
Solved Can not get rid of System Tools Virus!

Discussion in 'Malware and Virus Removal Archive' started by wksda623, 2010/12/26.

  1. 2010/12/26
    wksda623 (Thread Starter)
    [Resolved] Can not get rid of System Tools Virus!

    This virus will NOT let me do any downloads at all. All software on the computer now will not work. I had Malwarebytes installed but it will not work now, and I tried to download a newer version with NO success. The virus blocks all downloads that I try to do.


    David
     
  2. 2010/12/26
    wksda623 (Thread Starter)
    I finally got rid of the virus!! It is finally resolved.

    David
     


  4. 2010/12/26
    broni (Moderator, Malware Analyst)
    Do you still need your computer to be checked?
     
  5. 2010/12/26
    wksda623 (Thread Starter)
    Yes, that might be a good idea!

    David
     
  6. 2010/12/26
    broni (Moderator, Malware Analyst)
    Please, read this post, then post the requested log(s).

    Please, observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  7. 2010/12/27
    wksda623 (Thread Starter)
    I will perform a 100 percent virus scan tonight and will start with your instructions. This is an old, slow computer, so it will take a while.

    David
     
  8. 2010/12/27
    broni (Moderator, Malware Analyst)
    Ok.........
     
  9. 2010/12/28
    wksda623 (Thread Starter)
    Do I need to reinstall Malware to make sure I have a clean version, or can I use the one that is already on the computer once I do an update?

    I did do the virus scan last night, and no viruses were found according to McAfee.
    David
     
  10. 2010/12/28
    broni (Moderator, Malware Analyst)
    If you're referring to Malwarebytes, run it, click on the "Update" tab and see if there are any updates available.
     
  11. 2010/12/28
    wksda623 (Thread Starter)

    Ok, will do.
     
  12. 2010/12/28
    wksda623 (Thread Starter)
    I did update Malwarebytes, and no objects were infected. Now, to the next step.

    David
     
  13. 2010/12/28
    broni (Moderator, Malware Analyst)
    Ok...
     
  14. 2010/12/29
    wksda623 (Thread Starter)
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x038001fd

    Kernel Drivers (total 129):
     
  15. 2010/12/29
    wksda623 (Thread Starter)
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-29 20:28:01
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD1600JB-00GVA0 rev.08.02D08
    Running: gmer.exe; Driver: C:\DOCUME~1\WEELSL~1\LOCALS~1\Temp\kwlyypoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT 8A045338 ZwConnectPort

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9E970E0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9E970F4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9E97120]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9E97176]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9E970CC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9E970A4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9E970B8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9E9710A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9E9714C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9E97136]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9E971A0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9E9718C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9E97160]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 8050225C 7 Bytes JMP B9E97164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP B9E9717A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP B9E97190 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetSecurityObject 805B6040 5 Bytes JMP B9E97150 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP B9E970A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP B9E970BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP B9E971A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP B9E9713A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP B9E9710E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP B9E970E4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP B9E970F8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP B9E97124 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP B9E970D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    ---- User code sections - GMER 1.0.15 ----

     
  16. 2010/12/29
    wksda623 (Thread Starter)
     
  17. 2010/12/29
    wksda623

    wksda623 Inactive Thread Starter

    Joined:
    2009/01/21
    Messages:
    88
    Likes Received:
    0
    .text C:\WINNT\system32\svchost.exe[1536] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C3009D
    .text C:\WINNT\system32\svchost.exe[1536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C300B8
    .text C:\WINNT\system32\svchost.exe[1536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C30F15
    .text C:\WINNT\system32\svchost.exe[1536] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C30F04
    .text C:\WINNT\system32\svchost.exe[1536] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C30F9E
    .text C:\WINNT\system32\svchost.exe[1536] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C30000
    .text C:\WINNT\system32\svchost.exe[1536] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C30F66
    .text C:\WINNT\system32\svchost.exe[1536] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C30FB9
    .text C:\WINNT\system32\svchost.exe[1536] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C30FCA
    .text C:\WINNT\system32\svchost.exe[1536] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C30F30
    .text C:\WINNT\system32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C20036
    .text C:\WINNT\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C20FA5
    .text C:\WINNT\system32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C2001B
    .text C:\WINNT\system32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C2000A
    .text C:\WINNT\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C20062
    .text C:\WINNT\system32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C20FEF
    .text C:\WINNT\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C20FC0
    .text C:\WINNT\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E2, 88] {LOOP 0xffffffffffffff8a}
    .text C:\WINNT\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C20047
    .text C:\WINNT\system32\svchost.exe[1536] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C10049
    .text C:\WINNT\system32\svchost.exe[1536] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C10FC8
    .text C:\WINNT\system32\svchost.exe[1536] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C1001D
    .text C:\WINNT\system32\svchost.exe[1536] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C10FEF
    .text C:\WINNT\system32\svchost.exe[1536] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C1002E
    .text C:\WINNT\system32\svchost.exe[1536] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C1000C
    .text C:\WINNT\system32\svchost.exe[1536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C0000A
    .text C:\WINNT\System32\svchost.exe[1716] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0566000A
    .text C:\WINNT\System32\svchost.exe[1716] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 05660FDE
    .text C:\WINNT\System32\svchost.exe[1716] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 05660FEF
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 029A0FEF
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 029A0076
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 029A0F81
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 029A005B
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 029A0F9E
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 029A0025
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 029A0F4B
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 029A0F5C
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 029A00C9
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 029A0F30
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 029A00EE
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 029A0040
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 029A000A
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 029A0087
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 029A0FB9
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 029A0FD4
    .text C:\WINNT\System32\svchost.exe[1716] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 029A00AE
    .text C:\WINNT\System32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02990FB9
    .text C:\WINNT\System32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02990F9E
    .text C:\WINNT\System32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02990FD4
    .text C:\WINNT\System32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02990000
    .text C:\WINNT\System32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0299005B
    .text C:\WINNT\System32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02990FEF
    .text C:\WINNT\System32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02990040
    .text C:\WINNT\System32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02990025
    .text C:\WINNT\System32\svchost.exe[1716] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 021D0042
    .text C:\WINNT\System32\svchost.exe[1716] msvcrt.dll!system 77C293C7 5 Bytes JMP 021D0FB7
    .text C:\WINNT\System32\svchost.exe[1716] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 021D001D
    .text C:\WINNT\System32\svchost.exe[1716] msvcrt.dll!_open 77C2F566 5 Bytes JMP 021D0FEF
    .text C:\WINNT\System32\svchost.exe[1716] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 021D0FD2
    .text C:\WINNT\System32\svchost.exe[1716] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 021D0000
    .text C:\WINNT\System32\svchost.exe[1716] WS2_32.dll!socket 71AB4211 5 Bytes JMP 021C0000
    .text C:\WINNT\System32\svchost.exe[1716] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 021B0FEF
    .text C:\WINNT\System32\svchost.exe[1716] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 021B0FD4
    .text C:\WINNT\System32\svchost.exe[1716] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 021B0FC3
    .text C:\WINNT\System32\svchost.exe[1716] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 021B0FB2
    .text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1760] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\WINNT\system32\svchost.exe[1808] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00750000
    .text C:\WINNT\system32\svchost.exe[1808] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00750025
    .text C:\WINNT\system32\svchost.exe[1808] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00750FEF
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007D0FEF
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007D0080
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007D006F
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007D005E
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007D0043
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007D0FB2
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007D00AE
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007D0F66
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007D0F41
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007D00D0
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007D00EB
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007D0FA1
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007D0FDE
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007D0091
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007D0FC3
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007D0014
    .text C:\WINNT\system32\svchost.exe[1808] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007D00BF
    .text C:\WINNT\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00780FCA
    .text C:\WINNT\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0078003D
    .text C:\WINNT\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00780FDB
    .text C:\WINNT\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00780011
    .text C:\WINNT\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00780F80
    .text C:\WINNT\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00780000
    .text C:\WINNT\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0078002C
    .text C:\WINNT\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00780FA5
    .text C:\WINNT\system32\svchost.exe[1808] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0077003D
    .text C:\WINNT\system32\svchost.exe[1808] msvcrt.dll!system 77C293C7 5 Bytes JMP 00770022
    .text C:\WINNT\system32\svchost.exe[1808] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00770FCD
    .text C:\WINNT\system32\svchost.exe[1808] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00770FEF
    .text C:\WINNT\system32\svchost.exe[1808] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00770FB2
    .text C:\WINNT\system32\svchost.exe[1808] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00770FDE
    .text C:\WINNT\system32\svchost.exe[1808] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00760FEF
    .text C:\WINNT\system32\svchost.exe[2220] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B60FEF
    .text C:\WINNT\system32\svchost.exe[2220] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B60FCA
    .text C:\WINNT\system32\svchost.exe[2220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FEF
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F5C
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F6D
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0047
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0F94
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FAF
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0F30
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0082
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD00A7
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0F04
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD00B8
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0036
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0000
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F4B
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD001B
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0FCA
    .text C:\WINNT\system32\svchost.exe[2220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F15
    .text C:\WINNT\system32\svchost.exe[2220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC005B
    .text C:\WINNT\system32\svchost.exe[2220] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0FAF
    .text C:\WINNT\system32\svchost.exe[2220] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0040
    .text C:\WINNT\system32\svchost.exe[2220] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC001B
    .text C:\WINNT\system32\svchost.exe[2220] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0FC0
    .text C:\WINNT\system32\svchost.exe[2220] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0000
    .text C:\WINNT\system32\svchost.exe[2220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BC0FE5
    .text C:\WINNT\system32\svchost.exe[2220] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DC, 88]
    .text C:\WINNT\system32\svchost.exe[2220] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC006C
    .text C:\WINNT\system32\svchost.exe[2220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB008B
    .text C:\WINNT\system32\svchost.exe[2220] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0070
     
  18. 2010/12/29
    wksda623

    wksda623 Inactive Thread Starter

    Joined:
    2009/01/21
    Messages:
    88
    Likes Received:
    0
    .text C:\WINNT\system32\svchost.exe[2220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0044
    .text C:\WINNT\system32\svchost.exe[2220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0000
    .text C:\WINNT\system32\svchost.exe[2220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0055
    .text C:\WINNT\system32\svchost.exe[2220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0029
    .text C:\WINNT\system32\wuauclt.exe[2788] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
    .text C:\WINNT\system32\wuauclt.exe[2788] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090022
    .text C:\WINNT\system32\wuauclt.exe[2788] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090011
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C000A
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0065
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0054
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F86
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0F97
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FC3
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F27
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F44
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C00B6
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C00A5
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0F02
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0FA8
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FEF
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F55
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FDE
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C002F
    .text C:\WINNT\system32\wuauclt.exe[2788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0094
    .text C:\WINNT\system32\wuauclt.exe[2788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0FAD
    .text C:\WINNT\system32\wuauclt.exe[2788] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0038
    .text C:\WINNT\system32\wuauclt.exe[2788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FD2
    .text C:\WINNT\system32\wuauclt.exe[2788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0FEF
    .text C:\WINNT\system32\wuauclt.exe[2788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0027
    .text C:\WINNT\system32\wuauclt.exe[2788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B000C
    .text C:\WINNT\system32\wuauclt.exe[2788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C001B
    .text C:\WINNT\system32\wuauclt.exe[2788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0058
    .text C:\WINNT\system32\wuauclt.exe[2788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C000A
    .text C:\WINNT\system32\wuauclt.exe[2788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0FDE
    .text C:\WINNT\system32\wuauclt.exe[2788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0047
    .text C:\WINNT\system32\wuauclt.exe[2788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0FEF
    .text C:\WINNT\system32\wuauclt.exe[2788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002C0FA5
    .text C:\WINNT\system32\wuauclt.exe[2788] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4C, 88]
    .text C:\WINNT\system32\wuauclt.exe[2788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C002C
    .text C:\WINNT\Explorer.EXE[2852] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01680FEF
    .text C:\WINNT\Explorer.EXE[2852] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01680FD4
    .text C:\WINNT\Explorer.EXE[2852] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0168000A
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01710000
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01710056
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01710F6B
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01710F7C
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01710F97
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01710FC3
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0171007D
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01710F2B
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01710EF5
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01710F10
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 017100B3
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01710FB2
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0171001B
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01710F46
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01710FD4
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01710FE5
    .text C:\WINNT\Explorer.EXE[2852] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0171008E
    .text C:\WINNT\Explorer.EXE[2852] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01700011
    .text C:\WINNT\Explorer.EXE[2852] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01700062
    .text C:\WINNT\Explorer.EXE[2852] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01700FC0
    .text C:\WINNT\Explorer.EXE[2852] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01700000
    .text C:\WINNT\Explorer.EXE[2852] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01700FA5
    .text C:\WINNT\Explorer.EXE[2852] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01700FE5
    .text C:\WINNT\Explorer.EXE[2852] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01700047
    .text C:\WINNT\Explorer.EXE[2852] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0170002C
    .text C:\WINNT\Explorer.EXE[2852] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 016F0FA6
    .text C:\WINNT\Explorer.EXE[2852] msvcrt.dll!system 77C293C7 5 Bytes JMP 016F0FC1
    .text C:\WINNT\Explorer.EXE[2852] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 016F0FD2
    .text C:\WINNT\Explorer.EXE[2852] msvcrt.dll!_open 77C2F566 5 Bytes JMP 016F0FEF
    .text C:\WINNT\Explorer.EXE[2852] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 016F0031
    .text C:\WINNT\Explorer.EXE[2852] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 016F000C
    .text C:\WINNT\Explorer.EXE[2852] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01690FEF
    .text C:\WINNT\Explorer.EXE[2852] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0169000A
    .text C:\WINNT\Explorer.EXE[2852] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01690FDE
    .text C:\WINNT\Explorer.EXE[2852] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 01690FC3
    .text C:\WINNT\Explorer.EXE[2852] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01DB0000

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[520] @ C:\WINNT\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
    IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[520] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004077A0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[2852] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000c41e2382b
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000c41e2382b (not active ControlSet)

    ---- EOF - GMER 1.0.15 ----
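The `.text` lines in the log above are GMER's list of user-mode inline hooks: the first bytes of an exported API (NtCreateFile, CreateProcessW, LoadLibraryA, RegOpenKeyExW, socket, InternetOpenA, ...) have been overwritten with a JMP. For the McAfee processes GMER names the module the JMP lands in (mcproxy.dll, with a vendor string), while the svchost.exe, wuauclt.exe and Explorer.EXE entries jump to low addresses such as 00BF0FEF with no module name, meaning the hook code lives in anonymous memory no loaded DLL owns. Hooks of that kind on file creation, process creation, the loader, the registry and the network APIs are how a rogue stops downloads and keeps cleanup tools from starting. The following is an added example, not code from this thread or from GMER, that parses those lines and groups the hooks per process, separating attributed from unattributed ones. The API-family grouping is my own, and the sample input is a handful of lines copied from the log above.

```python
"""Triage the 'User code sections' block of a GMER log (added example)."""
import re
from collections import defaultdict

# .text <image>[<pid>] <module>!<export>[ + off] <addr> <n> Byte(s) <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+(?:\s\+\s\d+)?)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+)\s+Bytes?\s+(?P<patch>.*)$",
    re.IGNORECASE,
)
# "JMP 62419A20 C:\path\x.dll (Description/Vendor)" or a bare "JMP 00BF0FEF"
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<owner>[A-Z]:\\.+?)\s+\((?P<desc>.*)\))?\s*$",
    re.IGNORECASE,
)

# My grouping of the export names seen in the log, not a GMER classification.
FAMILIES = {
    "process": {"NtCreateProcess", "CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem"},
    "file": {"NtCreateFile", "CreateFileA", "CreateFileW", "_open", "_wopen", "_creat", "_wcreat"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"},
    "memory": {"NtProtectVirtualMemory", "VirtualProtect", "VirtualProtectEx"},
    "registry": {"RegOpenKeyA", "RegOpenKeyW", "RegOpenKeyExA", "RegOpenKeyExW",
                 "RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW"},
    "network": {"socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW"},
    "ipc": {"CreatePipe", "CreateNamedPipeA", "CreateNamedPipeW"},
}


def parse_hooks(log_text):
    """One dict per `.text` line; every other line of the log is ignored."""
    hooks = []
    for raw in log_text.splitlines():
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["nbytes"] = int(h["nbytes"])
        j = JMP_RE.match(h.pop("patch"))
        if j is None:
            # raw bytes such as "[E2, 88]": the tail of a hook GMER printed in two parts
            h["kind"] = "patch"
            h["target"] = h["owner"] = h["desc"] = None
        else:
            h["target"] = int(j.group("target"), 16)
            h["owner"] = j.group("owner")      # module path GMER resolved, or None
            h["desc"] = j.group("desc")
            h["kind"] = "attributed" if h["owner"] else "unattributed"
        h["export"] = h["export"].split(" +")[0]   # "RegCreateKeyW + 3" -> "RegCreateKeyW"
        hooks.append(h)
    return hooks


def summarize(hooks):
    """Per process: counts by kind, API families hit by unattributed hooks,
    and the 64 KiB regions those hooks jump into (one per injected blob)."""
    summary = defaultdict(lambda: {"attributed": 0, "unattributed": 0, "patch": 0,
                                   "families": set(), "regions": set()})
    for h in hooks:
        s = summary[f'{h["image"]}[{h["pid"]}]']
        s[h["kind"]] += 1
        if h["kind"] == "unattributed":
            s["regions"].add(h["target"] & 0xFFFF0000)
            for fam, names in FAMILIES.items():
                if h["export"] in names:
                    s["families"].add(fam)
    return dict(summary)


def suspicious(summary):
    """Processes carrying at least one hook GMER could not tie to a module."""
    return sorted(p for p, s in summary.items() if s["unattributed"])


# Constructed sample: lines copied from the GMER log posted in this thread.
SAMPLE = r"""
.text C:\WINNT\system32\svchost.exe[1536] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BF0FEF
.text C:\WINNT\system32\svchost.exe[1536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C300B8
.text C:\WINNT\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C20FC0
.text C:\WINNT\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E2, 88] {LOOP 0xffffffffffffff8a}
.text C:\WINNT\system32\svchost.exe[1536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C0000A
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINNT\Explorer.EXE[2852] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01690FEF
"""

if __name__ == "__main__":
    report = summarize(parse_hooks(SAMPLE))
    for proc in suspicious(report):
        s = report[proc]
        print(f"{proc}: {s['unattributed']} unattributed hook(s) in "
              f"{len(s['regions'])} region(s); families: {sorted(s['families'])}")
```

Run it over a full log (`parse_hooks(open("gmer.log").read())`) and the processes listed by `suspicious()` are the ones to hand to the analyst first; a hook that resolves to a named, vendor-signed module is normal for security software, an unresolved one is not. The region count is a cheap hint about how many separate code blobs were injected into a process.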
     
  19. 2010/12/29
    wksda623

    wksda623 Inactive Thread Starter

    Joined:
    2009/01/21
    Messages:
    88
    Likes Received:
    0
    How do I disable any script blocking protection?

    David
     
  20. 2010/12/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Do you use Spybot, or Windows Defender?

    Also, MBRCheck log is incomplete. Please, repost.
     
  21. 2010/12/29
    wksda623

    wksda623 Inactive Thread Starter

    Joined:
    2009/01/21
    Messages:
    88
    Likes Received:
    0
    I use Microsoft Security Essentials now. Will repost MBR check.

    David
     
