Guest is off and only my user is listed.
GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-17 09:55:56
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwWriteVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!ZwYieldExecution 804F8B8D 7 Bytes JMP B4F2E5BF \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwOpenKey 80567CFB 5 Bytes JMP B4F2E4EB \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwCreateKey 8056E7A9 5 Bytes JMP B4F2E4FF \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtCreateFile 8056FBF8 5 Bytes JMP B4F2E57F \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80571EF1 5 Bytes JMP B4F2E5EA \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwSetValueKey 80573C8D 7 Bytes JMP B4F2E555 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteValueKey 80593AAC 7 Bytes JMP B4F2E53F \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteKey 80595136 7 Bytes JMP B4F2E513 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwCreateProcess 805B0AA4 5 Bytes JMP B4F2E5AB \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwRenameKey 8064D02D 7 Bytes JMP B4F2E529 \SystemRoot\system32\drivers\mfehidk.sys
.text tcpip.sys!IPTransmit + 10BC B7321CFA 6 Bytes CALL F7435E50 Teefer.sys
.text tcpip.sys!IPTransmit + 2810 B732344E 6 Bytes CALL F7435E50 Teefer.sys
.text tcpip.sys!ARPRcv + 506D B73284E0 6 Bytes CALL F7435E50 Teefer.sys
.text wanarp.sys F76BC3FD 4 Bytes CALL F7435FA0 Teefer.sys
.text wanarp.sys F76BC402 2 Bytes [ 90, 90 ]
---- User code sections - GMER 1.0.12 ----
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C50000
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C5004A
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C50F55
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C50F66
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C50F83
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C50025
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C50F2E
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C50076
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C500AC
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C5009B
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00C500C7
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00C50F9E
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00C50FDB
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00C50065
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00C50FB9
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00C50FCA
.text C:\WINDOWS\system32\svchost.exe[428] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00C50F1D
.text C:\WINDOWS\system32\svchost.exe[428] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00C4002C
.text C:\WINDOWS\system32\svchost.exe[428] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00C40FAC
.text C:\WINDOWS\system32\svchost.exe[428] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00C4001B
.text C:\WINDOWS\system32\svchost.exe[428] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\system32\svchost.exe[428] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00C40069
.text C:\WINDOWS\system32\svchost.exe[428] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00C40058
.text C:\WINDOWS\system32\svchost.exe[428] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[428] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00C4003D
.text C:\WINDOWS\system32\svchost.exe[428] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FB0F5E
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FB0F6F
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FB0047
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FB0F94
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FB0FA5
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FB0F32
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FB0F43
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FB0F17
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FB00B0
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00FB0F06
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00FB0036
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00FB0FDB
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00FB006E
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00FB001B
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00FB0FCA
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00FB0095
.text C:\WINDOWS\system32\services.exe[656] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 009A0047
.text C:\WINDOWS\system32\services.exe[656] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 009A0FB9
.text C:\WINDOWS\system32\services.exe[656] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 009A0036
.text C:\WINDOWS\system32\services.exe[656] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 009A001B
.text C:\WINDOWS\system32\services.exe[656] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 009A0FCA
.text C:\WINDOWS\system32\services.exe[656] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 009A0FDB
.text C:\WINDOWS\system32\services.exe[656] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\services.exe[656] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 009A0062
.text C:\WINDOWS\system32\services.exe[656] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00970FEF
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B50F8D
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B50FB2
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B50FC3
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B50080
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B50040
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B500CB
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B500AE
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B50F5E
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B500F7
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00B5011C
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00B5005B
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00B5001B
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00B5009D
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00B50FDE
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00B500DC
.text C:\WINDOWS\system32\lsass.exe[668] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B40FDB
.text C:\WINDOWS\system32\lsass.exe[668] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B40FA8
.text C:\WINDOWS\system32\lsass.exe[668] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B4002C
.text C:\WINDOWS\system32\lsass.exe[668] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B4001B
.text C:\WINDOWS\system32\lsass.exe[668] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B40FB9
.text C:\WINDOWS\system32\lsass.exe[668] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B40051
.text C:\WINDOWS\system32\lsass.exe[668] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B4000A
.text C:\WINDOWS\system32\lsass.exe[668] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B40FCA
.text C:\WINDOWS\system32\lsass.exe[668] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008E0000
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008E003D
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008E0F52
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008E0F6F
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008E0F8A
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008E0FAF
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008E006B
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008E005A
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008E0F01
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008E0F12
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008E0EE6
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 008E002C
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 008E0FE5
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 008E0F23
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 008E0011
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 008E0FC0
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008E0086
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 008D0036
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 008D0073
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 008D0025
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 008D0FB6
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 008D0058
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 008D0000
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 008D0047
.text C:\WINDOWS\system32\svchost.exe[820] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00890FEF
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A40F70
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A40F8B
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A40065
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A40054
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A4001E
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A40F2E
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A40F3F
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A400B3
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A400A2
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A40EFF
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A40043
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A40FDE
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A40076
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A40FB2
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A40FCD
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A40087
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A30FD4
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A30076
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A30FE5
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A30011
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A30FB9
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A3005B
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A30000
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A3004A
.text C:\WINDOWS\system32\svchost.exe[864] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02040000
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02040F77
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0204006C
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02040F94
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02040FA5
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0204002C
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02040F50
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02040098
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02040EFF
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02040F1A
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 020400BD
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 02040047
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 02040FE5
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0204007D
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 02040FCA
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 0204001B
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 02040F2B
