE5
.text C:\WINDOWS\system32\lsass.exe[640] WS2_32.dll!connect 71AB406A 5 Bytes JMP 006B0536
.text C:\WINDOWS\system32\lsass.exe[640] WS2_32.dll!send 71AB428A 5 Bytes JMP 006B05E0
.text C:\WINDOWS\system32\lsass.exe[640] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 006B0553
.text C:\WINDOWS\system32\lsass.exe[640] wininet.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00DD0FEF
.text C:\WINDOWS\system32\lsass.exe[640] wininet.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00DD0FDE
.text C:\WINDOWS\system32\lsass.exe[640] wininet.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00DD000A
.text C:\WINDOWS\system32\lsass.exe[640] wininet.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00DD001B
.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006B0429
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B30FE5
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B30062
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B30F6D
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B30047
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B30F94
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B30FAF
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B30089
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B30F41
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B30F26
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B300B5
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!GetProcAddress 7C80ADC0 5 Bytes JMP 00B30F01
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryW 7C80AE6B 5 Bytes JMP 00B30036
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateFileW 7C810780 5 Bytes JMP 00B30000
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreatePipe 7C81D7AF 5 Bytes JMP 00B30F52
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateNamedPipeW 7C82F034 5 Bytes JMP 00B3001B
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateNamedPipeA 7C85FE74 5 Bytes JMP 00B30FCA
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!WinExec 7C8615B5 5 Bytes JMP 00B300A4
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B20040
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B200AC
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B2002F
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B20FEF
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B2009B
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B20076
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B2000A
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B20065
-
nishikamae
.text C:\WINDOWS\system32\svchost.exe[808] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00AF0000
.text C:\WINDOWS\system32\svchost.exe[808] WS2_32.dll!connect 71AB406A 5 Bytes JMP 006B0536
.text C:\WINDOWS\system32\svchost.exe[808] WS2_32.dll!send 71AB428A 5 Bytes JMP 006B05E0
.text C:\WINDOWS\system32\svchost.exe[808] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 006B0553
.text C:\WINDOWS\system32\svchost.exe[808] wininet.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00B00000
.text C:\WINDOWS\system32\svchost.exe[808] wininet.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00B00FDB
.text C:\WINDOWS\system32\svchost.exe[808] wininet.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00B00FCA
.text C:\WINDOWS\system32\svchost.exe[808] wininet.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00B00025
.text C:\WINDOWS\system32\svchost.exe[864] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006B0429
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CB0F66
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CB0F77
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CB0051
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CB0036
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CB0025
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CB009D
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CB0F55
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CB00C2
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CB0F29
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!GetProcAddress 7C80ADC0 5 Bytes JMP 00CB0F0E
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryW 7C80AE6B 5 Bytes JMP 00CB0F9E
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateFileW 7C810780 5 Bytes JMP 00CB0FDE
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreatePipe 7C81D7AF 5 Bytes JMP 00CB0076
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateNamedPipeW 7C82F034 5 Bytes JMP 00CB0FB9
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateNamedPipeA 7C85FE74 5 Bytes JMP 00CB0014
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!WinExec 7C8615B5 5 Bytes JMP 00CB0F44
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00CA0FE5
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00CA006C
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00CA0036
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00CA001B
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00CA0FAF
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00CA0051
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00CA000A
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00CA0FCA
.text C:\WINDOWS\system32\svchost.exe[864] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C7000A
.text C:\WINDOWS\system32\svchost.exe[864] WS2_32.dll!connect 71AB406A 5 Bytes JMP 006B0536
.text C:\WINDOWS\system32\svchost.exe[864] WS2_32.dll!send 71AB428A 5 Bytes JMP 006B05E0
.text C:\WINDOWS\system32\svchost.exe[864] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 006B0553
.text C:\WINDOWS\system32\svchost.exe[864] wininet.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[864] wininet.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00C80014
.text C:\WINDOWS\system32\svchost.exe[864] wininet.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00C80025
.text C:\WINDOWS\system32\svchost.exe[864] wininet.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00C80FD4
.text C:\Program Files\Windows Defender\MsMpEng.exe[940] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00580429
