
Thread: Exploit.Java.CVE-2009, Antimalware Doctor, FakeAlert, and others

  1. #51
    Emeritus-Security Expert
    Join Date: Nov 2005
    Location: Florida's SpaceCoast
    Posts: 15,208

    Looks fine, how are the redirects?
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #52
    Senior Member
    Join Date: Sep 2008
    Posts: 151

    Well, for once I was able to post the message to the forum. That's a good sign.

    I took the liberty of starting GMER again, but this time I unchecked the ones you had suggested before and I unchecked another one.
    - the files box

    Too many characters to post, so I split it.

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-05-17 18:29:43
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\Robert\LOCALS~1\Temp\axtdapog.sys

    ---- System - GMER 1.0.15 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76E787E]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76E7BFE]

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEE36578A]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEE365738]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEE36574C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEE365837]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEE365863]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEE3658D1]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEE3658BB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEE3657CA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEE3658FD]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEE36580D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEE365710]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEE365724]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEE36579E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEE365939]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEE3658A5]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEE36588F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEE36584D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEE365925]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEE365911]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEE365776]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEE365762]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEE3657F9]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEE3658E7]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEE3657E0]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEE3657B4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP EE3657B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwOpenKey 80568D48 5 Bytes JMP EE365811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F9 7 Bytes JMP EE365893 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtCreateFile 8056CF98 5 Bytes JMP EE36578E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtSetInformationProcess 8056DDD9 5 Bytes JMP EE365766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwQueryKey 80570C4A 7 Bytes JMP EE36593D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwEnumerateKey 80570F41 7 Bytes JMP EE3658D5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtOpenProcess 805719AC 5 Bytes JMP EE365714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571E96 7 Bytes JMP EE3657A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP EE3657E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP EE3657CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP EE365750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwTerminateProcess 805824CC 5 Bytes JMP EE3657FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwEnumerateValueKey 80589A67 7 Bytes JMP EE3658BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtOpenThread 8058E5C4 5 Bytes JMP EE365728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058EA94 5 Bytes JMP EE365901 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D64 7 Bytes JMP EE365867 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwDeleteKey 80595316 7 Bytes JMP EE36583B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwCreateProcess 805B14AC 5 Bytes JMP EE36573C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwSetContextThread 8062E057 5 Bytes JMP EE36577A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwUnloadKey 8064DD32 7 Bytes JMP EE3658EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E66B 7 Bytes JMP EE3658A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwRenameKey 8064EAEA 7 Bytes JMP EE365851 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwRestoreKey 8064EFDD 5 Bytes JMP EE365915 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwReplaceKey 8064F446 5 Bytes JMP EE365929 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF7A0A760]
    init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF672EF80]

  3. #53
    Senior Member
    Join Date: Sep 2008
    Posts: 151

    2nd part

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[152] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B8000A
    .text C:\WINDOWS\Explorer.EXE[152] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BE000A
    .text C:\WINDOWS\Explorer.EXE[152] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01A00FEF
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01A0007D
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01A00F92
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01A0006C
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01A0005B
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01A00FB9
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01A000A4
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01A00F5C
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01A000F5
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01A000E4
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01A00F41
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01A0004A
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01A00FCA
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01A00F6D
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01A00025
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01A0000A
    .text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01A000C9
    .text C:\WINDOWS\Explorer.EXE[152] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 019F0FD4
    .text C:\WINDOWS\Explorer.EXE[152] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 019F0047
    .text C:\WINDOWS\Explorer.EXE[152] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 019F0FE5
    .text C:\WINDOWS\Explorer.EXE[152] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 019F001B
    .text C:\WINDOWS\Explorer.EXE[152] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 019F0036
    .text C:\WINDOWS\Explorer.EXE[152] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 019F0000
    .text C:\WINDOWS\Explorer.EXE[152] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 019F0F9E
    .text C:\WINDOWS\Explorer.EXE[152] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BF, 89]
    .text C:\WINDOWS\Explorer.EXE[152] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 019F0FB9
    .text C:\WINDOWS\Explorer.EXE[152] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 019E0FA6
    .text C:\WINDOWS\Explorer.EXE[152] msvcrt.dll!system 77C293C7 5 Bytes JMP 019E0FB7
    .text C:\WINDOWS\Explorer.EXE[152] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 019E0027
    .text C:\WINDOWS\Explorer.EXE[152] msvcrt.dll!_open 77C2F566 5 Bytes JMP 019E0FEF
    .text C:\WINDOWS\Explorer.EXE[152] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 019E0FD2
    .text C:\WINDOWS\Explorer.EXE[152] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 019E000C
    .text C:\WINDOWS\Explorer.EXE[152] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 019C0000
    .text C:\WINDOWS\Explorer.EXE[152] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 019C001B
    .text C:\WINDOWS\Explorer.EXE[152] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 019C0FE5
    .text C:\WINDOWS\Explorer.EXE[152] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 019C0FD4
    .text C:\WINDOWS\Explorer.EXE[152] WS2_32.dll!socket 71AB4211 5 Bytes JMP 019D0FEF
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006F0FEF
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006F0071
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006F004C
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006F003B
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006F0F72
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006F000A
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006F0F46
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006F0F57
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006F00BA
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006F00A9
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006F0F06
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006F0F83
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006F0FDE
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006F0082
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006F0FA8
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006F0FB9
    .text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006F0F2B
    .text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006E001B
    .text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006E006C
    .text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006E0FD4
    .text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006E0FE5
    .text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006E005B
    .text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006E0000
    .text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006E0040
    .text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006E0FAF
    .text C:\WINDOWS\system32\svchost.exe[508] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006D0FBE
    .text C:\WINDOWS\system32\svchost.exe[508] msvcrt.dll!system 77C293C7 5 Bytes JMP 006D0049
    .text C:\WINDOWS\system32\svchost.exe[508] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006D0FE3
    .text C:\WINDOWS\system32\svchost.exe[508] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006D0000
    .text C:\WINDOWS\system32\svchost.exe[508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006D0038
    .text C:\WINDOWS\system32\svchost.exe[508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006D0011
    .text C:\WINDOWS\system32\svchost.exe[508] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001C0000
    .text C:\WINDOWS\system32\svchost.exe[508] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001C0FE5
    .text C:\WINDOWS\system32\svchost.exe[508] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001C0FCA
    .text C:\WINDOWS\system32\svchost.exe[508] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001C0FB9
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF00A2
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0FAD
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0FBE
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0087
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0051
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF00E2
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F90
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF010E
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F7F
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF011F
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF006C
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF001B
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF00C7
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FE5
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF002C
    .text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF00FD
    .text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0036
    .text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F97
    .text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0025
    .text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE000A
    .text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0FB2
    .text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0FEF
    .text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BE0FC3
    .text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DE, 88]
    .text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0FD4
    .text C:\WINDOWS\system32\svchost.exe[668] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006F0031
    .text C:\WINDOWS\system32\svchost.exe[668] msvcrt.dll!system 77C293C7 5 Bytes JMP 006F0020
    .text C:\WINDOWS\system32\svchost.exe[668] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006F0FC1
    .text C:\WINDOWS\system32\svchost.exe[668] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006F0FEF
    .text C:\WINDOWS\system32\svchost.exe[668] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006F0FB0
    .text C:\WINDOWS\system32\svchost.exe[668] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006F0FD2
    .text C:\WINDOWS\system32\svchost.exe[668] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006D0FEF
    .text C:\WINDOWS\system32\svchost.exe[668] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006D0FDE
    .text C:\WINDOWS\system32\svchost.exe[668] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006D0014
    .text C:\WINDOWS\system32\svchost.exe[668] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006D0FC3
    .text C:\WINDOWS\system32\svchost.exe[668] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0FE5
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0123000A
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 012300B1
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01230FB2
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01230080
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01230FC3
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01230FDE
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01230F7C
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 012300C2
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01230F3C
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01230F61
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 012300F0
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01230065
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01230FEF
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01230F97
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01230040
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01230025
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 012300DF
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01220011
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01220F6F
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01220FCA
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01220000
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01220F80
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01220FEF
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01220F9B
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [42, 89]
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01220022
    .text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0F9E
    .text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FB9
    .text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FDE
    .text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
    .text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0029
    .text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FEF
    .text C:\WINDOWS\system32\services.exe[752] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FD0000
    .text C:\WINDOWS\system32\services.exe[752] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FD0FE5
    .text C:\WINDOWS\system32\services.exe[752] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FD0011
    .text C:\WINDOWS\system32\services.exe[752] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FD0022
    .text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0000
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD000A
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD0F9B
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD0FAC
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD0086
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0069
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD003D
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD00E3
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD00C8
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD0119
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD0108
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD0F65
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD0058
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD001B
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD00AB
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD0FD1
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD002C
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD0F80
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D4002F
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D40FA8
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D40FDE
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D40FEF
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D40FC3
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D4000A
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D40065
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D4004A
    .text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D30044
    .text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D30FB9
    .text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D30029
    .text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D3000C
    .text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D30FCA
    .text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D30FEF
    .text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D20FEF
    .text C:\WINDOWS\system32\lsass.exe[764] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D10FEF
    .text C:\WINDOWS\system32\lsass.exe[764] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D10FD4
    .text C:\WINDOWS\system32\lsass.exe[764] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D10FC3
    .text C:\WINDOWS\system32\lsass.exe[764] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D1000A
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D9000A
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D9008B
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D9007A
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D90069
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D90FAC
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D9003D
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D90F4D
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D90F6A
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D90F21
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D90F32
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D90F10
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D9004E
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D9001B
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D90F7B
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D9002C
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D90FDB
    .text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D900B0
    .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D80FAF
    .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D80058
    .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D80FC0
    .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D80000
    .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D80047
    .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D80FEF
    .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D8002C
    .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D80011
    .text C:\WINDOWS\system32\svchost.exe[932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D7004E
    .text C:\WINDOWS\system32\svchost.exe[932] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D7003D
    .text C:\WINDOWS\system32\svchost.exe[932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D70018
    .text C:\WINDOWS\system32\svchost.exe[932] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D70FEF
    .text C:\WINDOWS\system32\svchost.exe[932] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D70FC3
    .text C:\WINDOWS\system32\svchost.exe[932] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D70FDE
    .text C:\WINDOWS\system32\svchost.exe[932] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006D000A
    .text C:\WINDOWS\system32\svchost.exe[932] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006D0FEF
    .text C:\WINDOWS\system32\svchost.exe[932] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006D0FD4
    .text C:\WINDOWS\system32\svchost.exe[932] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006D0025
    .text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D60FEF
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E0000
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006E0F83
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006E0F94
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006E006C
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006E0051
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006E0FAF
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006E0F61
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006E00A9
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006E00CE
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006E0F35
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006E00E9
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006E0036
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E0FE5
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006E0F72
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006E001B
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006E0FCA
    .text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006E0F50
    .text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006D0FDE
    .text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006D0F9E
    .text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006D0FEF
    .text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006D001B
    .text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006D005B
    .text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006D000A
    .text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006D0FB9
    .text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8D, 88]
    .text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006D0040
    .text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 001C0FC1
    .text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!system 77C293C7 5 Bytes JMP 001C004C
    .text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 001C0FE3
    .text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 001C0000
    .text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 001C0FD2
    .text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 001C001D
    .text C:\WINDOWS\System32\svchost.exe[968] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001A0FEF
    .text C:\WINDOWS\System32\svchost.exe[968] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001A0FDE
    .text C:\WINDOWS\System32\svchost.exe[968] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001A0FCD
    .text C:\WINDOWS\System32\svchost.exe[968] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001A0FB2
    .text C:\WINDOWS\System32\svchost.exe[968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001B0FEF
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0FEF
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC0F5C
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0F77
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC005B
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC004A
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC0FB9
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC0F37
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC007D
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC00BF
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC0F26
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FC0F15
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FC0FA8
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FC0FDE
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FC006C
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FC002F
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FC0014
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FC00A4
    .text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FB001B
    .text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FB0036
    .text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FB000A
    .text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FB0FD4
    .text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FB0F83
    .text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FB0FE5
    .text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FB0F94
    .text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1B, 89]
    .text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FB0FAF
    .text C:\WINDOWS\system32\svchost.exe[1004] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FA0070
    .text C:\WINDOWS\system32\svchost.exe[1004] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FA005F
    .text C:\WINDOWS\system32\svchost.exe[1004] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FA0029
    .text C:\WINDOWS\system32\svchost.exe[1004] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FA000C
    .text C:\WINDOWS\system32\svchost.exe[1004] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FA004E
    .text C:\WINDOWS\system32\svchost.exe[1004] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FA0FEF
    .text C:\WINDOWS\system32\svchost.exe[1004] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006E0000
    .text C:\WINDOWS\system32\svchost.exe[1004] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006E0FE5
    .text C:\WINDOWS\system32\svchost.exe[1004] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006E0FD4
    .text C:\WINDOWS\system32\svchost.exe[1004] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006E001B
    .text C:\WINDOWS\system32\svchost.exe[1004] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006F0000
    .text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E000A
    .text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006F000A
    .text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006D000C
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024E0FEF
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 024E0F79
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 024E006E
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 024E0F94
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 024E0047
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 024E0FAF
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024E00AB
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024E009A
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024E00D7
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024E0F3E
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024E0F23
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 024E0036
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 024E0000
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 024E0089
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 024E0FC0
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 024E0011
    .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024E00BC
    .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01950FC3
    .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0195005B
    .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01950FDE
    .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01950FEF
    .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01950F9E
    .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0195000A
    .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01950036
    .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01950025
    .text C:\WINDOWS\System32\svchost.exe[1204] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 024F000A
    .text C:\WINDOWS\System32\svchost.exe[1204] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
    .text C:\WINDOWS\System32\svchost.exe[1204] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
    .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01940042
    .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!system 77C293C7 5 Bytes JMP 01940027
    .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01940FD2
    .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01940FEF
    .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01940FC1
    .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0194000C
    .text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0192000A
    .text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0192001B
    .text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0192002C
    .text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01920047
    .text C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01930000
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00930000
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00930080
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00930F8B
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00930065
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00930FB2
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00930FD4
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00930F3A
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00930F55
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009300B8
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009300A7
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009300C9
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00930FC3
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00930FEF
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00930F66
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00930040
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0093002F
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00930F29
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00920F9E
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00920039
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00920FB9
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00920FD4
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00920F72
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00920FE5
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0092000A
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00920F83
    .text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00910078
    .text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!system 77C293C7 5 Bytes JMP 00910053
    .text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0091001D
    .text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00910000
    .text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00910042
    .text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00910FE3
    .text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001C0000
    .text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001C0FEF
    .text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001C002F
    .text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001C004A
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A10000
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A10F6C
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A10F87
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A10055
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A10044
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A10FAC
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A100A8
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A10097
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A10F34
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A100C3
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A10F19
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A10033
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A10011
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A1007C
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A10FD1
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A10022
    .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A10F45
    .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006F0FB9
    .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006F002C
    .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006F000A
    .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006F0FD4
    .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006F0F79
    .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006F0FE5
    .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006F0F94
    .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8F, 88]
    .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006F001B
    .text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006E0031
    .text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!system 77C293C7 5 Bytes JMP 006E0016
    .text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006E0FC1
    .text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006E0FE3
    .text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006E0FA6
    .text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006E0FD2
    .text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001C0000
    .text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001C0011
    .text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001C002C
    .text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001C0FD1
    .text C:\WINDOWS\system32\svchost.exe[1388] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006D000A
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006F0000
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006F007B
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006F0F7C
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006F0F8D
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006F0F9E
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006F0FD4
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006F00B3
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006F00A2
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006F00F0
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006F00DF
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006F0101
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006F0FB9
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006F001B

  4. #54
    Senior Member
    Join Date
    Sep 2008
    Posts
    151

    Default

    3rd part
    (this sucks)

    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006F0F6B
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006F0FE5
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006F002C
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006F00C4
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006E0FB9
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006E0F83
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006E0014
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006E0FDE
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006E0F94
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006E0FEF
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006E0036
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006E0025
    .text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006D004E
    .text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!system 77C293C7 5 Bytes JMP 006D0FCD
    .text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006D0FDE
    .text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006D000C
    .text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006D003D
    .text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006D0FEF
    .text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B000A
    .text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B001B
    .text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B0036
    .text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001B0FE5
    .text C:\WINDOWS\system32\svchost.exe[1544] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001C0000
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1680] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1680] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----
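The "User code sections" part of the GMER log above is what a helper reads by eye: every `.text <process>[pid] <module>!<function> <address> N Bytes JMP <target>` line is an inline hook on an API entry point inside that process. What separates the McAfee lines at the end (JMP into `mcproxy.exe`, which GMER names after the target) from the svchost.exe lines (JMP into a low address with no owning module named) is whether GMER could attribute the jump target to a loaded module. The script below is an added triage example, not part of this thread and not GMER's own code; it parses lines copied from the log above (embedded as a constructed sample), folds the `+ N` continuation lines into the hook they belong to, and reports per process how many hooks jump to memory GMER did not attribute to any module. The assumption it rests on is exactly that convention: GMER appends the owning module path and description after a JMP target only when the target lies inside a loaded module's image.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the GMER "User code sections" output in
# this thread (three svchost.exe processes) plus one McAfee hook for contrast.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006D0FB9
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8D, 88]
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[1204] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1204] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1680] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
"""

# One GMER user-mode hook line: process[pid], module!function, optional "+ N"
# offset for the tail of a multi-part patch, patched address, byte count, patch.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+)\s+Bytes?\s+"
    r"(?P<patch>.+)$"
)
# The patch is either "JMP <target> [<owning module> (<description>)]" or raw bytes.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<owner>.+))?$")


@dataclass
class Hook:
    process: str
    pid: int
    api: str                 # e.g. "WS2_32.dll!socket"
    offset: int              # 0 for the hook at the function entry, N for a "+ N" line
    address: int
    nbytes: int
    target: Optional[int]    # JMP destination; None for raw-byte continuation lines
    owner: Optional[str]     # module GMER attributes the target to, if any (assumed convention)


def parse_hooks(text: str) -> List[Hook]:
    """Parse every GMER user-mode hook line in `text`; unrelated lines are skipped."""
    hooks: List[Hook] = []
    for raw in text.splitlines():
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue
        target = owner = None
        j = JMP_RE.match(m.group("patch").strip())
        if j:
            target = int(j.group("target"), 16)
            owner = j.group("owner")
        hooks.append(Hook(
            process=m.group("proc"),
            pid=int(m.group("pid")),
            api=f"{m.group('module')}!{m.group('func')}",
            offset=int(m.group("offset") or 0),
            address=int(m.group("addr"), 16),
            nbytes=int(m.group("nbytes")),
            target=target,
            owner=owner,
        ))
    return hooks


def summarize(hooks: List[Hook]) -> Dict[int, dict]:
    """Per process: number of hooked APIs and how many of them jump to a target
    GMER did not attribute to a loaded module (the signature of injected,
    unbacked code rather than a security product's own hooking DLL)."""
    summary: Dict[int, dict] = {}
    for h in hooks:
        if h.offset:  # "+ N" lines are the rest of the same patch, not another hook
            continue
        entry = summary.setdefault(h.pid, {
            "process": h.process, "hooks": 0, "unattributed": 0, "apis": []})
        entry["hooks"] += 1
        entry["apis"].append(h.api)
        if h.target is not None and h.owner is None:
            entry["unattributed"] += 1
    return summary


def suspicious_pids(summary: Dict[int, dict]) -> List[int]:
    """PIDs that have at least one hook into unattributed memory, ascending."""
    return sorted(pid for pid, e in summary.items() if e["unattributed"] > 0)


if __name__ == "__main__":
    report = summarize(parse_hooks(SAMPLE_LOG))
    for pid in suspicious_pids(report):
        e = report[pid]
        print(f"{e['process']}[{pid}]: {e['unattributed']}/{e['hooks']} hooks "
              f"into unattributed memory: {', '.join(e['apis'])}")
```

Run against the full log in this thread, the same code lists every svchost.exe instance with hooks on file, registry, process-creation, WinINet and socket APIs jumping to unattributed addresses, while the only hooks attributed to a named module are McAfee's. That split is the reading the helper in post #55 is doing by hand; the heuristic is a triage aid, not proof, since a product's hook trampoline can also live in allocated memory.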

  5. #55
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    So far so good. The sections part of GMER is what I wanted to see and you posted it; this is where the latest rootkit hides, and it's not showing in your log.

    Let's do this: use your computer for a few days and then post back and let me know how it's going.

    Ken

  6. #56
    Senior Member
    Join Date
    Sep 2008
    Posts
    151

    Default

    Expletive!!

    I searched Adobe in Bing and when I clicked on the link for Adobe
    http://www.adobe.com/products/flashplayer/

    it led me to
    http://www.manufacturersdirectory.co...keywords=adobe

  7. #57
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Let's go ahead and rerun ComboFix; drag what you have now to the trash and download a fresh copy.


    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

  8. #58
    Senior Member
    Join Date
    Sep 2008
    Posts
    151

    Default

    Sorry

    Blackberry was charging, just noticed your post.

    Cannot seem to find the ComboFix we saved earlier,
    not in the folder on the desktop I have been working in for all this.

    Nothing in the folder but the log.
    Shouldn't the program still be there?

  9. #59
    Senior Member
    Join Date
    Sep 2008
    Posts
    151

    Default

    Running ComboFix in normal mode when an error window popped up:

    ERROR!!
    Combofix has discovered the presence of rootkit activity and needs to restart the machine

    I clicked OK.

  10. #60
    Senior Member
    Join Date
    Sep 2008
    Posts
    151

    Default

    Ran in normal mode after it rebooted.


    ComboFix 10-05-16.02 - Robert 05/17/2010 21:06:05.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.615 [GMT -5:00]
    Running from: c:\documents and settings\Robert\Desktop\hjt\cbo\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    Infected copy of c:\windows\system32\drivers\intelppm.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))
    .

    2010-05-18 01:24 . 2010-05-18 01:26 -------- d-----w- c:\windows\SxsCaPendDel
    2010-05-17 22:23 . 2010-05-17 22:23 -------- d-----w- C:\_OTL
    2010-05-17 22:19 . 2010-05-17 22:19 -------- d-----w- C:\HostsXpert
    2010-05-16 05:56 . 2010-05-16 05:56 -------- d-----w- c:\program files\Common Files\Java
    2010-05-16 05:53 . 2010-05-16 05:53 -------- d-----w- c:\program files\Java
    2010-05-15 03:43 . 2010-05-15 03:43 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-05-14 23:07 . 2010-05-15 17:48 -------- d-----w- C:\rsit
    2010-05-10 02:43 . 2010-05-10 02:43 503808 ----a-w- c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50ceb13a-n\msvcp71.dll
    2010-05-10 02:43 . 2010-05-10 02:43 499712 ----a-w- c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50ceb13a-n\jmc.dll
    2010-05-10 02:43 . 2010-05-10 02:43 348160 ----a-w- c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50ceb13a-n\msvcr71.dll
    2010-05-10 02:43 . 2010-05-10 02:43 61440 ----a-w- c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-288bfa8f-n\decora-sse.dll
    2010-05-10 02:43 . 2010-05-10 02:43 12800 ----a-w- c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-288bfa8f-n\decora-d3d.dll
    2010-05-09 05:47 . 2010-05-16 05:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-02 22:02 . 2010-05-06 15:36 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-02 21:58 . 2010-05-02 21:59 -------- d-----w- c:\program files\Windows Defender
    2010-05-01 23:13 . 2010-05-01 23:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-05-01 17:12 . 2010-05-01 17:12 -------- d-----w- c:\documents and settings\Robert\Application Data\Malwarebytes
    2010-05-01 17:12 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-01 17:12 . 2010-05-01 17:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-05-01 17:12 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-01 17:12 . 2010-05-01 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-25 04:35 . 2010-05-08 08:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-04-25 04:34 . 2010-04-25 04:34 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Roxio
    2010-04-25 04:34 . 2010-04-25 04:34 -------- d-----w- c:\documents and settings\Robert\Application Data\Roxio

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-18 01:48 . 2009-04-07 04:01 256 ----a-w- c:\windows\system32\pool.bin
    2010-05-18 01:24 . 2009-05-31 18:13 -------- d-----w- c:\program files\Lavasoft
    2010-05-18 01:24 . 2008-10-05 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-05-16 06:33 . 2008-09-21 16:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-05-16 06:33 . 2008-09-21 16:57 -------- d-----w- c:\program files\SpywareBlaster
    2010-05-15 17:47 . 2006-11-05 20:09 -------- d-----w- c:\program files\Trend Micro
    2010-05-10 01:54 . 2008-08-10 04:10 -------- d-----w- c:\program files\Roxio
    2010-05-03 22:03 . 2005-10-28 02:58 107704 ----a-w- c:\documents and settings\Happy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-04-21 16:01 . 2010-04-14 04:42 817200 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-04-20 23:32 . 2005-10-29 01:32 107704 ----a-w- c:\documents and settings\Robert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-04-17 15:12 . 2009-04-07 03:36 -------- d-----w- c:\program files\Common Files\Roxio Shared
    2010-04-17 15:09 . 2009-04-07 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
    2010-04-01 23:15 . 2008-09-12 20:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-26 03:39 . 2010-01-31 16:02 49152 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
    2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe
    2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
    2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe
    2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe
    2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe
    2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe
    2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe
    2010-03-26 03:39 . 2010-01-31 16:02 49152 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe
    2010-03-26 03:39 . 2010-01-31 16:02 49152 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe
    2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\DesktopMgr.exe
    2010-03-10 06:15 . 2008-08-11 23:48 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-02-25 06:24 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 13:11 . 2008-08-11 23:48 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-21 02:15 . 2009-10-31 04:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-02-17 14:10 . 2008-08-11 23:48 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-17 02:31 . 2010-02-17 02:31 26694 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{8D55AC33-2CB4-4A4D-93A9-F5C76124BBC3}\BlackBerry.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
    @="{95A27763-F62A-4114-9072-E81D87DE3B68}"
    [HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
    2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
    @="{E300CD91-100F-4E67-9AF3-1384A6124015}"
    [HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
    2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
    @="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
    [HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
    2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
    "ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-10-19 98304]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840]
    "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\Robert\Start Menu\Programs\Startup\
    Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2010-3-10 1819992]
    Microsoft Greetings Reminders.lnk - c:\documents and settings\All Users\Microsoft Home Publishing\MHPRMIND.EXE [1998-8-13 40960]
    Microsoft Works Calendar Reminders.lnk - c:\documents and settings\All Users\Application Data\MSWorks\Calendar\WKCALREM.EXE [1998-7-21 68368]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-9 24576]
    NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2005-11-9 237568]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [4/27/2009 10:25 AM 27160]
    R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [4/27/2009 10:26 AM 79896]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [4/27/2009 10:26 AM 22552]
    S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [4/27/2009 10:27 AM 25112]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-18 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

    2010-05-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-09-12 21:31]

    2010-05-16 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-09-12 21:31]

    2010-05-18 c:\windows\Tasks\User_Feed_Synchronization-{97465611-51A7-4A27-BBCC-D5DE1ECEE541}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    Trusted Zone: mcafee.com
    Trusted Zone: msn.com\www
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    AddRemove-Cisco Unified Presenter Add-in - c:\documents and settings\Robert\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\ciscou...edaddin6x0.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-17 21:15
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
    "ImagePath"="\"\""
    .
    Completion time: 2010-05-17 21:22:38
    ComboFix-quarantined-files.txt 2010-05-18 02:22
    ComboFix2.txt 2010-05-15 04:20

    Pre-Run: 9,319,911,424 bytes free
    Post-Run: 9,294,102,528 bytes free

    - - End Of File - - E062C251877911302C52BA22E737BB80
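The 'Reg Loading Points' and driver lines in a ComboFix log are what a helper reads first, and they follow a fixed shape: `"Name"="path" [date size]` for Run/RunOnce values, and `<start> <service>;<display>;<path> [date time size]` for services, with `--> path [?]` when ComboFix could not read the file's metadata. The script below is an added example written for this thread, not ComboFix output or code from the forum helpers. It parses those two formats from lines copied out of the log above (plus one clearly marked constructed line) and flags the entries worth a second look: autostarts under a user profile, 8.3 short-name paths that hide the real program directory, and services whose file could not be examined. The `[?]` reading and the flagging heuristics are this example's assumptions, not documented ComboFix rules; a flag means "verify on disk", not "malicious".

```python
"""Triage the autostart sections of a ComboFix log.

Added example for this thread; not ComboFix or forum-helper code.
Sample lines are copied from the posted log except where marked
as constructed. Heuristics below are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Lines copied from the log above; the "Example" line is constructed
# (not in the log) to show an autostart living under a user profile.
SAMPLE_LINES = [
    r'[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]',
    r'"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]',
    r'"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]',
    '',
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]',
    r'"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]',
    r'"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]',
    # constructed line, not from the log:
    r'"Example"="c:\documents and settings\Robert\Application Data\Example\example.exe" [2010-05-10 110592]',
    '',
    r'R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [4/27/2009 10:25 AM 27160]',
    r'S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]',
]

# "Name"="path" [YYYY-MM-DD size]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)
# <start> <svc>;<display>;<path>[ --> <path>] [<metadata or ?>]
SVC_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)(?:\s+-->\s+\S.*?)?\s+\[(?P<meta>[^\]]*)\]$'
)
SHORT_NAME_RE = re.compile(r'~\d')          # 8.3 names such as progra~1
PROFILE_ROOT = 'c:\\documents and settings\\'  # user-writable on XP


@dataclass
class Entry:
    key: str                      # registry key header, or 'service'
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse(lines: List[str]) -> List[Entry]:
    """Extract Run-value and service entries, remembering the key header."""
    entries: List[Entry] = []
    key = ''
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry(key, m['name'], m['path']))
            continue
        m = SVC_RE.match(line)
        if m:
            e = Entry('service', m['svc'], m['path'])
            if m['meta'] == '?':
                # assumption: '[?]' means ComboFix could not read the file
                e.reasons.append('no-file-metadata')
            entries.append(e)
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Apply review heuristics; return only the entries that got a flag."""
    for e in entries:
        p = e.path.lower()
        if p.startswith(PROFILE_ROOT):
            e.reasons.append('profile-path')   # autostart from a user profile
        if SHORT_NAME_RE.search(p):
            e.reasons.append('short-name')     # resolve the 8.3 path first
        if '(no file)' in p:
            e.reasons.append('no-file')        # orphaned loading point
    return [e for e in entries if e.reasons]


def triage_log(lines: List[str]) -> Dict[str, List[str]]:
    """Convenience wrapper: entry name -> list of flags."""
    return {e.name: e.reasons for e in triage(parse(lines))}


if __name__ == '__main__':
    for name, reasons in triage_log(SAMPLE_LINES).items():
        print(f'{name}: {", ".join(reasons)}')
```

Running it over the sample prints three flagged entries: the constructed profile-path autostart, the `ISUSPM Startup` value that uses 8.3 names for the same InstallShield updater already listed under HKCU with a full path, and the `Lbd` boot driver whose file ComboFix could not read. Everything that parsed cleanly from `c:\program files` or `system32\drivers` with full metadata is left alone.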
