Win32.TDSS.rtk help please!



sdfdesign
2009-09-29, 16:05
I have followed the instructions from your thread http://forums.spybot.info/showthread.php?t=288

and have installed "ERUNT" and spybot S&D (disabled the teatimer and ran a scan in advanced mode)...attached is a .pdf of the notepad log report. Please help me remove this trojan once and for all...I've run autoruns and McAfee in safe and normal modes and it continues to "remove" it but it continues to return. The most obvious side effect I've noticed by the presence of this trojan is that my search result links are hijacked and that is about it (that I know about). Any help with the removal and preventative measures for the future is greatly appreciated.
Thanks...will you email me how to find your responses...I'm a first time poster.
sdfdesign

shelf life
2009-10-03, 01:14
hi sdfdesign

You are missing part of the instruction requirements: namely a HJT log. We can get that later. You have a root kit on board. Your log is also a few days old. If you still need help removing it simply reply to the post using the add reply button.

sdfdesign
2009-10-06, 02:42
Thank you Shelf Life for your reply...I do still need help...not sure how to go about getting an HJT log? sorry fairly new to this.

sdfdesign
2009-10-06, 02:46
here is the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:34 PM, on 10/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: CutePDF Form Filler - {D41289F2-69C6-417B-897E-C653D677CBAF} - C:\Program Files\Acro Software\CutePDF Pro\CPFillerCo.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://searcher.apticonline.com
O15 - Trusted Zone: owa.fnf.com
O15 - Trusted Zone: http://*.metrolist.net
O15 - Trusted Zone: http://*.rapmls.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142701539015
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 5756 bytes

shelf life
2009-10-06, 03:10
hi sdfdesign,

ok. We will get a download to use. It's called Combofix. There is a guide to read first which will explain some things. Read through the guide, download combofix to your desktop. Disable your AV and antimalware as explained in the guide. Double click the icon and follow the prompts. Post the combofix log in your reply.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

sdfdesign
2009-10-06, 03:11
okay, thanks for your help too

sdfdesign
2009-10-06, 03:58
ComboFix 09-10-04.01 - Owner 10/05/2009 18:43.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.194 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\rotscxwydkrviu.sys
c:\windows\system32\rotscxbymbpjwm.dat
c:\windows\system32\rotscxkbeecxdk.dll
c:\windows\system32\rotscxugfqxmfv.dat
c:\windows\system32\rotscxvpykrirp.dll
c:\windows\system32\rotscxyxwmnmpf.dll
c:\windows\system32\twain.dll
c:\windows\wpd99.drv

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_rotscxrtuyrwbw
-------\Legacy_rotscxrtuyrwbw


((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-09-29 13:29 . 2009-09-29 13:29 -------- d-----w- c:\program files\ERUNT
2009-09-29 10:22 . 2009-09-29 10:22 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-09-29 10:07 . 2009-09-29 10:07 -------- d-----w- C:\Autoruns
2009-09-29 02:02 . 2009-09-29 02:02 -------- d-----w- c:\documents and settings\Owner\.housecall6.6
2009-09-25 13:23 . 2009-09-25 13:23 38 ----a-w- c:\windows\system32\DELCPL.BAT
2009-09-25 04:18 . 2009-09-25 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-25 04:18 . 2009-09-29 02:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-24 11:06 . 2009-09-24 11:06 -------- d-----w- c:\program files\Trend Micro
2009-09-14 02:29 . 2009-09-14 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-14 02:29 . 2009-09-14 02:29 -------- d-----w- c:\program files\McAfee Security Scan
2009-09-09 13:22 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 11:55 . 2007-06-10 01:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-26 12:18 . 2006-03-15 02:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-25 13:26 . 2006-03-21 21:21 -------- d-----w- c:\program files\pdf995
2009-09-25 13:25 . 2006-03-15 03:17 -------- d-----w- c:\program files\Google
2009-09-25 13:24 . 2007-02-24 19:31 -------- d-----w- c:\program files\Microsoft SQL Server
2009-09-15 09:40 . 2009-05-06 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-14 02:32 . 2006-03-19 21:46 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-07 08:17 . 2006-03-15 02:41 -------- d-----w- c:\program files\Intel
2009-08-05 09:01 . 2003-07-16 20:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-07-16 20:24 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 19:21 . 2004-08-04 07:56 233472 ------w- c:\windows\system32\wmpdxm.dll
2007-06-08 11:08 . 2007-06-08 11:08 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/28/2008 6:01 PM 210216]
.
Contents of the 'Scheduled Tasks' folder

2008-08-26 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-26 17:53]

2008-08-26 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-26 17:53]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: apticonline.com\searcher
Trusted Zone: fnf.com\owa
Trusted Zone: metrolist.net
Trusted Zone: rapmls.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys
AddRemove-HijackThis - c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8N3Z2O1X\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 18:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2009-10-06 18:56
ComboFix-quarantined-files.txt 2009-10-06 01:56

Pre-Run: 69,227,794,432 bytes free
Post-Run: 69,363,691,520 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

121 --- E O F --- 2009-09-09 13:32

shelf life
2009-10-06, 22:49
hi,

ok so far so good. We will get another download to use which you can keep and use as an anti-malware app. Link and directions:

Please download Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer for the fix to continue*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
NOTE: The free version must be updated manually.

sdfdesign
2009-10-07, 04:30
that was a fun 2 hours+...k what's up next
:)

Malwarebytes' Anti-Malware 1.41
Database version: 2916
Windows 5.1.2600 Service Pack 3

10/6/2009 7:23:51 PM
mbam-log-2009-10-06 (19-23-51).txt

Scan type: Full Scan (A:\|C:\|D:\|F:\|G:\|H:\|I:\|)
Objects scanned: 194439
Time elapsed: 2 hour(s), 22 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxvpykrirp.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{247C22C5-4207-4437-945C-BA5F880C3C88}\RP0\A0000004.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{247C22C5-4207-4437-945C-BA5F880C3C88}\RP1\A0000055.sys (Worm.Agent) -> Quarantined and deleted successfully.

shelf life
2009-10-08, 01:32
hi sdfdesign

ok looks good. You can get one more tool to use as a check then we should be all done. this scan should go a lot quicker...

Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

sdfdesign
2009-10-08, 03:34
the volume I: mentioned below is a portable hard drive...btw


ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/07 18:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF639000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8BEC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE83A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume I:\
Status: MBR Rootkit Detected!

Path: Volume I:\, Sector 1
Status: Sector mismatch

Path: Volume I:\, Sector 2
Status: Sector mismatch

Path: Volume I:\, Sector 3
Status: Sector mismatch

Path: Volume I:\, Sector 4
Status: Sector mismatch

Path: Volume I:\, Sector 5
Status: Sector mismatch

Path: Volume I:\, Sector 6
Status: Sector mismatch

Path: Volume I:\, Sector 7
Status: Sector mismatch

Path: Volume I:\, Sector 8
Status: Sector mismatch

Path: Volume I:\, Sector 9
Status: Sector mismatch

Path: Volume I:\, Sector 10
Status: Sector mismatch

Path: Volume I:\, Sector 11
Status: Sector mismatch

Path: Volume I:\, Sector 12
Status: Sector mismatch

Path: Volume I:\, Sector 13
Status: Sector mismatch

Path: Volume I:\, Sector 14
Status: Sector mismatch

Path: Volume I:\, Sector 15
Status: Sector mismatch

Path: Volume I:\, Sector 16
Status: Sector mismatch

Path: Volume I:\, Sector 17
Status: Sector mismatch

Path: Volume I:\, Sector 18
Status: Sector mismatch

Path: Volume I:\, Sector 19
Status: Sector mismatch

Path: Volume I:\, Sector 20
Status: Sector mismatch

Path: Volume I:\, Sector 21
Status: Sector mismatch

Path: Volume I:\, Sector 22
Status: Sector mismatch

Path: Volume I:\, Sector 23
Status: Sector mismatch

Path: Volume I:\, Sector 24
Status: Sector mismatch

Path: Volume I:\, Sector 25
Status: Sector mismatch

Path: Volume I:\, Sector 26
Status: Sector mismatch

Path: Volume I:\, Sector 27
Status: Sector mismatch

Path: Volume I:\, Sector 28
Status: Sector mismatch

Path: Volume I:\, Sector 29
Status: Sector mismatch

Path: Volume I:\, Sector 30
Status: Sector mismatch

Path: Volume I:\, Sector 31
Status: Sector mismatch

Path: Volume I:\, Sector 32
Status: Sector mismatch

Path: Volume I:\, Sector 33
Status: Sector mismatch

Path: Volume I:\, Sector 34
Status: Sector mismatch

Path: Volume I:\, Sector 35
Status: Sector mismatch

Path: Volume I:\, Sector 36
Status: Sector mismatch

Path: Volume I:\, Sector 37
Status: Sector mismatch

Path: Volume I:\, Sector 38
Status: Sector mismatch

Path: Volume I:\, Sector 39
Status: Sector mismatch

Path: Volume I:\, Sector 40
Status: Sector mismatch

Path: Volume I:\, Sector 41
Status: Sector mismatch

Path: Volume I:\, Sector 42
Status: Sector mismatch

Path: Volume I:\, Sector 43
Status: Sector mismatch

Path: Volume I:\, Sector 44
Status: Sector mismatch

Path: Volume I:\, Sector 45
Status: Sector mismatch

Path: Volume I:\, Sector 46
Status: Sector mismatch

Path: Volume I:\, Sector 47
Status: Sector mismatch

Path: Volume I:\, Sector 48
Status: Sector mismatch

Path: Volume I:\, Sector 49
Status: Sector mismatch

Path: Volume I:\, Sector 50
Status: Sector mismatch

Path: Volume I:\, Sector 51
Status: Sector mismatch

Path: Volume I:\, Sector 52
Status: Sector mismatch

Path: Volume I:\, Sector 53
Status: Sector mismatch

Path: Volume I:\, Sector 54
Status: Sector mismatch

Path: Volume I:\, Sector 55
Status: Sector mismatch

Path: Volume I:\, Sector 56
Status: Sector mismatch

Path: Volume I:\, Sector 57
Status: Sector mismatch

Path: Volume I:\, Sector 58
Status: Sector mismatch

Path: Volume I:\, Sector 59
Status: Sector mismatch

Path: Volume I:\, Sector 60
Status: Sector mismatch

Path: Volume I:\, Sector 61
Status: Sector mismatch

Path: Volume I:\, Sector 62
Status: Sector mismatch

==EOF==

shelf life
2009-10-08, 04:24
Rootrepeal scanned your computer's fixed drive also?
Did you have Malwarebytes scan your portable drive? Some malware can spread to usb/portable drives.
Please check Malwarebytes for updates then have it scan your portable drive, which you would check as an option before the Malwarebytes run. Post the log.

For the rootkit:

Please download MBR.exe from this link:

http://www2.gmer.net/mbr/mbr.exe

Save the file to your portable drive and double click it to run
It will produce a .txt file. Post the text file results in your reply.

If the MBR .txt file says anything like this:

"Warning: possible MBR rootkit infection !
MBR rootkit code detected !
malicious code @ sector .......
copy of MBR has been found in sector 62 !"

You can do this:

go to start>run and type in notepad, click ok or enter
notepad will open. copy/paste in what's below in the box.


mbr -f

Go to File>save
Enter fix.bat in the "File name:" box
change the "Save as type" to All Files

save it to your portable drive
double click the fix.bat icon in your portable drive
It should create a new txt file. post the new txt file.

sdfdesign
2009-10-08, 05:21
Yesterday I did scan all portable usb drives along with "fixed" drives and nothing was detected; however, I'm re-running malwarebytes now since it found an update to yesterday's download. So we'll see what comes up today...I'll post the results tomorrow along with the MBR .txt results and the new txt file from the fix.bat.

Thanks again for your continued support
:D

sdfdesign
2009-10-08, 08:12
Results of newly run Malwarebytes...

Malwarebytes' Anti-Malware 1.41
Database version: 2922
Windows 5.1.2600 Service Pack 3

10/7/2009 10:56:31 PM
mbam-log-2009-10-07 (22-56-31).txt

Scan type: Full Scan (A:\|C:\|D:\|F:\|G:\|H:\|I:\|)
Objects scanned: 195238
Time elapsed: 2 hour(s), 18 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



and the results of the mbr.exe...

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


so I guess the volume I: is okay??? :confused:

shelf life
2009-10-09, 02:14
Hi

thanks for all the info. MBAM came up clean so that is only good.
Not sure what to make of the two MBR scans. Try running rootrepeal once more on the portable drive and see what you get this time.

sdfdesign
2009-10-09, 04:37
I copied and pasted the rootrepeal.exe and ran that directly off the portable hd and this is the log I got...below that log is the mbr.log I got after running rootrepeal so I guess I'm still at the same spot I was on my last post...so I guess we move on to the next step? am I clean????

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/08 19:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF639000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8BA0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE772000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume I:\
Status: MBR Rootkit Detected!

Path: Volume I:\, Sector 1
Status: Sector mismatch

Path: Volume I:\, Sector 2
Status: Sector mismatch

Path: Volume I:\, Sector 3
Status: Sector mismatch

Path: Volume I:\, Sector 4
Status: Sector mismatch

Path: Volume I:\, Sector 5
Status: Sector mismatch

Path: Volume I:\, Sector 6
Status: Sector mismatch

Path: Volume I:\, Sector 7
Status: Sector mismatch

Path: Volume I:\, Sector 8
Status: Sector mismatch

Path: Volume I:\, Sector 9
Status: Sector mismatch

Path: Volume I:\, Sector 10
Status: Sector mismatch

Path: Volume I:\, Sector 11
Status: Sector mismatch

Path: Volume I:\, Sector 12
Status: Sector mismatch

Path: Volume I:\, Sector 13
Status: Sector mismatch

Path: Volume I:\, Sector 14
Status: Sector mismatch

Path: Volume I:\, Sector 15
Status: Sector mismatch

Path: Volume I:\, Sector 16
Status: Sector mismatch

Path: Volume I:\, Sector 17
Status: Sector mismatch

Path: Volume I:\, Sector 18
Status: Sector mismatch

Path: Volume I:\, Sector 19
Status: Sector mismatch

Path: Volume I:\, Sector 20
Status: Sector mismatch

Path: Volume I:\, Sector 21
Status: Sector mismatch

Path: Volume I:\, Sector 22
Status: Sector mismatch

Path: Volume I:\, Sector 23
Status: Sector mismatch

Path: Volume I:\, Sector 24
Status: Sector mismatch

Path: Volume I:\, Sector 25
Status: Sector mismatch

Path: Volume I:\, Sector 26
Status: Sector mismatch

Path: Volume I:\, Sector 27
Status: Sector mismatch

Path: Volume I:\, Sector 28
Status: Sector mismatch

Path: Volume I:\, Sector 29
Status: Sector mismatch

Path: Volume I:\, Sector 30
Status: Sector mismatch

Path: Volume I:\, Sector 31
Status: Sector mismatch

Path: Volume I:\, Sector 32
Status: Sector mismatch

Path: Volume I:\, Sector 33
Status: Sector mismatch

Path: Volume I:\, Sector 34
Status: Sector mismatch

Path: Volume I:\, Sector 35
Status: Sector mismatch

Path: Volume I:\, Sector 36
Status: Sector mismatch

Path: Volume I:\, Sector 37
Status: Sector mismatch

Path: Volume I:\, Sector 38
Status: Sector mismatch

Path: Volume I:\, Sector 39
Status: Sector mismatch

Path: Volume I:\, Sector 40
Status: Sector mismatch

Path: Volume I:\, Sector 41
Status: Sector mismatch

Path: Volume I:\, Sector 42
Status: Sector mismatch

Path: Volume I:\, Sector 43
Status: Sector mismatch

Path: Volume I:\, Sector 44
Status: Sector mismatch

Path: Volume I:\, Sector 45
Status: Sector mismatch

Path: Volume I:\, Sector 46
Status: Sector mismatch

Path: Volume I:\, Sector 47
Status: Sector mismatch

Path: Volume I:\, Sector 48
Status: Sector mismatch

Path: Volume I:\, Sector 49
Status: Sector mismatch

Path: Volume I:\, Sector 50
Status: Sector mismatch

Path: Volume I:\, Sector 51
Status: Sector mismatch

Path: Volume I:\, Sector 52
Status: Sector mismatch

Path: Volume I:\, Sector 53
Status: Sector mismatch

Path: Volume I:\, Sector 54
Status: Sector mismatch

Path: Volume I:\, Sector 55
Status: Sector mismatch

Path: Volume I:\, Sector 56
Status: Sector mismatch

Path: Volume I:\, Sector 57
Status: Sector mismatch

Path: Volume I:\, Sector 58
Status: Sector mismatch

Path: Volume I:\, Sector 59
Status: Sector mismatch

Path: Volume I:\, Sector 60
Status: Sector mismatch

Path: Volume I:\, Sector 61
Status: Sector mismatch

Path: Volume I:\, Sector 62
Status: Sector mismatch

Path: i:\settings.dat
Status: Size mismatch (API: 15, Raw: 0)

==EOF==

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
:blink: :scratch: :blink: :scratch:
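The two reports in the post above (RootRepeal's "Hidden/Locked Files" section and the mbr.exe output, whose warning phrasings shelf life quoted earlier) can be triaged by script so that a 62-line sector run and the second tool's verdict sit side by side. The following is an added example written for this page, not RootRepeal's or Gmer's own code; its sample report is a constructed, shortened copy of the one posted.

```python
# Added example (not RootRepeal's or Gmer's code): parse the RootRepeal report and classify mbr.exe output.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the layout of the report above; the 62-entry sector
# list is shortened to three entries so the sample stays small.
SAMPLE_ROOTREPEAL = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================

Hidden/Locked Files
-------------------
Path: Volume I:\\
Status: MBR Rootkit Detected!

Path: Volume I:\\, Sector 1
Status: Sector mismatch

Path: Volume I:\\, Sector 2
Status: Sector mismatch

Path: Volume I:\\, Sector 62
Status: Sector mismatch

Path: i:\\settings.dat
Status: Size mismatch (API: 15, Raw: 0)

==EOF==
"""

SECTOR_RE = re.compile(r"^(?P<vol>Volume [A-Z]:\\), Sector (?P<n>\d+)$")
SIZE_RE = re.compile(r"Size mismatch \(API: (?P<api>\d+), Raw: (?P<raw>\d+)\)")
# Phrasings quoted earlier in the thread for a positive mbr.exe result.
MBR_WARNINGS = ("possible MBR rootkit infection", "MBR rootkit code detected",
                "malicious code @ sector", "copy of MBR has been found")
# (path, status, size seen through the file API, size from the raw disk read)
HiddenFile = Tuple[str, str, Optional[int], Optional[int]]

@dataclass
class VolumeFindings:
    mbr_rootkit_flag: bool = False
    mismatch_sectors: List[int] = field(default_factory=list)

def _section(report: str, name: str) -> List[str]:
    """Lines of section `name` (a header followed by a dashed rule), up to the
    next such header or ==EOF==."""
    lines, body, inside = report.splitlines(), [], False
    for i, line in enumerate(lines):
        header = bool(line.strip()) and i + 1 < len(lines) and lines[i + 1].startswith("---")
        if header and not inside:
            inside = line.strip() == name
        elif inside and (header or line.strip() == "==EOF=="):
            break
        elif inside and not line.startswith("---"):
            body.append(line)
    return body

def parse_hidden_files(report: str) -> Tuple[Dict[str, VolumeFindings], List[HiddenFile]]:
    """Pair each Path with its Status: sector and MBR entries are grouped per
    volume, everything else is returned as a file finding."""
    volumes: Dict[str, VolumeFindings] = {}
    files: List[HiddenFile] = []
    path = ""
    for line in _section(report, "Hidden/Locked Files"):
        if line.startswith("Path: "):
            path = line[6:].strip()
            continue
        if not line.startswith("Status: ") or not path:
            continue
        status, m = line[8:].strip(), SECTOR_RE.match(path)
        if m and status == "Sector mismatch":
            volumes.setdefault(m["vol"], VolumeFindings()).mismatch_sectors.append(int(m["n"]))
        elif path.startswith("Volume ") and status == "MBR Rootkit Detected!":
            volumes.setdefault(path, VolumeFindings()).mbr_rootkit_flag = True
        elif not path.startswith("Volume "):
            sm = SIZE_RE.search(status)
            files.append((path, status) + ((int(sm["api"]), int(sm["raw"])) if sm else (None, None)))
        path = ""
    return volumes, files

def sector_ranges(sectors: List[int]) -> str:
    """Collapse [1, 2, 3, 62] into '1-3, 62' so a 62-line run reads as one fact."""
    s, out, i = sorted(set(sectors)), [], 0
    while i < len(s):
        j = i
        while j + 1 < len(s) and s[j + 1] == s[j] + 1:
            j += 1
        out.append(str(s[i]) if i == j else f"{s[i]}-{s[j]}")
        i = j + 1
    return ", ".join(out)

def mbr_verdict(text: str) -> str:
    """'infected' if a warning phrase appears, 'ok' on the clean closing line, else 'unknown'."""
    if any(w in text for w in MBR_WARNINGS):
        return "infected"
    return "ok" if "user & kernel MBR OK" in text else "unknown"
```

Run against the full report posted above, `sector_ranges` reduces the 62 entries to "1-62" and the file finding shows the API size beside the raw-read size, which is what the helper needs to weigh against the clean mbr.exe result.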

shelf life
2009-10-10, 01:29
hi sdfdesign,

Ok same results with rootrepeal. Could be a false positive, I sometimes get strange results with my linux partition. Just for peace of mind download the full Gmer app. to the portable drive and run it. link and directions:

download Gmer to your desktop:

http://gmer.net/download.php

close any running programs.

doubleclick the gmer icon to start Gmer:

if you get a message box that says:

warning!!
Gmer has found system modification or Rootkit Activity.......

It will ask you:

Do you want to fully scan your system?
--->select NO<---

In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.

Now click the Scan button.
gmer will scan computer.
If you get a Rootkit warning window during the scan: click OK

When finished click "Save" to save log to your desktop

Copy/Paste the saved Gmer log in your reply.

sdfdesign
2009-10-10, 05:42
Thank you for the reformatting suggestion...question for ya on that, if some of the more important stuff opens up okay still, is it safe to copy them to a cd and then reformat since I don't have another back up of those files?

Here's the gmer log results...

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-09 20:34:20
Windows 5.1.2600 Service Pack 3
Running: o0h9i67q.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxtyapog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEF6A54EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEF6A5581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEF6A5498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEF6A54AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEF6A5595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEF6A55C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEF6A562F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEF6A5619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEF6A552A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEF6A565B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEF6A556D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEF6A5470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEF6A5484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEF6A54FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEF6A5697]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEF6A5603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEF6A55ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEF6A55AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEF6A5683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEF6A566F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEF6A54D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEF6A54C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEF6A55D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEF6A5559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEF6A5645]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEF6A5540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEF6A5514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80515A6A 7 Bytes JMP EF6A5518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80572BF4 5 Bytes JMP EF6A5571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 80573037 7 Bytes JMP EF6A55F1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057791D 5 Bytes JMP EF6A5585 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80578A14 7 Bytes JMP EF6A569B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 7 Bytes JMP EF6A5633 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8057C328 5 Bytes JMP EF6A54EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8057CFC0 5 Bytes JMP EF6A54C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057DEF1 5 Bytes JMP EF6A5544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E369 7 Bytes JMP EF6A552E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80581702 5 Bytes JMP EF6A5474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581889 7 Bytes JMP EF6A5502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 8058228C 7 Bytes JMP EF6A55DB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80587693 7 Bytes JMP EF6A561D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058B7CD 7 Bytes JMP EF6A54B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E695 5 Bytes JMP EF6A555D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80591F8B 7 Bytes JMP EF6A55C5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80593334 7 Bytes JMP EF6A5599 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0470 5 Bytes JMP EF6A549C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 805E1939 5 Bytes JMP EF6A5488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 805E218F 5 Bytes JMP EF6A565F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 80635967 5 Bytes JMP EF6A54DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 80654DD6 7 Bytes JMP EF6A5649 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 806556FC 7 Bytes JMP EF6A5607 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 80655B78 7 Bytes JMP EF6A55AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8065606D 5 Bytes JMP EF6A5673 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 806564D8 5 Bytes JMP EF6A5687 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0050
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC003F
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0F65
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0F76
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0022
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F19
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0F2A
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0094
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0083
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC00A5
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0F91
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0000
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC0061
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0FB6
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0011
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC0072
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB000A
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0F72
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0F83
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BB0025
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0F94
.text C:\WINDOWS\System32\svchost.exe[552] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0FA3
.text C:\WINDOWS\System32\svchost.exe[552] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0FBE
.text C:\WINDOWS\System32\svchost.exe[552] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA001D
.text C:\WINDOWS\System32\svchost.exe[552] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0000
.text C:\WINDOWS\System32\svchost.exe[552] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA002E
.text C:\WINDOWS\System32\svchost.exe[552] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0FE3
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F77
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070022
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070091
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F4B
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F2E
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700C7
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070F1D
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FA5
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F5C
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070011
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000700A2
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0006006F
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060FB2
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0006004A
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FC3
.text C:\WINDOWS\system32\services.exe[712] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050042
.text C:\WINDOWS\system32\services.exe[712] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FB7
.text C:\WINDOWS\system32\services.exe[712] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[712] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[712] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FD2
.text C:\WINDOWS\system32\services.exe[712] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\services.exe[712] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F52
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0047
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0036
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0F79
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0F94
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0F13
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0F24
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0EDD
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0EEE
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD009B
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F41
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0076
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0047
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0FB9
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC002C
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0011
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0FCA
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BC006C
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0FDB
.text C:\WINDOWS\system32\lsass.exe[724] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0FA1
.text C:\WINDOWS\system32\lsass.exe[724] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0FB2
.text C:\WINDOWS\system32\lsass.exe[724] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0011
.text C:\WINDOWS\system32\lsass.exe[724] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\lsass.exe[724] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0022
.text C:\WINDOWS\system32\lsass.exe[724] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0FE3
.text C:\WINDOWS\system32\lsass.exe[724] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD0F9B
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD0FAC
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD007A
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0069
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD003D
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD00C3
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD00B2
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD00F2
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD0F4F
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD0103
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD0058
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD00A1
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD002C
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD0F60
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FC0FE5
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FC007D
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FC0036
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FC001B
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FC006C
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FC000A
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FC0051
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FC0FCA
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FB0FA6
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FB0FB7
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FB0027
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FB0FD2
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FB0FE3
.text C:\WINDOWS\system32\svchost.exe[892] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FA000A
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D70F6D
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D70062
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D70F94
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D70051
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D70036
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D70F41
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D70F5C
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D70F15
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D70F26
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D70EF0
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D70FA5
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D70FD4
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D7007D
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D70025
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D70014
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D700A4
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D6001B
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D6006C
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D60FD4
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D6005B
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D60FB9
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F6, 88]
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D60040
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D50F9A
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D50FB5
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D50FC6
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D50025
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D50FD7
.text C:\WINDOWS\system32\svchost.exe[960] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D40000
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02800FEF
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02800F94
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02800FAF
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02800FC0
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0280007D
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02800047
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02800F68
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 028000B0
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02800F3C
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02800F4D
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02800F17
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02800062
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0280000A
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02800F79
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02800036
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02800025
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 028000CB
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 027F0047
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 027F006C
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 027F002C
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 027F001B
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 027F0FB9
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 027F0000
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 027F0FCA
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9F, 8A]
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 027F0FDB
.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 027A004C
.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!system 77C293C7 5 Bytes JMP 027A0FC1
.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 027A0016
.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!_open 77C2F566 5 Bytes JMP 027A0FEF
.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 027A0027
.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 027A0FD2
.text C:\WINDOWS\System32\svchost.exe[1056] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02780000
.text C:\WINDOWS\System32\svchost.exe[1056] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 02790FD4
.text C:\WINDOWS\System32\svchost.exe[1056] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 02790FEF
.text C:\WINDOWS\System32\svchost.exe[1056] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 02790FC3
.text C:\WINDOWS\System32\svchost.exe[1056] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 0279000A
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0084000A
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0084008C
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00840067
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00840056
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00840F8D
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00840FB9
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008400AE
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00840F66
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00840F3A
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008400D3
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00840F29
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00840FA8
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0084001B
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0084009D
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00840FD4
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00840FE5
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00840F4B
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00830025
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00830F9E
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00830FD4
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0083000A
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0083005B
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00830FEF
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00830036
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00830FB9
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00820F92
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!system 77C293C7 5 Bytes JMP 00820FA3
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00820FD2
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00820000
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0082001D
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00820FE3
.text C:\WINDOWS\System32\svchost.exe[1148] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00810FEF
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A00058
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A00F6D
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A00047
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A00F94
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A00FC0
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A00F26
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A00F37
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A0009A
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A00F0B
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A000B5
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A00FA5
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A00011
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A00F48
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A00022
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A00FDB
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A00089
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009F0036
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009F0076
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009F0025
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009F000A
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009F0FAF
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009F0FC0
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BF, 88]
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009F0051
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009E0FA1
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!system 77C293C7 5 Bytes JMP 009E0036
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009E0FC6
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009E001B
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009E0FE3
.text C:\WINDOWS\system32\svchost.exe[1220] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A80000
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A80058
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A80047
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A80F79
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A80F8A
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A8001B
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A80F17
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A80F3E
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A80ED0
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A80EEB
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A80084
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A80036
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A80FE5
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A80069
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A80FB9
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A80FD4
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A80F06
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F8D
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FB9
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FCA
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930040
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FE5
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930F9E
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930025
.text C:\WINDOWS\System32\svchost.exe[1492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920053
.text C:\WINDOWS\System32\svchost.exe[1492] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920038
.text C:\WINDOWS\System32\svchost.exe[1492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FE3
.text C:\WINDOWS\System32\svchost.exe[1492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
.text C:\WINDOWS\System32\svchost.exe[1492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FC8
.text C:\WINDOWS\System32\svchost.exe[1492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0092001D
.text C:\WINDOWS\System32\svchost.exe[1492] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1492] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00910FEF
.text C:\WINDOWS\System32\svchost.exe[1492] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00910031
.text C:\WINDOWS\System32\svchost.exe[1492] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00910042
.text C:\WINDOWS\System32\svchost.exe[1492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00900FEF
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 015C000A
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 015C00A2
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 015C0091
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 015C0FC3
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 015C0080
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 015C004A
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 015C00E4
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 015C00C9
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015C00F5
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015C0F5C
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 015C0110
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 015C0065
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 015C0FEF
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 015C0F92
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 015C0FDE
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 015C0025
.text C:\WINDOWS\Explorer.EXE[1708] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 015C0F77
.text C:\WINDOWS\Explorer.EXE[1708] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 015B0FC3
.text C:\WINDOWS\Explorer.EXE[1708] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 015B006F
.text C:\WINDOWS\Explorer.EXE[1708] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 015B0014
.text C:\WINDOWS\Explorer.EXE[1708] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 015B0FDE
.text C:\WINDOWS\Explorer.EXE[1708] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 015B004A
.text C:\WINDOWS\Explorer.EXE[1708] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 015B0FEF
.text C:\WINDOWS\Explorer.EXE[1708] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 015B0FA8
.text C:\WINDOWS\Explorer.EXE[1708] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [7B, 89] {JNP 0xffffffffffffff8b}
.text C:\WINDOWS\Explorer.EXE[1708] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 015B0025
.text C:\WINDOWS\Explorer.EXE[1708] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 015A0F90
.text C:\WINDOWS\Explorer.EXE[1708] msvcrt.dll!system 77C293C7 5 Bytes JMP 015A0FAB
.text C:\WINDOWS\Explorer.EXE[1708] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 015A000A
.text C:\WINDOWS\Explorer.EXE[1708] msvcrt.dll!_open 77C2F566 5 Bytes JMP 015A0FEF
.text C:\WINDOWS\Explorer.EXE[1708] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 015A001B
.text C:\WINDOWS\Explorer.EXE[1708] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 015A0FD2
.text C:\WINDOWS\Explorer.EXE[1708] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 01530FDB
.text C:\WINDOWS\Explorer.EXE[1708] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 01530000
.text C:\WINDOWS\Explorer.EXE[1708] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 01530FCA
.text C:\WINDOWS\Explorer.EXE[1708] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 01530FB9
.text C:\WINDOWS\Explorer.EXE[1708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F70FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2044] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2044] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
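
An added example, not part of the posted log or of the helper's instructions: a small Python parser for GMER's user-mode ".text" hook lines in the format shown above. It groups hooks per process, separates JMPs whose destination GMER attributed to a named module (as with the mcproxy.exe entries) from JMPs into memory it could not map to any module, records the 64 KiB pages those unattributed JMPs land in, and notes which API families (process creation, registry, network, loader, file, memory, IPC) are hooked in each process. The sample log is a constructed subset in the same format, not a copy of the full posted log, and the needs_review rule is a triage heuristic assumed here, not a verdict: HIPS and antivirus products also inject hooks that GMER cannot attribute, so a hit means "inspect that memory region", not "rootkit confirmed".

```python
"""Parse GMER 1.0.15 '.text' (user-mode inline hook) lines and summarise per process.

Added example. SAMPLE_LOG is a constructed subset modelled on the thread's log format.
"""
import re

# Constructed sample in GMER's ".text" hook-line format (subset, assembled for this example).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A0009A
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009F0FC0
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BF, 88]
.text C:\WINDOWS\system32\svchost.exe[1220] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\Explorer.EXE[1708] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [7B, 89] {JNP 0xffffffffffffff8b}
.text C:\WINDOWS\Explorer.EXE[1708] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 01530FB9
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2044] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
"""

# One hook line: ".text <proc>[pid] <module>!<export>[ + n] <addr> <n> Bytes JMP <target> [<owner> (<desc>)]"
# or, for the tail of a split hook, "... <n> Bytes [<raw bytes>] [{<disasm>}]".
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)(?:\s\+\s\d+)?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<raw>[^\]]+)\])"
    r"(?:\s+\{[^}]*\})?"
    r"(?:\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\))?\s*$"
)

# API families GMER commonly reports hooked; grouping is this example's own choice.
API_CLASSES = {
    "process": ("CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem"),
    "loader": ("LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"),
    "file": ("CreateFileA", "CreateFileW", "_open", "_wopen", "_creat", "_wcreat"),
    "registry": ("RegOpenKeyA", "RegOpenKeyW", "RegOpenKeyExA", "RegOpenKeyExW",
                 "RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW"),
    "network": ("socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW"),
    "memory": ("VirtualProtect", "VirtualProtectEx"),
    "ipc": ("CreatePipe", "CreateNamedPipeA", "CreateNamedPipeW"),
}


def parse_hooks(text):
    """Return one dict per '.text' hook line; device lines and headers are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def classify_api(export):
    """Map an exported function name to one of API_CLASSES, or 'other'."""
    for cls, names in API_CLASSES.items():
        if export in names:
            return cls
    return "other"


def summarize(text):
    """Per-process summary: where the JMPs go and which API families are hooked."""
    summary = {}
    for h in parse_hooks(text):
        key = f"{h['proc']}[{h['pid']}]"
        entry = summary.setdefault(key, {
            "attributed": 0,        # JMP into a module GMER named (owner path present)
            "unattributed": 0,      # JMP into memory GMER could not map to a module
            "byte_patches": 0,      # trailing bytes of a split hook, e.g. '[BF, 88]'
            "target_pages": set(),  # 64 KiB pages the unattributed JMPs land in
            "api_classes": set(),
        })
        entry["api_classes"].add(classify_api(h["export"]))
        if h["target"] is None:
            entry["byte_patches"] += 1
        elif h["owner"]:
            entry["attributed"] += 1
        else:
            entry["unattributed"] += 1
            entry["target_pages"].add(h["target"][:4] + "0000")
    return summary


def needs_review(entry):
    """Triage heuristic (assumed here): unattributed hooks on process or network APIs get a look."""
    return entry["unattributed"] > 0 and bool(entry["api_classes"] & {"process", "network"})


if __name__ == "__main__":
    for proc, e in summarize(SAMPLE_LOG).items():
        flag = "REVIEW" if needs_review(e) else "ok"
        print(f"{flag:6} {proc}: unattributed={e['unattributed']} attributed={e['attributed']} "
              f"patches={e['byte_patches']} pages={sorted(e['target_pages'])} "
              f"apis={sorted(e['api_classes'])}")
```

Run it against a saved GMER log by replacing SAMPLE_LOG with the file contents. The pages listed for a process are what you would dump and inspect next (for example with the GMER or RootRepeal memory view already in use in this thread); a hook whose owner column names a signed, expected product binary, as the mcproxy.exe lines do, is the least interesting kind.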

shelf life
2009-10-10, 17:24
Both Gmer scans look to be negative for the MBR rootkit. Must be a false positive. Since MBAM came up clean on the portable drive it should be fine to burn files to a CD if you reformat. Another option for backing up is online storage sites. I use idrive, it's free up to 2.0GB which is plenty more space than I need.
You can delete the rootrepeal icon from the desktop also the gmer tools.
combofix can be removed like this:

start>run and type in
combofix /u
click ok or enter
Note: a space after the x and before the /

If all is good on your end, some tips for you:


10 Tips for Reducing/Preventing Your Risk To Malware:

Simply knowing what constitutes a safe action on a computer and what may not will help you tremendously.

1) It is essential to keep your OS (Windows) (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us), browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer and you're then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html) that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If you frequently have malware then you should review your computer habits.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.*

8) Install and understand the limitations of a software firewall.

9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html) for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0. Read the FAQs.

10) Warez, cracks etc are very popular for carrying malware payloads. Avoid. If you install files via p2p (http://www.virusvault.us/p2p.html) networks then you are much more likely to encounter malicious code. Do you trust the source of the file? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.

sdfdesign
2009-10-12, 04:07
All seems to be good, thank you very much for your excellent assistance and suggestions.

:bigthumb: