Techmonkeys.co.uk / Security / Archived HJT Logs / HTJ Log

Thread Closed 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
HTJ Log
09-05-2010, 10:47 PM
Post: #1
wylantar Offline
Woolly Monkey
 		Posts: 3
Joined: May 2010
Reputation: 0
HTJ Log
Hey guys, been having some annoying redirecting issues when I click on search result links. Here's the log. Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:45:21 PM, on 5/9/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WN111v2\WN111V2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [jswtrayutil] "C:\Program Files\NETGEAR\WN111v2\jswtrayutil.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [M5T8QL3YW3] C:\DOCUME~1\AARONG~1\LOCALS~1\Temp\Nt0.exe
O4 - Global Startup: NETGEAR WN111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111v2\WN111V2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3895457-36D6-44EB-A9C3-234825A1CA68}: NameServer = 93.188.164.99,93.188.161.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A1D08F-6461-42C3-B309-95B0375B229B}: NameServer = 93.188.164.99,93.188.161.133
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.99,93.188.161.133
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.99,93.188.161.133
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8428 bytes
Send this user an email Find all posts by this user
10-05-2010, 02:42 AM (This post was last modified: 10-05-2010 02:42 AM by Kenny94.)
Post: #2
Kenny94 Offline
Moderator
*****
 		Posts: 2,005
Joined: Jun 2009
Reputation: 1
RE: HTJ Log
Hi And Welcome to Techmonkeys.co.uk!

DeFogger
Download DeFogger by jpshortstuff from here & save it to your desktop.
  • Right click DeFogger then choose Run as Administrator Or you can double-click to run the tool
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK. If not reboot your PC
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.


Next


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
    [Image: gmer_zip.gif]
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
      [Image: GMER_thumb.jpg]
      Click the image to enlarge it
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any <--- ROOKIT entries
Please copy and paste the report into your Post.
Unanswered threads for 4 days will no longer be Helped