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02030051
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02030FC3
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02030040
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0203001B
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02030076
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 02030FD4
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02030000
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02030FE5
.text C:\WINDOWS\system32\svchost.exe[972] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02000FEF
.text C:\WINDOWS\system32\svchost.exe[972] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 02010FEF
.text C:\WINDOWS\system32\svchost.exe[972] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 02010000
.text C:\WINDOWS\system32\svchost.exe[972] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 02010FD4
.text C:\WINDOWS\system32\svchost.exe[972] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 0201002F
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008F0FEF
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008F0079
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008F0F84
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008F005E
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008F0FA1
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008F0028
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008F009B
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008F008A
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008F00AC
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008F0F13
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008F0F02
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 008F0043
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 008F0FDE
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 008F0F69
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 008F0FBC
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 008F0FCD
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008F0F38
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 008E0FCD
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 008E0054
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 008E001E
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 008E0FDE
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 008E0039
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 008E0F97
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 008E0FEF
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 008E0FB2
.text C:\WINDOWS\system32\svchost.exe[1140] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 008C0000
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B1000A
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B10F69
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B10F7A
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B10F8B
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B10054
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B10FC3
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B10F3D
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B10F4E
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B100CC
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B100B1
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00B100E7
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00B10FB2
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00B1001B
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00B10079
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00B10FD4
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00B10FE5
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00B100A0
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B00FC7
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B00F94
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B00022
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B00011
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B00051
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B00FA5
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B00000
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B00FB6
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00AD0FEF
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 00AE0000
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 00AE0011
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 00AE0022
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 00AE0FD1
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01F0000A
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01F00F77
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01F00F88
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01F00FA5
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01F00FC0
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01F00FDB
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01F00098
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01F00087
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01F00F10
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01F00F2B
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01F00EFF
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01F00062
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01F0001B
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01F00F66
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01F00047
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01F0002C
.text C:\WINDOWS\explorer.exe[1544] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01F000A9
.text C:\WINDOWS\explorer.exe[1544] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01EF0047
.text C:\WINDOWS\explorer.exe[1544] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01EF0FA5
.text C:\WINDOWS\explorer.exe[1544] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01EF002C
.text C:\WINDOWS\explorer.exe[1544] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01EF0011
.text C:\WINDOWS\explorer.exe[1544] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01EF0FB6
.text C:\WINDOWS\explorer.exe[1544] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01EF0FD1
.text C:\WINDOWS\explorer.exe[1544] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01EF0000
.text C:\WINDOWS\explorer.exe[1544] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01EF0058
.text C:\WINDOWS\explorer.exe[1544] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 01DB0FE5
.text C:\WINDOWS\explorer.exe[1544] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 01DB0000
.text C:\WINDOWS\explorer.exe[1544] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 01DB0FCA
.text C:\WINDOWS\explorer.exe[1544] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 01DB0011
.text C:\WINDOWS\explorer.exe[1544] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01DA0000
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008E0000
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008E005B
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008E0F70
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008E004A
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008E0F8D
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008E0FB9
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008E0F13
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008E0F30
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008E009B
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008E008A
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008E0EDD
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 008E0F9E
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 008E0011
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 008E0F4B
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 008E0FCA
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 008E0FDB
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008E0F02
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 008D0FB9
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 008D0051
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 008D0FCA
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 008D0000
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 008D0040
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 008D0F94
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 008D001B
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B0F63
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0F7E
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0058
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0FA5
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0047
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B007F
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0F37
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B0EFE
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B00A1
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001B00BC
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001B0FB6
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001B0F52
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001B0036
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3244] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001B0090
.text C:\WINDOWS\system32\wuauclt.exe[3244] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\system32\wuauclt.exe[3244] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 002A006F
.text C:\WINDOWS\system32\wuauclt.exe[3244] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 002A001B
.text C:\WINDOWS\system32\wuauclt.exe[3244] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3244] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 002A004A
.text C:\WINDOWS\system32\wuauclt.exe[3244] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 002A0FA8
.text C:\WINDOWS\system32\wuauclt.exe[3244] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\wuauclt.exe[3244] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 002A0FB9
.text C:\WINDOWS\system32\wuauclt.exe[3244] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 002C0FE5
---- Devices - GMER 1.0.12 ----
Device \Driver\MPFP \Device\MPFP IRP_MJ_CREATE [BAED9220] wpsdrvnt.sys
Device \Driver\MPFP \Device\MPFP IRP_MJ_CLOSE [BAED9480] wpsdrvnt.sys
Device \Driver\MPFP \Device\MPFP IRP_MJ_DEVICE_CONTROL [BAED95A0] wpsdrvnt.sys
Device \Driver\MPFP \Device\MPFP IRP_MJ_INTERNAL_DEVICE_CONTROL [B742885A] avgtdi.sys
---- Registry - GMER 1.0.12 ----
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
---- Files - GMER 1.0.12 ----
ADS C:\Documents and Settings\OAdministrator.JT-M513JGE5N067\SendTo\Mail Recipient.MAPIMail:SummaryInformation
ADS C:\Documents and Settings\OAdministrator.JT-M513JGE5N067\SendTo\Mail Recipient.MAPIMail:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Pere.DADS.002\Favorites\McAfee :favicon
---- EOF - GMER 1.0.12 ----
Logfile of HijackThis v1.99.1
Scan saved at 10:06:32 AM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\CPal\CPal.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\CachemanXP\CachemanXP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - Startup: Cookie Pal.lnk = C:\Program Files\CPal\CPal.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} -