.text C:\Program Files\Windows Defender\MsMpEng.exe[940] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00580536
.text C:\Program Files\Windows Defender\MsMpEng.exe[940] WS2_32.dll!send 71AB428A 5 Bytes JMP 005805E0
.text C:\Program Files\Windows Defender\MsMpEng.exe[940] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 00580553
.text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006B0429
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01EF0000
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01EF0F52
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01EF0F6D
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01EF0051
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01EF0F94
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01EF0036
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01EF007F
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01EF0F37
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01EF009A
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01EF0F0B
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!GetProcAddress 7C80ADC0 5 Bytes JMP 01EF00AB
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!LoadLibraryW 7C80AE6B 5 Bytes JMP 01EF0FAF
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateFileW 7C810780 5 Bytes JMP 01EF0011
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreatePipe 7C81D7AF 5 Bytes JMP 01EF0062
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F034 5 Bytes JMP 01EF0FC0
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateNamedPipeA 7C85FE74 5 Bytes JMP 01EF0FDB
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!WinExec 7C8615B5 5 Bytes JMP 01EF0F1C
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01EE0022
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01EE0047
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01EE0011
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01EE0000
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01EE0F8A
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01EE0F9B
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01EE0FEF
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01EE0FB6
.text C:\WINDOWS\System32\svchost.exe[1016] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01CF000A
.text C:\WINDOWS\System32\svchost.exe[1016] WS2_32.dll!connect 71AB406A 5 Bytes JMP 006B0536
.text C:\WINDOWS\System32\svchost.exe[1016] WS2_32.dll!send 71AB428A 5 Bytes JMP 006B05E0
.text C:\WINDOWS\System32\svchost.exe[1016] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 006B0553
.text C:\WINDOWS\System32\svchost.exe[1016] wininet.dll!InternetOpenA 771CA6DD 5 Bytes JMP 01D00FEF
.text C:\WINDOWS\System32\svchost.exe[1016] wininet.dll!InternetOpenW 771CAFC2 5 Bytes JMP 01D00FD4
.text C:\WINDOWS\System32\svchost.exe[1016] wininet.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 01D00014
.text C:\WINDOWS\System32\svchost.exe[1016] wininet.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 01D00FC3
.text C:\WINDOWS\system32\svchost.exe[1140] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006B0429
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00AD0000
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00AD0F7C
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00AD007B
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00AD0F97
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00AD004A
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00AD0FB2
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00AD00A9
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00AD0098
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00AD0F32
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00AD00CB
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!GetProcAddress 7C80ADC0 5 Bytes JMP 00AD00E6
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!LoadLibraryW 7C80AE6B 5 Bytes JMP 00AD0039
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateFileW 7C810780 5 Bytes JMP 00AD0FEF
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreatePipe 7C81D7AF 5 Bytes JMP 00AD0F61
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateNamedPipeW 7C82F034 5 Bytes JMP 00AD0FC3
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateNamedPipeA 7C85FE74 5 Bytes JMP 00AD0FDE
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!WinExec 7C8615B5 5 Bytes JMP 00AD00BA
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00AC0036
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00AC0F83
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00AC001B
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00AC0F94
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00AC0FAF
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00AC0FC0
.text C:\WINDOWS\system32\svchost.exe[1140] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A90FEF
.text C:\WINDOWS\system32\svchost.exe[1140] WS2_32.dll!connect 71AB406A 5 Bytes JMP 006B0536
.text C:\WINDOWS\system32\svchost.exe[1140] WS2_32.dll!send 71AB428A 5 Bytes JMP 006B05E0
.text C:\WINDOWS\system32\svchost.exe[1140] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 006B0553
.text C:\WINDOWS\system32\svchost.exe[1140] wininet.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00AA0FEF
.text C:\WINDOWS\system32\svchost.exe[1140] wininet.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00AA0FD4
.text C:\WINDOWS\system32\svchost.exe[1140] wininet.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00AA0FC3
.text C:\WINDOWS\system32\svchost.exe[1140] wininet.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00AA0FA8
.text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006B0429
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B60F4E
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B60F5F
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B60F7C
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B60F8D
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B60FB9
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B60F2C
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B60F3D
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B600AA
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B60099