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here [Image: paypal.gif]
Send this user an email Visit this user's website Find all posts by this user
10-05-2010, 03:41 AM
Post: #3
wylantar Offline
Woolly Monkey
 		Posts: 3
Joined: May 2010
Reputation: 0
RE: HTJ Log
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-09 21:38:51
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\AARONG~1\LOCALS~1\Temp\axtdrpog.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xB9CEFCA2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9CEFD39]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xB9CEFC78]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB9CEFC8C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9CEFD4D]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9CEFD79]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB9CEFDE7]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB9CEFDD1]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xB9CEFDFD]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9CEFCE2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9CEFD25]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9CEFC14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9CEFC28]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB9CEFCB6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xB9CEFE51]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB9CEFDBB]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB9CEFDA5]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9CEFD63]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xB9CEFE3D]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xB9CEFE29]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xB9CEFC64]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB9CEFC50]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9CEFD8F]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9CEFD11]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xB9CEFE13]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9CEFCF8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9CEFCCC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504ABC 7 Bytes JMP B9CEFCD0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577F76 5 Bytes JMP B9CEFCA6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0E3E 7 Bytes JMP B9CEFCE6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B1C4C 5 Bytes JMP B9CEFCFC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B7222 7 Bytes JMP B9CEFCBA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CA160 5 Bytes JMP B9CEFC18 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CA3EC 5 Bytes JMP B9CEFC2C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CCBAA 5 Bytes JMP B9CEFC54 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFE96 7 Bytes JMP B9CEFC90 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805CFF4C 5 Bytes JMP B9CEFC7C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D0456 5 Bytes JMP B9CEFC68 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D1686 5 Bytes JMP B9CEFD15 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80620664 7 Bytes JMP B9CEFDA9 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 806209B2 5 Bytes JMP B9CEFE2D mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80620C6A 7 Bytes JMP B9CEFD93 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80620F32 7 Bytes JMP B9CEFE17 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 8062178C 7 Bytes JMP B9CEFDBF mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80621FE4 7 Bytes JMP B9CEFD67 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806225BE 5 Bytes JMP B9CEFD3D mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80622A5A 7 Bytes JMP B9CEFD51 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622C2A 7 Bytes JMP B9CEFD7D mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622E0A 7 Bytes JMP B9CEFDEB mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80623074 7 Bytes JMP B9CEFDD5 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80623960 5 Bytes JMP B9CEFD29 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80623CA0 7 Bytes JMP B9CEFE55 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwLoadKey2 80623F60 7 Bytes JMP B9CEFE01 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 806241C6 5 Bytes JMP B9CEFE41 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\iastor.sys entry point in ".rsrc" section [0xB9F08500]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB87A5000, 0x235297, 0xE8000020]
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xB6104760]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00790F9B
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00790090
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0079007F
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00790062
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00790047
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007900BC
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007900AB
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00790F59
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007900F2
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 0079010D
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00790FC0
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00790014
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00790F8A
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00790036
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00790025
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 007900D7
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00650FDE
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00650F9E
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0065002F
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00650FAF
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 0065005B
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 0065004A
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00640053
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!system 77C293C7 5 Bytes JMP 00640042
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00640027
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00640000
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00640FC8
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00640FE3
.text C:\WINDOWS\system32\svchost.exe[552] WININET.dll!InternetOpenW 771BAEED 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[552] WININET.dll!InternetOpenA 771C573E 5 Bytes JMP 0063000A
.text C:\WINDOWS\system32\svchost.exe[552] WININET.dll!InternetOpenUrlA 771C59F1 5 Bytes JMP 0063001B
.text C:\WINDOWS\system32\svchost.exe[552] WININET.dll!InternetOpenUrlW 771D5B3A 5 Bytes JMP 00630FD4
.text C:\WINDOWS\system32\svchost.exe[552] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0062000A
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01630FEF
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01630F70
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01630065
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0163004A
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01630039
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01630FA1
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0163008A
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01630F4E
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01630F02
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01630F1D
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 016300B6
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0163001E
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 01630FDE
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01630F5F
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01630FB2
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 01630FCD
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 0163009B
.text C:\WINDOWS\Explorer.EXE[560] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 015D0F95
.text C:\WINDOWS\Explorer.EXE[560] msvcrt.dll!system 77C293C7 5 Bytes JMP 015D0FA6
.text C:\WINDOWS\Explorer.EXE[560] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 015D0FC8
.text C:\WINDOWS\Explorer.EXE[560] msvcrt.dll!_open 77C2F566 5 Bytes JMP 015D0FEF
.text C:\WINDOWS\Explorer.EXE[560] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 015D0FB7
.text C:\WINDOWS\Explorer.EXE[560] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 015D000C
.text C:\WINDOWS\Explorer.EXE[560] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01620FCA
.text C:\WINDOWS\Explorer.EXE[560] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01620F7C
.text C:\WINDOWS\Explorer.EXE[560] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01620011
.text C:\WINDOWS\Explorer.EXE[560] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01620000
.text C:\WINDOWS\Explorer.EXE[560] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 01620F8D
.text C:\WINDOWS\Explorer.EXE[560] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 01620FEF
.text C:\WINDOWS\Explorer.EXE[560] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 01620F9E
.text C:\WINDOWS\Explorer.EXE[560] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [82, 89]
.text C:\WINDOWS\Explorer.EXE[560] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 01620FB9
.text C:\WINDOWS\Explorer.EXE[560] WININET.dll!InternetOpenW 771BAEED 5 Bytes JMP 015A0FDE
.text C:\WINDOWS\Explorer.EXE[560] WININET.dll!InternetOpenA 771C573E 5 Bytes JMP 015A0FEF
.text C:\WINDOWS\Explorer.EXE[560] WININET.dll!InternetOpenUrlA 771C59F1 5 Bytes JMP 015A0016
.text C:\WINDOWS\Explorer.EXE[560] WININET.dll!InternetOpenUrlW 771D5B3A 5 Bytes JMP 015A0027
.text C:\WINDOWS\Explorer.EXE[560] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01590000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[636] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[636] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00070076
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070F81
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00070F5C
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00070098
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00070F0B
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070F26
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 000700BF
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00070087
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[1180] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00070F41
.text C:\WINDOWS\system32\services.exe[1180] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[1180] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060051
