tdss.sys removal help

grapedrink
2009-11-30, 17:16
Spybot detected tdss.sys in my registry but cannot fix the problem. I tried to find the files manually and delete them with regedit, but still couldn't delete them. Thank you for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:11 AM, on 11/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless USB 2.0 Adapter HW.14 V.1.00\WlanCU.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA5488] command.com /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5724] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [rioq] C:\PROGRA~1\COMMON~1\rioq\rioqm.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [rioq] C:\PROGRA~1\COMMON~1\rioq\rioqm.exe (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless USB 2.0 Adapter HW.14 V.1.00\WlanCU.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141879598593
O17 - HKLM\System\CCS\Services\Tcpip\..\{26ABF79D-4A03-487D-8F42-DD7DA69FBF7F}: Domain = domain.invalid
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\rim.dll (file missing)
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\oamanage.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7605 bytes
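Added example for this thread (not part of HijackThis, Spybot or the original posts): a small triage pass over the O4, O20 and O23 line formats from a HijackThis 2.0.x log like the one above. It flags the kinds of entries a forum helper normally asks about first: autoruns registered under the SYSTEM or Default User hives, Winlogon Notify packages whose DLL is missing, and services whose binary is missing. The rules are the author's heuristics and are not a malware verdict; SAMPLE_LOG is a constructed excerpt copied from the log posted above.

```python
"""Triage pass over HijackThis v2 log lines (added example, not HijackThis code).

Flags three kinds of entries: O4 autoruns under the SYSTEM / Default User hives,
O20 Winlogon Notify packages whose DLL is missing, and O23 services whose binary
is missing. The heuristics are the author's assumptions, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKUS\S-1-5-18\..\Run: [rioq] C:\PROGRA~1\COMMON~1\rioq\rioqm.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [rioq] C:\PROGRA~1\COMMON~1\rioq\rioqm.exe (User 'Default user')
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\rim.dll (file missing)
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\oamanage.dll (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)
"""

# Line formats as HijackThis 2.0.x prints them.
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Heuristic (assumption): these per-user hives normally carry no third-party autoruns.
SYSTEM_HIVES = {r"HKUS\S-1-5-18", r"HKUS\.DEFAULT"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "autorun-system-hive" | "winlogon-notify-missing" | "service-missing"
    line: str
    reason: str


def triage(log: str) -> list[Finding]:
    """Return one Finding per line that matches a triage rule; other lines are dropped."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            if m["hive"] in SYSTEM_HIVES:
                findings.append(Finding(
                    "autorun-system-hive", line,
                    f"[{m['name']}] runs {m['cmd']} from the {m['user']} hive"))
        elif m := O20_RE.match(line):
            if m["missing"]:
                findings.append(Finding(
                    "winlogon-notify-missing", line,
                    f"Winlogon Notify package '{m['name']}' points at missing {m['path']}"))
        elif m := O23_RE.match(line):
            if m["missing"]:
                findings.append(Finding(
                    "service-missing", line,
                    f"service '{m['name']}' ({m['owner']}) points at missing {m['path']}"))
    return findings


def count_by_kind(findings: list[Finding]) -> dict[str, int]:
    """Tally findings per rule so a long log can be summarised in one line."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.reason}")
```

Run it over the whole log rather than the excerpt; the flagged lines are the ones to ask about or research by name, not necessarily infections, since an orphaned Winlogon Notify entry can also be left behind by a clumsy uninstall.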

Blade81
2009-12-02, 17:47
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double-click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.


Download GMER (http://www.gmer.net) by clicking the "Download EXE" button and saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab and then Scan.
Don't check the "Show All" box while the scan is in progress!
When the scan is finished, click Copy.
This copies the log to the clipboard.
Post the log in your reply.

grapedrink
2009-12-05, 17:38
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-05 11:28:49
Windows 5.1.2600 Service Pack 3
Running: 2o4ih13v.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kgkiruob.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF783F87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF783FBFE]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xED6A80B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xECA1635D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xECA16387]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xECA162F1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xECA1631D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xECA163B1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xECA162C7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xECA16371]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xECA16307]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xECA16349]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xECA163C7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xECA1639B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80515A6A 7 Bytes JMP ECA1639F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80572BF4 5 Bytes JMP ECA162CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8057C328 5 Bytes JMP ECA16361 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057DEF1 5 Bytes JMP ECA163CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E369 7 Bytes JMP ECA163B5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581889 7 Bytes JMP ECA16375 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E695 5 Bytes JMP ECA1634D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80591F8B 7 Bytes JMP ECA16321 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80593334 7 Bytes JMP ECA162F5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0470 5 Bytes JMP ECA1638B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 80655B88 7 Bytes JMP ECA1630B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\System32\DRIVERS\mohfilt.sys entry point in "init" section [0xF7B29A60]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070064
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F6F
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F8A
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070047
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0007009C
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F54
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F32
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F43
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700E6
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FDE
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070075
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000700C1
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FDB
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F91
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060FB6
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060058
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060047
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050025
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050F9A
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FC6
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FB5
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FD7
.text C:\WINDOWS\system32\services.exe[904] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A10F37
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A10F52
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A10F79
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A10F8A
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A10025
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A10F0B
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A10F1C
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A10089
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A10078
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A10EDF
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A10036
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A10FE5
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A10047
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A10FB9
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A10FCA
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A10EF0
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A00011
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A00F72
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A00FCA
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A00F83
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A00F94
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C0, 88]
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A00FA5
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009F0031
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!system 77C293C7 5 Bytes JMP 009F0FA6
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009F0FC1
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009F0016
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009F0FDE
.text C:\WINDOWS\system32\lsass.exe[916] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009F0F7C
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009F0F8D
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009F0FA8
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009F0065
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009F002F
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009F00B3
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009F0F6B
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009F0F50
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009F00E9
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009F00FA
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009F0040
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009F0FE5
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009F0096
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009F0FB9
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009F0FCA
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009F00CE
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009E001B
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009E005B
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009E0FCA
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009E0F9E
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009E0036
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009E0FB9
.text C:\WINDOWS\system32\svchost.exe[1096] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009D0058
.text C:\WINDOWS\system32\svchost.exe[1096] msvcrt.dll!system 77C293C7 5 Bytes JMP 009D0047
.text C:\WINDOWS\system32\svchost.exe[1096] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009D0FCD
.text C:\WINDOWS\system32\svchost.exe[1096] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\system32\svchost.exe[1096] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009D0022
.text C:\WINDOWS\system32\svchost.exe[1096] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009D0FDE
.text C:\WINDOWS\system32\svchost.exe[1096] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F8A
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF007F
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0FA5
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0062
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FDB
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F59
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF00A1
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F37
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F48
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0F1C
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0090
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0051
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0036
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF00BC
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0FDB
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0051
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE002C
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0F94
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BE0FA5
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DE, 88]
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0FC0
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0078
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD005D
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0FE3
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0038
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD001D
.text C:\WINDOWS\system32\svchost.exe[1144] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 030E0FE5
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 030E0F5C
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 030E005B
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 030E004A
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 030E0F8D
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 030E0FB9
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 030E0F2E
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 030E0076
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 030E009B
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 030E0EF8
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 030E0EE7
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 030E0FA8
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 030E000A
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 030E0F4B
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateNamedPipeW 7C82F0DD 3 Bytes JMP 030E0FCA
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateNamedPipeW + 4 7C82F0E1 1 Byte [86]
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 030E0025
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 030E0F1D
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 030D0FC3
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 030D006C
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 030D0FD4
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 030D0FE5
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 030D005B
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 030D0000
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 030D004A
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 030D0039
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02FD0FB2
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!system 77C293C7 5 Bytes JMP 02FD003D
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02FD0011
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02FD0FE3
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02FD0022
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02FD0000
.text C:\WINDOWS\System32\svchost.exe[1184] WS2_32.dll!socket 71AB4211 5 Bytes JMP 022C0000
.text C:\WINDOWS\System32\svchost.exe[1184] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 0231000A
.text C:\WINDOWS\System32\svchost.exe[1184] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 02310FEF
.text C:\WINDOWS\System32\svchost.exe[1184] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 02310031
.text C:\WINDOWS\System32\svchost.exe[1184] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 0231004C
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B000A
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B0082
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0F83
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B005B
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0F9E
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0025
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B009F
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B0F57
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B00C4
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B0F21
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007B00D5
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007B0040
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007B0F72
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007B0FB9
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007B0FD4
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007B0F3C
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A0028
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007A0FAB
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007A0FCD
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007A0FDE
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007A0068
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007A0FBC
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9A, 88]
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007A0043
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00790F92
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!system 77C293C7 5 Bytes JMP 00790FAD
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0079001D
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00790000
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00790FC8
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00790FE3
.text C:\WINDOWS\System32\svchost.exe[1300] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780000
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A00000
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A000B3
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A00098
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A00087
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A00076
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A00FD4
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A00F6B
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A00F7C
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A00F24
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A00F3F
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A00F13
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A0005B
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A00FE5
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A00FA3
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A00040

grapedrink
2009-12-05, 17:39
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A00025
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A00F5A
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009F0025
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009F0F94
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009F0FD4
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009F0FE5
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009F0051
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009F0000
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009F0040
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009F0FB9
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009E0FB2
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!system 77C293C7 5 Bytes JMP 009E0033
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009E0FDE
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009E0FCD
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009E000C
.text C:\WINDOWS\System32\svchost.exe[1332] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009D0FE5
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80000
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80F8F
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F80084
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80073
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80062
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F80036
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F80F61
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F80F72
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F800C4
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F80F21
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F800D5
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80047
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F800A9
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F80FCA
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F8001B
.text C:\WINDOWS\Explorer.EXE[1408] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F80F3C
.text C:\WINDOWS\Explorer.EXE[1408] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F7001B
.text C:\WINDOWS\Explorer.EXE[1408] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F70F72
.text C:\WINDOWS\Explorer.EXE[1408] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F7000A
.text C:\WINDOWS\Explorer.EXE[1408] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F70FDE
.text C:\WINDOWS\Explorer.EXE[1408] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F70F8D
.text C:\WINDOWS\Explorer.EXE[1408] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\Explorer.EXE[1408] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F70F9E
.text C:\WINDOWS\Explorer.EXE[1408] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [17, 89]
.text C:\WINDOWS\Explorer.EXE[1408] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F70FB9
.text C:\WINDOWS\Explorer.EXE[1408] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F6007A
.text C:\WINDOWS\Explorer.EXE[1408] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F6005F
.text C:\WINDOWS\Explorer.EXE[1408] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F60029
.text C:\WINDOWS\Explorer.EXE[1408] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F6000C
.text C:\WINDOWS\Explorer.EXE[1408] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F6003A
.text C:\WINDOWS\Explorer.EXE[1408] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\Explorer.EXE[1408] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00F5000A
.text C:\WINDOWS\Explorer.EXE[1408] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\Explorer.EXE[1408] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00F50FD4
.text C:\WINDOWS\Explorer.EXE[1408] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00F50FB7
.text C:\WINDOWS\Explorer.EXE[1408] WS2_32.dll!socket 71AB4211 5 Bytes JMP 015B0FEF
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A80F57
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A80F72
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A80F83
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A80F94
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A8002C
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A80067
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A80F1F
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A80EE2
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A80EFD
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A80096
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A80FA5
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A80000
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A80F3C
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A80FC0
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A80011
.text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A80F0E
.text C:\WINDOWS\System32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930025
.text C:\WINDOWS\System32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F97
.text C:\WINDOWS\System32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FDE
.text C:\WINDOWS\System32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930014
.text C:\WINDOWS\System32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FA8
.text C:\WINDOWS\System32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
.text C:\WINDOWS\System32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930FB9
.text C:\WINDOWS\System32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\System32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930040
.text C:\WINDOWS\System32\svchost.exe[1604] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920FB0
.text C:\WINDOWS\System32\svchost.exe[1604] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FC1
.text C:\WINDOWS\System32\svchost.exe[1604] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0092000C
.text C:\WINDOWS\System32\svchost.exe[1604] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\System32\svchost.exe[1604] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920027
.text C:\WINDOWS\System32\svchost.exe[1604] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FD2
.text C:\WINDOWS\System32\svchost.exe[1604] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 0091001B
.text C:\WINDOWS\System32\svchost.exe[1604] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00910000
.text C:\WINDOWS\System32\svchost.exe[1604] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 0091002C
.text C:\WINDOWS\System32\svchost.exe[1604] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00910047
.text C:\WINDOWS\System32\svchost.exe[1604] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00900000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01190FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01190F55
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01190F66
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01190040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01190F8D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01190FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01190F29
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01190F3A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011900A0
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01190EFD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011900B1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01190F9E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0119000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01190065
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01190FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0119001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01190F0E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0118001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01180F94
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01180FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01180FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01180051
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01180000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01180FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [38, 89]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01180040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01170038
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] msvcrt.dll!system 77C293C7 5 Bytes JMP 0117001D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01170FC8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01170FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01170FAD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0117000C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01160FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] WinInet.dll!InternetOpenW 771BAF45 5 Bytes JMP 010F000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] WinInet.dll!InternetOpenA 771C5796 5 Bytes JMP 010F0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] WinInet.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 010F001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1740] WinInet.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 010F0FC8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F6F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0064
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0F8A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0FA5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF003D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0F41
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF0F5E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF0EFA
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F0B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF0EDF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0FB6
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF007F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF002C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0FDB
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0F1C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0FAF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0F72
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0F83
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FE0025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0F9E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD0FA4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD0FB5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD0025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD0FC6
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1928] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FC0000
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0000
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0F92
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0087
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0FAD
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0FCA
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0051
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C00BF
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C0F77
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C00EB
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C00DA
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C0F41
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0062
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0FDB
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C0098
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C002C
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0011
.text C:\WINDOWS\System32\svchost.exe[2004] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C0F5C
.text C:\WINDOWS\System32\svchost.exe[2004] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B0FCA
.text C:\WINDOWS\System32\svchost.exe[2004] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0051
.text C:\WINDOWS\System32\svchost.exe[2004] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B001B
.text C:\WINDOWS\System32\svchost.exe[2004] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[2004] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0F94
.text C:\WINDOWS\System32\svchost.exe[2004] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\System32\svchost.exe[2004] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009B002C
.text C:\WINDOWS\System32\svchost.exe[2004] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0FA5
.text C:\WINDOWS\System32\svchost.exe[2004] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0033
.text C:\WINDOWS\System32\svchost.exe[2004] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0FA8
.text C:\WINDOWS\System32\svchost.exe[2004] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0FDE
.text C:\WINDOWS\System32\svchost.exe[2004] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\System32\svchost.exe[2004] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0FB9
.text C:\WINDOWS\System32\svchost.exe[2004] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A000C
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0080
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F81
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0065
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F55
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F70
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F0E
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F1F
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00C2
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B004A
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B009B
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[2820] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F3A
.text C:\WINDOWS\system32\wuauclt.exe[2820] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0031
.text C:\WINDOWS\system32\wuauclt.exe[2820] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FA6
.text C:\WINDOWS\system32\wuauclt.exe[2820] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FC1
.text C:\WINDOWS\system32\wuauclt.exe[2820] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2820] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0016
.text C:\WINDOWS\system32\wuauclt.exe[2820] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FDE
.text C:\WINDOWS\system32\wuauclt.exe[2820] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FD1
.text C:\WINDOWS\system32\wuauclt.exe[2820] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0F8A
.text C:\WINDOWS\system32\wuauclt.exe[2820] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0022
.text C:\WINDOWS\system32\wuauclt.exe[2820] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0011
.text C:\WINDOWS\system32\wuauclt.exe[2820] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0047
.text C:\WINDOWS\system32\wuauclt.exe[2820] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[2820] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0F9B
.text C:\WINDOWS\system32\wuauclt.exe[2820] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\system32\wuauclt.exe[2820] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FAC

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[140] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSrvdc.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSrvdc.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSktcv.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSweal.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSurxx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSlrjo.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSoxst.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSublr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSckhc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSwhkc.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSbjnb.log

---- EOF - GMER 1.0.15 ----

grapedrink
2009-12-05, 17:40
DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 19:44:09.89 on Thu 12/03/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.151 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://home.peoplepc.com/search/
mSearch Page = hxxp://ie.search.msn.com
mSearchAssistant = hxxp://ie.search.msn.com
BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - Yahoo! Toolbar Helper
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRunOnce: [SpybotDeletingA7067] command.com /c del "c:\windows\SchedLgU.Txt"
mRunOnce: [SpybotDeletingC8937] cmd.exe /c del "c:\windows\SchedLgU.Txt"
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
dRun: [rioq] c:\progra~1\common~1\rioq\rioqm.exe
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141879598593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: Group Policy - c:\windows\system32\rim.dll
Notify: igfxcui - igfxsrvc.dll
Notify: ModuleUsage - c:\windows\system32\oamanage.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\kexitmrp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-6 64288]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-11 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-11 74480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-12-15 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2006-11-30 54872]
R3 MauiIIIG;Emuzed Maui III-G Device;c:\windows\system32\drivers\MauiIIIG.sys [2006-3-8 175232]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-12-15 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-12-15 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-12-15 168776]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-11 7408]
S0 lrwpwpvq;lrwpwpvq;c:\windows\system32\drivers\wnjizg.sys --> c:\windows\system32\drivers\wnjizg.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-8-18 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-8-18 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-8-18 40832]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-8-18 21632]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-9-29 83008]
S3 RTLWUSB;802.11g USB 2.0 WLAN Dongle;c:\windows\system32\drivers\RTL8187.sys [2008-11-28 169472]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2002-10-2 13532]

=============== Created Last 30 ================

2009-12-02 04:36:28 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-30 16:08:14 0 d-----w- c:\program files\Trend Micro
2009-11-25 04:17:45 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-25 04:11:54 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-11-25 04:11:36 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2009-11-25 04:10:28 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-11-18 05:20:39 0 d-----w- c:\program files\Exterminate It!
2009-11-18 02:40:51 0 ----a-w- C:\backup.reg
2009-11-18 02:40:49 574 ----a-w- C:\cleanup.bat
2009-11-18 02:40:49 135168 ----a-w- C:\zip.exe
2009-11-16 17:28:09 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-16 17:27:10 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-16 17:27:08 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-11-16 17:25:40 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-15 17:39:43 4932976 ----a-w- c:\windows\{00000001-00000000-00000001-00001102-00000004-20041102}.BAK

==================== Find3M ====================

2009-11-18 05:10:49 124 ----a-w- c:\program files\fkvoegrc.txt
2009-11-15 00:02:43 15688 ----a-w- c:\windows\system32\lsdelete.exe

============= FINISH: 19:45:29.45 ===============

Blade81
2009-12-05, 19:06
Hi,

Please post attach.txt contents in next reply too.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (see http://www.bleepingcomputer.com/forums/topic114351.html).
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Blade81
2009-12-12, 14:31
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.