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetProcAddress 7C80ADC0 5 Bytes JMP 00B600BB
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryW 7C80AE6B 5 Bytes JMP 00B60FA8
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileW 7C810780 5 Bytes JMP 00B60FE5
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreatePipe 7C81D7AF 5 Bytes JMP 00B6005E
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 7C82F034 5 Bytes JMP 00B60025
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 7C85FE74 5 Bytes JMP 00B60FD4
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!WinExec 7C8615B5 5 Bytes JMP 00B60F1B
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A40036
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A4008E
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A4001B
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A4000A
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A4007D
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A4006C
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A40051
.text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!connect 71AB406A 5 Bytes JMP 006B0536
.text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!send 71AB428A 5 Bytes JMP 006B05E0
.text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 006B0553
.text C:\WINDOWS\system32\svchost.exe[1212] wininet.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[1212] wininet.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00A20FD4
.text C:\WINDOWS\system32\svchost.exe[1212] wininet.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00A20FC3
.text C:\WINDOWS\system32\svchost.exe[1212] wininet.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00A20FA8
.text C:\WINDOWS\system32\spoolsv.exe[1332] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00930429
.text C:\WINDOWS\system32\spoolsv.exe[1332] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00930536
.text C:\WINDOWS\system32\spoolsv.exe[1332] WS2_32.dll!send 71AB428A 5 Bytes JMP 009305E0
.text C:\WINDOWS\system32\spoolsv.exe[1332] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 00930553
.text C:\Documents and Settings\user\Desktop\gmer.exe[1344] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A00429
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 003C0429
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00250FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00250F74
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00250073
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00250062
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00250FA5
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00250FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00250F43
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00250095
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 002500D2
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 002500B7
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!GetProcAddress 7C80ADC0 5 Bytes JMP 00250F28
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!LoadLibraryW 7C80AE6B 5 Bytes JMP 00250051
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!CreateFileW 7C810780 5 Bytes JMP 00250014
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!CreatePipe 7C81D7AF 5 Bytes JMP 00250084
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!CreateNamedPipeW 7C82F034 5 Bytes JMP 00250040
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!CreateNamedPipeA 7C85FE74 5 Bytes JMP 0025002F
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] kernel32.dll!WinExec 7C8615B5 5 Bytes JMP 002500A6
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00340FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0034006C
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0034002C
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0034001B
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00340051
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00340FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00340000
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00340FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] USER32.dll!DialogBoxParamW 77D5737A 5 Bytes JMP 00C55415 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] USER32.dll!DialogBoxIndirectParamW 77D6204B 5 Bytes JMP 00DEC510 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] USER32.dll!MessageBoxIndirectA 77D6A062 5 Bytes JMP 00DEC491 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] USER32.dll!DialogBoxParamA 77D6B124 5 Bytes JMP 00DEC4D5 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] USER32.dll!MessageBoxExW 77D80540 5 Bytes JMP 00DEC3D9 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] USER32.dll!MessageBoxExA 77D80564 5 Bytes JMP 00DEC413 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] USER32.dll!DialogBoxIndirectParamA 77D86CB5 5 Bytes JMP 00DEC54B C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] USER32.dll!MessageBoxIndirectW 77D9609B 5 Bytes JMP 00DEC44D C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 01F10000
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 01F10FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 01F10FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 01F10FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 024E0000
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] ws2_32.dll!connect 71AB406A 5 Bytes JMP 003C0536
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] ws2_32.dll!send 71AB428A 5 Bytes JMP 003C05E0
.text C:\Program Files\Internet Explorer\iexplore.exe[1368] ws2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 003C0553
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1440] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00680429
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1440] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00680536
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1440] WS2_32.dll!send 71AB428A 5 Bytes JMP 006805E0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1440] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 00680553