.text C:\WINDOWS\system32\services.exe[1180] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[1180] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[1180] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00060F94
.text C:\WINDOWS\system32\services.exe[1180] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1180] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00060FA5
.text C:\WINDOWS\system32\services.exe[1180] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[1180] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[1180] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[1180] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050F92
.text C:\WINDOWS\system32\services.exe[1180] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FB7
.text C:\WINDOWS\system32\services.exe[1180] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[1180] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\services.exe[1180] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FD2
.text C:\WINDOWS\system32\services.exe[1180] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F6008A
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F60079
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00F60068
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00F60057
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00F60FAB
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F60F5D
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F60F6E
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F600CA
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F60F3B
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00F60F20
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00F60032
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00F60FDE
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00F600A5
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00F60FBC
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00F60FCD
.text C:\WINDOWS\system32\lsass.exe[1192] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00F60F4C
.text C:\WINDOWS\system32\lsass.exe[1192] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F50FDB
.text C:\WINDOWS\system32\lsass.exe[1192] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F50FA5
.text C:\WINDOWS\system32\lsass.exe[1192] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F5002C
.text C:\WINDOWS\system32\lsass.exe[1192] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F5001B
.text C:\WINDOWS\system32\lsass.exe[1192] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00F50FC0
.text C:\WINDOWS\system32\lsass.exe[1192] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\lsass.exe[1192] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 00F50062
.text C:\WINDOWS\system32\lsass.exe[1192] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00F50047
.text C:\WINDOWS\system32\lsass.exe[1192] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F4004C
.text C:\WINDOWS\system32\lsass.exe[1192] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F4003B
.text C:\WINDOWS\system32\lsass.exe[1192] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F40016
.text C:\WINDOWS\system32\lsass.exe[1192] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\lsass.exe[1192] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F40FC1
.text C:\WINDOWS\system32\lsass.exe[1192] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F40FD2
.text C:\WINDOWS\system32\lsass.exe[1192] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00D3000A
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00D300C7
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00D300AC
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00D3009B
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00D3008A
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00D30FDE
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00D300E9
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00D300D8
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D30129
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D30F86
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00D30F75
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00D30065
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00D30025
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00D30FB7
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00D3004A
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00D30104
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D20047
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D20FD4
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D20036
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D20011
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00D20FE5
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 00D2007D
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00D20062
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D10FE5
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D1003A
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D1000C
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D10055
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D1001D
.text C:\WINDOWS\system32\svchost.exe[1356] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D0000A
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A9008E
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A9007D
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A90FA3
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A90FC0
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A90FDB
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A90F52
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A90F6D
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A90F26
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A900BF
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00A900E4
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00A90062
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00A90011
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00A90F7E
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00A9003D
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00A9002C
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00A90F41
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A80FCA
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A80065
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A8001B
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A8000A
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00A8004A
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00A80FA8
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [C8, 88]
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00A80FB9
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A7003B
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A70FA6
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A70FD2
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A70FC1
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A70FE3
.text C:\WINDOWS\system32\svchost.exe[1436] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02420000
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02420F83
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02420F9E
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02420078
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02420051
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02420FC0
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 024200B5
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 024200A4
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 024200EB
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02420F52
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 02420F37
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 02420FAF
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0242001B
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 02420093
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 02420036
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 02420FE5
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 024200C6
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 021C0FE5
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 021C0FAF
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 021C002C
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 021C0011
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 021C0FC0
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 021C0000
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 021C0062
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 021C0051
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 021B0FA8
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!system 77C293C7 5 Bytes JMP 021B0FB9
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 021B0FD4
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!_open 77C2F566 5 Bytes JMP 021B0FEF
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 021B0029
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 021B000C
.text C:\WINDOWS\System32\svchost.exe[1476] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02190FEF
.text C:\WINDOWS\System32\svchost.exe[1476] WININET.dll!InternetOpenW 771BAEED 5 Bytes JMP 021A0FEF
.text C:\WINDOWS\System32\svchost.exe[1476] WININET.dll!InternetOpenA 771C573E 5 Bytes JMP 021A0000
.text C:\WINDOWS\System32\svchost.exe[1476] WININET.dll!InternetOpenUrlA 771C59F1 5 Bytes JMP 021A001B
.text C:\WINDOWS\System32\svchost.exe[1476] WININET.dll!InternetOpenUrlW 771D5B3A 5 Bytes JMP 021A0036
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00790F66
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0079005B
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00790F8D
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0079004A
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00790FA8
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00790F13
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00790F3A
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00790EDD
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00790076
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00790091
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00790039
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00790FD4
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00790F4B
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00790FB9
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 0079000A
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00790EF8
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0078002F
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00780076
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00780FDE
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0078000A
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00780065
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00780FCD
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [98, 88]
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00780054
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00770FB9
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!system 77C293C7 5 Bytes JMP 0077004E
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00770022
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00770033
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00770FDE
.text C:\WINDOWS\system32\svchost.exe[1548] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00710000
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0071005B
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00710F70
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00710F8D
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00710FA8
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00710FCA
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00710F24
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00710F4B
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00710F09
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007100A2
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 007100BD
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00710FB9
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00710FDB
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00710076
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00710036
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00710011
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!WinExec 7C86158D 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00710091
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00700025
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0070004A
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0070000A
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00700FD4
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00700F8D
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00700FEF
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00700F9E
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [90, 88]
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00700FAF
.text C:\WINDOWS\system32\svchost.exe[1660] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006F0F75
.text C:\WINDOWS\system32\svchost.exe[1660] msvcrt.dll!system 77C293C7 5 Bytes JMP 006F000A
.text C:\WINDOWS\system32\svchost.exe[1660] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006F0FB5
.text C:\WINDOWS\system32\svchost.exe[1660] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006F0FE3
.text C:\WINDOWS\system32\svchost.exe[1660] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006F0FA4
.text C:\WINDOWS\system32\svchost.exe[1660] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006F0FD2
.text C:\WINDOWS\system32\svchost.exe[1660] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B0078
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0F83
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B005D
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0036
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0025
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B00A4
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0F68
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B0F26
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B00B5
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001B0F15
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001B0093
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001B0F41
.text C:\WINDOWS\system32\wuauclt.exe[2128] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290027
.text C:\WINDOWS\system32\wuauclt.exe[2128] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290F9C
.text C:\WINDOWS\system32\wuauclt.exe[2128] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0029000C
.text C:\WINDOWS\system32\wuauclt.exe[2128] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\wuauclt.exe[2128] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290FAD
.text C:\WINDOWS\system32\wuauclt.exe[2128] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FD2
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A002C
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0073
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0011
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 002A0FB6
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 002A004E
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 002A003D
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00970000
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0097007B
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00970F7C
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00970F8D
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00970040
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00970FAF
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00970F44
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0097008C
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009700DD
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009700C2
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00970F1F
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00970F9E
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00970FE5
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00970F6B
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00970FCA
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00970011
.text C:\WINDOWS\system32\svchost.exe[2984] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 009700A7
.text C:\WINDOWS\system32\svchost.exe[2984] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00960022
.text C:\WINDOWS\system32\svchost.exe[2984] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00960F79
.text C:\WINDOWS\system32\svchost.exe[2984] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00960011
.text C:\WINDOWS\system32\svchost.exe[2984] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00960000
.text C:\WINDOWS\system32\svchost.exe[2984] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00960F8A
.text C:\WINDOWS\system32\svchost.exe[2984] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00960FE5
.text C:\WINDOWS\system32\svchost.exe[2984] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00960FA5
.text C:\WINDOWS\system32\svchost.exe[2984] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [B6, 88] {MOV DH, 0x88}
.text C:\WINDOWS\system32\svchost.exe[2984] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00960FB6
.text C:\WINDOWS\system32\svchost.exe[2984] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00950031
.text C:\WINDOWS\system32\svchost.exe[2984] msvcrt.dll!system 77C293C7 5 Bytes JMP 00950FA6
.text C:\WINDOWS\system32\svchost.exe[2984] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00950016
.text C:\WINDOWS\system32\svchost.exe[2984] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00950FE3
.text C:\WINDOWS\system32\svchost.exe[2984] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00950FC1
.text C:\WINDOWS\system32\svchost.exe[2984] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00950FD2
.text C:\WINDOWS\system32\svchost.exe[2984] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00940000
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00290000
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0029009A
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00290089
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00290FAF
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00290062
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00290036
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 002900BF
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00290F79
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 002900F5
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00290F5C
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00290F41
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00290051
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00290FE5
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00290F8A
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0029001B
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00290FCA
.text C:\WINDOWS\system32\dllhost.exe[3068] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 002900D0
.text C:\WINDOWS\system32\dllhost.exe[3068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00270FA3
.text C:\WINDOWS\system32\dllhost.exe[3068] msvcrt.dll!system 77C293C7 5 Bytes JMP 0027002E
.text C:\WINDOWS\system32\dllhost.exe[3068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00270FD2
.text C:\WINDOWS\system32\dllhost.exe[3068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00270FEF
.text C:\WINDOWS\system32\dllhost.exe[3068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0027001D
.text C:\WINDOWS\system32\dllhost.exe[3068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0027000C
.text C:\WINDOWS\system32\dllhost.exe[3068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00280FD4
.text C:\WINDOWS\system32\dllhost.exe[3068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0028006C
.text C:\WINDOWS\system32\dllhost.exe[3068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00280025
.text C:\WINDOWS\system32\dllhost.exe[3068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0028000A
.text C:\WINDOWS\system32\dllhost.exe[3068] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00280FB9
.text C:\WINDOWS\system32\dllhost.exe[3068] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00280FEF
.text C:\WINDOWS\system32\dllhost.exe[3068] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 0028005B
.text C:\WINDOWS\system32\dllhost.exe[3068] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00280040
.text C:\WINDOWS\system32\dllhost.exe[3068] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00790000
.text C:\Program Files\Mozilla Firefox\firefox.exe[3696] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\iastor \Device\Ide\iaStor0 [B9E77018] iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\iastor \Device\Ide\IAAStorageDevice-0 [B9E77018] iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat 96431C8A

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
Send this user an email Find all posts by this user
10-05-2010, 03:53 AM
Post: #4
Kenny94 Offline
Moderator
*****
 		Posts: 2,005
Joined: Jun 2009
Reputation: 1
RE: HTJ Log
Your PC has a rootkit that has replaced your ide driver iastor.sys file with malware. Lets see if we can replace the driver with a clean copy.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.
---------------------------------------------------------------------------------------------


  1. Download ComboFix from below:

    Combofix download


    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


    [Image: cfRC_screen_1.png]


    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    [Image: cfRC_screen_2.png]

    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
Unanswered threads for 4 days will no longer be Helped

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here [Image: paypal.gif]
Send this user an email Visit this user's website Find all posts by this user
10-05-2010, 04:09 AM (This post was last modified: 10-05-2010 04:15 AM by wylantar.)
Post: #5
wylantar Offline
Woolly Monkey
 		Posts: 3
Joined: May 2010
Reputation: 0
RE: HTJ Log
So I tried to download Combofix and somehow got a trojan instead.

McAfee has automatically blocked and removed a Trojan.

About this Trojan
Detected: Artemis!39DBF29FC3A9 (Trojan), Artemis!39DBF29FC3A9 (Trojan)
Location: C:\Documents and Settings\wylantar\Desktop\ComboFix.exe.part
Send this user an email Find all posts by this user
10-05-2010, 04:42 AM
Post: #6
Kenny94 Offline
Moderator
*****
 		Posts: 2,005
Joined: Jun 2009
Reputation: 1
RE: HTJ Log
You need to disable McAfee before you download combofix. Combofix is a tool we need for the TDSS rootkit. Help on disabling your protection programs at:

http://www.bleepingcomputer.com/forums/topic114351.html
Unanswered threads for 4 days will no longer be Helped

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here [Image: paypal.gif]
Send this user an email Visit this user's website Find all posts by this user
12-05-2010, 03:41 PM
Post: #7
Kenny94 Offline
Moderator
*****
 		Posts: 2,005
Joined: Jun 2009
Reputation: 1
RE: HTJ Log
You still need help?
Unanswered threads for 4 days will no longer be Helped

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here [Image: paypal.gif]
Send this user an email Visit this user's website Find all posts by this user
14-05-2010, 02:23 PM
Post: #8
Kenny94 Offline
Moderator
*****
 		Posts: 2,005
Joined: Jun 2009
Reputation: 1
RE: HTJ Log
Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Unanswered threads for 4 days will no longer be Helped

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here [Image: paypal.gif]
Send this user an email Visit this user's website Find all posts by this user
Thread Closed 


Forum Jump:


Contact Us | Techmonkeys.co.uk | Return to Top | Return to Content | Lite (Archive) Mode | RSS Syndication