Exploit.Java.CVE-2009, Antimalware Doctor, FakeAlert, and others

Ran root again this morning in normal mode
- in both safe and normal it only took a couple of seconds to run

No time to do the new instructions, had to get to work

Below is this morning's root in normal mode
- looks rather similar to the one in safe mode

- I'll do the new instructions this afternoon/evening when I get home



ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/05/17 07:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEC6B3000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf76e787e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf76e7bfe

==EOF==
 
McAfee

I was thinking at some point it may help to uninstall, clean/scrub the system, and reinstall McAfee
- I downloaded it through Cox; free as a subscriber

I use their antivirus and firewall
- wondering if it may have been adjusted/corrupted to not allow Windows to update

what do you think?
 
Are you referring to a format and clean install of Windows? That's always a good option, but your call to do it or not. If you do decide to do that and need help, I can link you to a Windows forum that can help you through the process.
 
"You can, but dont know how that would solve the redirects "
I know

I was referring to after the redirects were fixed

One of the blogs I was reading stated there may be an issue with the firewall and that is why Windows Update is not working correctly
- I don't know, just grabbing at straws, looking for solutions

You are doing a great job, and I appreciate your knowledge and support
- just thought maybe something was wrong with McAfee and it wasn't letting the update page appear
-- it did let this little bug in the door
 
I am not a big fan of McAfee, so I don't know my way around in it too well, but I am sure there is an option to disable the firewall temporarily. Try it and see if you can get the updates.
 
Ok

A question b/c I’m not sure if I’ll have access to you this afternoon/evening:
- This is more of a statement/question: after I run the OTL custom fixes, a report will be created in the folder automatically, right?
You stated in your instructions (after the HostsXpert part) to "Post the OTL report and let me know if this helped".
Asking because I noticed a reboot command and would think it would reboot before I could save the logs.

Also, what if I ran GMER without the files box being checked like you had me do for ROOTREPEAL?
Thinking it will scan in normal mode and not crash like before b/c the scan will be done quicker.
What do you think?
- And just tell me to be quiet if my ideas are bugging you, just trying to assist.
You are the Captain, though. You are leading this expedition.
 
Nope, you're not bugging me. I am at work right now with limited access, but will be online tonight until around 9 or so Eastern time.

Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.

There will be no report from HostsXpert
 
Ran OTL

Tried to run HostsXpert
1) It told me my host was hidden and asked if I wanted to make it writable
- I clicked OK
2) When I clicked restore MS host file, I got an error
- ERROR: Cannot create file C:\WINDOWS\system32\ETC\hosts

I clicked on make writable under file handling and I think it did it

Not very confident; the log on the right does look correct
I print-screened it and attached it to this post; see below the OTL log

All processes killed
========== OTL ==========
127.0.0.1 localhost removed from HOSTS file successfully
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\morkee.com\i2\ deleted successfully.
Starting removal of ActiveX control {FD3FF62E-61A7-48EE-A4A4-97CE7BD1F99D}
C:\WINDOWS\Downloaded Program Files\SodaAgent.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FD3FF62E-61A7-48EE-A4A4-97CE7BD1F99D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD3FF62E-61A7-48EE-A4A4-97CE7BD1F99D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FD3FF62E-61A7-48EE-A4A4-97CE7BD1F99D}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD3FF62E-61A7-48EE-A4A4-97CE7BD1F99D}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 405 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 914 bytes
->Flash cache emptied: 300 bytes

User: Happy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 4839227 bytes
->Java cache emptied: 7322509 bytes
->Flash cache emptied: 93717 bytes

User: Happy.DDHRXN81
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 5450 bytes
->Temporary Internet Files folder emptied: 4222102 bytes
->Java cache emptied: 35927 bytes
->Flash cache emptied: 28989 bytes

User: Robert
->Temp folder emptied: 179103 bytes
->Temporary Internet Files folder emptied: 111776721 bytes
->Java cache emptied: 18012751 bytes
->Flash cache emptied: 2179097 bytes

User: Robert.DDHRXN81
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: TEMP
->Temp folder emptied: 0 bytes

User: TEMP.DHRXN81

User: TEMP.DHRXN81(2).005

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 39138 bytes
%systemroot%\System32 .tmp files removed: 2962961 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 73670 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 113242 bytes
RecycleBin emptied: 57672162 bytes

Total Files Cleaned = 200.00 mb


OTL by OldTimer - Version 3.2.4.1 log created on 05172010_172313

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8GOJWTY7\blank[1].htm not found!
File\Folder C:\WINDOWS\temp\mcmsc_CcFghMEXKZ6Lm7o not found!
File\Folder C:\WINDOWS\temp\mcmsc_fdtl5agmJqs2Iwb not found!
File\Folder C:\WINDOWS\temp\mcmsc_hYSslwoiUZHCb68 not found!
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_ab0.dat not found!

Registry entries deleted on Reboot...
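The HostsXpert error above concerns writing the hosts file; what the file contains is the other half of the redirect question. The audit below is an added example, not code from the thread or from HostsXpert/OTL: it parses a hosts file, separates the stock 127.0.0.1 localhost entry from names sinkholed to loopback or pinned to a foreign address, and, on Windows, reports the hidden/read-only attributes that stop a repair tool from writing the file. The watch-list of names, the sample content and the addresses in it are constructed for the example.

```python
# Added example for this thread; not code from the thread, HostsXpert or OTL.
# A hosts file that maps update or security-vendor names to 127.0.0.1 (silent
# block) or to a foreign address (redirect) is one way a machine ends up unable
# to reach Windows Update. Sample content and watch-list are constructed.
import ipaddress
import os
import stat
import sys
from typing import Dict, List, NamedTuple

DEFAULT_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"  # standard location on XP

# Names a defender would not expect to see pinned in hosts at all (constructed watch-list).
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "mcafee.com")


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    names: List[str]


class Finding(NamedTuple):
    line_no: int
    name: str
    ip: str
    reason: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text into (line, ip, names); comments and malformed lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not "ip name [name...]"; a repair tool would rewrite it anyway
        entries.append(HostsEntry(n, parts[0], [p.lower() for p in parts[1:]]))
    return entries


def _watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> List[Finding]:
    """Flag every name that is sinkholed to loopback, or a watched name pinned elsewhere."""
    findings = []
    for e in parse_hosts(text):
        addr = ipaddress.ip_address(e.ip)
        for name in e.names:
            if name in ("localhost", "localhost.localdomain") and addr.is_loopback:
                continue  # the stock Microsoft entry, "127.0.0.1 localhost"
            if addr.is_loopback or addr.is_unspecified:
                findings.append(Finding(e.line_no, name, e.ip, "blocked (sinkholed to loopback)"))
            elif _watched(name):
                findings.append(Finding(e.line_no, name, e.ip, "redirected (watched name pinned)"))
            elif not addr.is_private:
                findings.append(Finding(e.line_no, name, e.ip, "pinned to a public address"))
    return findings


def hosts_file_attributes(path: str = DEFAULT_HOSTS_PATH) -> Dict[str, bool]:
    """On Windows, report the attributes that make a hosts-repair tool fail to write the
    file (the 'Cannot create file' error above). Elsewhere, or if absent, all flags are False."""
    flags = {"exists": False, "hidden": False, "readonly": False}
    if sys.platform != "win32" or not os.path.exists(path):
        return flags
    attrs = os.stat(path).st_file_attributes
    flags["exists"] = True
    flags["hidden"] = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    flags["readonly"] = bool(attrs & stat.FILE_ATTRIBUTE_READONLY)
    return flags


# Constructed sample: the stock entry plus two kinds of tampering (203.0.113.7 is TEST-NET-3).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.microsoft.com windowsupdate.microsoft.com
203.0.113.7     www.mcafee.com   # constructed example address
192.168.1.10    printer.lan
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.name} -> {f.ip}: {f.reason}")
    print(hosts_file_attributes())
```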
 
Well, for once I was able to post the message to the forum. That's a good sign.

I took the liberty of starting GMER again, but this time I unchecked the ones you had suggested before and I unchecked another one.
- the files box

Too many characters to post, so I split it.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-17 18:29:43
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Robert\LOCALS~1\Temp\axtdapog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76E787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76E7BFE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEE36578A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEE365738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEE36574C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEE365837]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEE365863]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEE3658D1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEE3658BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEE3657CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEE3658FD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEE36580D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEE365710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEE365724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEE36579E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEE365939]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEE3658A5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEE36588F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEE36584D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEE365925]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEE365911]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEE365776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEE365762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEE3657F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEE3658E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEE3657E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEE3657B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP EE3657B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D48 5 Bytes JMP EE365811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F9 7 Bytes JMP EE365893 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CF98 5 Bytes JMP EE36578E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DDD9 5 Bytes JMP EE365766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570C4A 7 Bytes JMP EE36593D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570F41 7 Bytes JMP EE3658D5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805719AC 5 Bytes JMP EE365714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571E96 7 Bytes JMP EE3657A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP EE3657E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP EE3657CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP EE365750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805824CC 5 Bytes JMP EE3657FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80589A67 7 Bytes JMP EE3658BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058E5C4 5 Bytes JMP EE365728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058EA94 5 Bytes JMP EE365901 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D64 7 Bytes JMP EE365867 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80595316 7 Bytes JMP EE36583B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B14AC 5 Bytes JMP EE36573C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062E057 5 Bytes JMP EE36577A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DD32 7 Bytes JMP EE3658EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E66B 7 Bytes JMP EE3658A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064EAEA 7 Bytes JMP EE365851 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064EFDD 5 Bytes JMP EE365915 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F446 5 Bytes JMP EE365929 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF7A0A760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF672EF80]
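Triage of the RootRepeal and GMER SSDT listings above, as an added example (not code from the thread or from either tool): it parses both line formats, groups hooks by the driver that installed them, flags drivers that are not on an allowlist of known security-product drivers, and checks that RootRepeal's two findings agree with GMER's (RootRepeal names the service Nt*, GMER Zw*; both refer to the same SSDT entry). The allowlist is constructed from the vendor strings the logs print for Lbd.sys and mfehidk.sys, and the sample lines are copied from those logs.

```python
# Added example for this thread, not code from the thread or from RootRepeal/GMER.
# It parses the SSDT hook lines quoted in the logs above, groups them by the driver
# that installed them, flags drivers missing from an allowlist of known security
# products, and cross-checks RootRepeal's findings against GMER's.
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Hook(NamedTuple):
    tool: str               # "rootrepeal" or "gmer"
    kind: str               # "SSDT" or "Code" (GMER's System section labels)
    module: str             # lower-cased file name of the hooking driver, e.g. "lbd.sys"
    function: str           # hooked service, "NtCreateKey" (RootRepeal) / "ZwCreateKey" (GMER)
    address: Optional[int]  # hook address, None where GMER printed none
    vendor: Optional[str]   # vendor string GMER prints; RootRepeal prints none

# RootRepeal: "#: 041 Function Name: NtCreateKey" then 'Status: Hooked by "Lbd.sys" at address 0x...'
RR_FUNC = re.compile(r"^#:\s*\d+\s+Function Name:\s*(\w+)")
RR_HOOK = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')

# GMER System section: "SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76E787E]";
# the trailing [address] is absent on some Code lines.
GMER_SYS = re.compile(
    r"^(SSDT|Code)\s+(\S+)\s+\(([^/)]*)/([^)]*)\)\s+(\w+)(?:\s+\[(0x[0-9a-fA-F]+)\])?\s*$")

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parse_rootrepeal(text: str) -> List[Hook]:
    hooks, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = RR_FUNC.match(line)
        if m:
            pending = m.group(1)
            continue
        m = RR_HOOK.match(line)
        if m and pending:
            hooks.append(Hook("rootrepeal", "SSDT", _basename(m.group(1)), pending, int(m.group(2), 16), None))
            pending = None
    return hooks

def parse_gmer(text: str) -> List[Hook]:
    hooks = []
    for line in text.splitlines():
        m = GMER_SYS.match(line.strip())
        if m:
            kind, path, _desc, vendor, func, addr = m.groups()
            hooks.append(Hook("gmer", kind, _basename(path), func, int(addr, 16) if addr else None, vendor.strip()))
    return hooks

def triage(hooks: List[Hook], known: Dict[str, str]) -> Dict[str, dict]:
    """Group hooks by owning driver. A driver is suspicious when it is not in the
    allowlist or when GMER's vendor string disagrees with the allowlisted vendor."""
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h.module].append(h)
    report = {}
    for mod, hs in by_module.items():
        vendors = {h.vendor for h in hs if h.vendor}
        expected = known.get(mod)
        report[mod] = {"count": len(hs), "functions": sorted({h.function for h in hs}),
                       "vendors": sorted(vendors),
                       "suspicious": expected is None or any(v != expected for v in vendors)}
    return report

def _service_name(func: str) -> str:
    # GMER labels SSDT entries Zw*, RootRepeal Nt*; both name the same system service.
    return "Nt" + func[2:] if func[:2] in ("Nt", "Zw") else func

def corroborate(rr: List[Hook], gmer: List[Hook]) -> Dict[str, bool]:
    """Per RootRepeal hook: True if GMER reports the same driver at the same address."""
    gm = {_service_name(h.function): h for h in gmer if h.kind == "SSDT"}
    result = {}
    for h in rr:
        g = gm.get(_service_name(h.function))
        result[h.function] = bool(g and g.module == h.module and g.address == h.address)
    return result

# Constructed allowlist, taken from the vendor strings the logs above print for these drivers.
KNOWN_SECURITY_DRIVERS = {"lbd.sys": "Lavasoft AB", "mfehidk.sys": "McAfee, Inc."}

# Sample input: lines copied from the RootRepeal and GMER logs quoted in this thread.
SAMPLE_ROOTREPEAL = """\
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf76e787e
#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf76e7bfe
"""
SAMPLE_GMER = r"""SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76E787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76E7BFE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEE36578A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
"""

if __name__ == "__main__":
    rr, gm = parse_rootrepeal(SAMPLE_ROOTREPEAL), parse_gmer(SAMPLE_GMER)
    for mod, info in triage(rr + gm, KNOWN_SECURITY_DRIVERS).items():
        print(mod, "SUSPICIOUS" if info["suspicious"] else "known", info["functions"])
    print("RootRepeal findings confirmed by GMER:", corroborate(rr, gm))
```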
 
2nd part

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\lsass.exe[764] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\system32\lsass.exe[764] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D10FC3
.text C:\WINDOWS\system32\lsass.exe[764] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D1000A
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D9000A
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D9008B
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D9007A
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D90069
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D90FAC
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D9003D
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D90F4D
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D90F6A
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D90F21
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D90F32
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D90F10
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D9004E
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D9001B
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D90F7B
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D9002C
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D90FDB
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D900B0
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D80FAF
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D80058
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D80FC0
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D80047
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D8002C
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D80011
.text C:\WINDOWS\system32\svchost.exe[932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D7004E
.text C:\WINDOWS\system32\svchost.exe[932] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D7003D
.text C:\WINDOWS\system32\svchost.exe[932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D70018
.text C:\WINDOWS\system32\svchost.exe[932] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\svchost.exe[932] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D70FC3
.text C:\WINDOWS\system32\svchost.exe[932] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D70FDE
.text C:\WINDOWS\system32\svchost.exe[932] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006D000A
.text C:\WINDOWS\system32\svchost.exe[932] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\system32\svchost.exe[932] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\system32\svchost.exe[932] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006D0025
.text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E0000
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006E0F83
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006E0F94
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006E006C
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006E0051
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006E0FAF
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006E0F61
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006E00A9
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006E00CE
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006E0F35
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006E00E9
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006E0036
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E0FE5
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006E0F72
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006E001B
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006E0FCA
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006E0F50
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006D0FDE
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006D0F9E
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006D001B
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006D005B
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006D0FB9
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8D, 88]
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006D0040
.text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 001C0FC1
.text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!system 77C293C7 5 Bytes JMP 001C004C
.text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 001C0FE3
.text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 001C0000
.text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 001C0FD2
.text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 001C001D
.text C:\WINDOWS\System32\svchost.exe[968] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[968] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\System32\svchost.exe[968] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001A0FCD
.text C:\WINDOWS\System32\svchost.exe[968] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001A0FB2
.text C:\WINDOWS\System32\svchost.exe[968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0FEF
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC0F5C
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0F77
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC005B
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC004A
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC0FB9
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC0F37
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC007D
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC00BF
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC0F26
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FC0F15
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FC0FA8
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FC0FDE
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FC006C
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FC002F
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FC0014
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FC00A4
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FB001B
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FB0036
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FB000A
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FB0FD4
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FB0F83
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FB0FE5
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FB0F94
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1B, 89]
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FB0FAF
.text C:\WINDOWS\system32\svchost.exe[1004] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FA0070
.text C:\WINDOWS\system32\svchost.exe[1004] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FA005F
.text C:\WINDOWS\system32\svchost.exe[1004] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FA0029
.text C:\WINDOWS\system32\svchost.exe[1004] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FA000C
.text C:\WINDOWS\system32\svchost.exe[1004] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FA004E
.text C:\WINDOWS\system32\svchost.exe[1004] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\system32\svchost.exe[1004] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\svchost.exe[1004] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006E0FE5
.text C:\WINDOWS\system32\svchost.exe[1004] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006E0FD4
.text C:\WINDOWS\system32\svchost.exe[1004] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006E001B
.text C:\WINDOWS\system32\svchost.exe[1004] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006F0000
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006D000C
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024E0FEF
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 024E0F79
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 024E006E
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 024E0F94
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 024E0047
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 024E0FAF
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024E00AB
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024E009A
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024E00D7
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024E0F3E
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024E0F23
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 024E0036
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 024E0000
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 024E0089
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 024E0FC0
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 024E0011
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024E00BC
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01950FC3
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0195005B
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01950FDE
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01950FEF
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01950F9E
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0195000A
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01950036
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01950025
.text C:\WINDOWS\System32\svchost.exe[1204] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 024F000A
.text C:\WINDOWS\System32\svchost.exe[1204] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1204] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01940042
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!system 77C293C7 5 Bytes JMP 01940027
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01940FD2
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01940FEF
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01940FC1
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0194000C
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0192000A
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0192001B
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0192002C
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01920047
.text C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01930000
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00930080
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00930F8B
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00930065
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00930FB2
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00930FD4
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00930F3A
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00930F55
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009300B8
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009300A7
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009300C9
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00930FC3
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00930F66
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00930040
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0093002F
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00930F29
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00920F9E
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00920039
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00920FB9
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00920FD4
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00920F72
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00920FE5
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00920F83
.text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00910078
.text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!system 77C293C7 5 Bytes JMP 00910053
.text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0091001D
.text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00910042
.text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00910FE3
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001C002F
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001C004A
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A10F6C
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A10F87
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A10055
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A10044
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A10FAC
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A100A8
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A10097
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A10F34
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A100C3
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A10F19
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A10033
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A10011
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A1007C
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A10FD1
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A10022
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A10F45
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006F0FB9
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006F002C
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006F000A
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006F0FD4
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006F0F79
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006F0FE5
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006F0F94
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8F, 88]
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006F001B
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006E0031
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!system 77C293C7 5 Bytes JMP 006E0016
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006E0FC1
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006E0FE3
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006E0FA6
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006E0FD2
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001C0011
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001C002C
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001C0FD1
.text C:\WINDOWS\system32\svchost.exe[1388] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006D000A
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006F0000
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006F007B
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006F0F7C
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006F0F8D
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006F0F9E
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006F0FD4
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006F00B3
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006F00A2
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006F00F0
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006F00DF
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006F0101
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006F0FB9
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006F001B
 
3rd part
(this sucks)

.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006F0F6B
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006F0FE5
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006F002C
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006F00C4
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006E0FB9
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006E0F83
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006E0014
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006E0FDE
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006E0F94
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006E0036
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006E0025
.text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006D004E
.text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!system 77C293C7 5 Bytes JMP 006D0FCD
.text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006D0FDE
.text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006D000C
.text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006D003D
.text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B0036
.text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\svchost.exe[1544] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001C0000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1680] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1680] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
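The block of `.text ... 5 Bytes JMP ...` lines above is GMER's list of user-mode inline hooks: the first bytes of an exported API (kernel32!CreateFileA, ADVAPI32!RegOpenKeyExW, msvcrt!system, WININET!InternetOpenA, WS2_32!socket, and so on) have been overwritten with a jump to a trampoline. Reading three hundred of them by hand is not how a practitioner triages such a log; what matters is which processes are patched, whether the same exports are patched in every process (a system-wide hooking engine rather than one injected process), where the jumps land, and whether GMER could name the module that owns the landing address (it does so only for the two mcproxy.exe lines, which it labels McAfee). The following parser is an added example for this thread, not GMER's code and not a tool the helper used; it assumes only the two line formats visible in the log above, and the API-family labels and the constructed sample lines are mine:

```python
"""Triage helper for the user-mode inline-hook lines GMER 1.0.15 prints.

Added example for this thread; not GMER's code and not a tool the helper used.
Assumes only the two line formats seen in the log above:
  .text <process>[pid] <module>!<export> <addr> <n> Bytes JMP <target> [<owner> (<description>)]
  .text <process>[pid] <module>!<export> + <k> <addr> <n> Bytes [<raw bytes>]
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\))?"
    r"|\[(?P<raw>[^\]]*)\])\s*$"
)

# Labels for what a patched export intercepts (my grouping, not GMER's).
FAMILIES = {
    "file": {"CreateFileA", "CreateFileW", "_open", "_wopen", "_creat", "_wcreat"},
    "registry": {"RegOpenKeyA", "RegOpenKeyW", "RegOpenKeyExA", "RegOpenKeyExW",
                 "RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW"},
    "exec": {"CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"},
    "memory": {"VirtualProtect", "VirtualProtectEx", "NtProtectVirtualMemory", "NtWriteVirtualMemory"},
    "network": {"socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW"},
}

def family_of(export):
    return next((name for name, members in FAMILIES.items() if export in members), "other")

def parse_hooks(text):
    """One dict per hook line; lines in any other format (headers, devices) are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["nbytes"] = int(d["nbytes"])
        d["process"] = d["proc"].rsplit("\\", 1)[-1].lower()
        d["module"] = d["module"].lower()
        d["family"] = family_of(d["export"])
        # "+ 3 ... [8D, 88]" lines show the bytes following a short JMP; they are
        # continuations of the previous hook, not additional hooks.
        d["continuation"] = d["target"] is None
        # 64 KiB region of the JMP target. In the log above each hooked DLL in a
        # process jumps into its own region (lsass.exe: kernel32 -> 00FDxxxx,
        # ADVAPI32 -> 00D4xxxx, msvcrt -> 00D3xxxx, WS2_32 -> 00D2xxxx).
        d["region"] = d["target"][:4] + "0000" if d["target"] else None
        hooks.append(d)
    return hooks

def summarize(hooks):
    """Per (process, pid): patched modules, API families, JMP regions, and how many
    targets GMER could (attributed) or could not (unattributed) tie to a named module."""
    out = {}
    for h in hooks:
        if h["continuation"]:
            continue
        s = out.setdefault((h["process"], h["pid"]),
                           {"modules": set(), "families": set(), "regions": set(),
                            "attributed": 0, "unattributed": 0})
        s["modules"].add(h["module"])
        s["families"].add(h["family"])
        s["regions"].add(h["region"])
        s["attributed" if h["owner"] else "unattributed"] += 1
    return out

def hook_prevalence(hooks):
    """'module!export' -> number of distinct processes in which it is patched.
    An export patched in every process is the footprint of a system-wide hooking
    engine; a single process with private hooks is a different finding."""
    seen = defaultdict(set)
    for h in hooks:
        if not h["continuation"]:
            seen[h["module"] + "!" + h["export"]].add((h["process"], h["pid"]))
    return {k: len(v) for k, v in seen.items()}

# Constructed sample: a few lines in the same format as the log above.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D4002F
.text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E0000
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006D0FB9
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8D, 88]
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024E0FEF
.text C:\WINDOWS\System32\svchost.exe[1204] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1204] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1680] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
"""

if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for (proc, pid), s in sorted(summarize(hooks).items()):
        print(f"{proc}[{pid}]: modules={sorted(s['modules'])} families={sorted(s['families'])} "
              f"regions={sorted(s['regions'])} attributed={s['attributed']} unattributed={s['unattributed']}")
    for name, n in sorted(hook_prevalence(hooks).items(), key=lambda kv: -kv[1]):
        print(f"{n} process(es): {name}")
```

Run it on the full log (`parse_hooks(open("gmer.log").read())`) and the unattributed count is the column to read: a hook whose target GMER cannot tie to any loaded module lands in private memory, which is exactly what both a HIPS trampoline and an injected payload look like, so the prevalence table and the named-owner lines are what let you decide which of the two you are looking at.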
 
So far so good. The sections part of GMER is what I wanted to see, and you posted it; this is where the latest rootkit hides, and it's not showing on your log.

Let's do this: use your computer for a few days, then post back and let me know how it's going.

Ken :)
 
Let's go ahead and rerun ComboFix: drag what you have now to the trash and download a fresh copy.


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your antivirus and antispyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instructions on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot: RC1.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include C:\ComboFix.txt in your next reply along with a new HijackThis log.

*If there is no internet connection when ComboFix has completely finished, restart your computer to restore the connection.
 
sorry

BlackBerry was charging, just noticed your post

cannot seem to find the ComboFix we saved earlier
not in the folder on the desktop I have been working in for all this

nothing in the folder but the log
shouldn't the program still be there?
 
running ComboFix in normal mode when an error window popped up

ERROR!!
Combofix has discovered the presence of rootkit activity and needs to restart the machine

I clicked OK
 
ran in normal mode after it rebooted


ComboFix 10-05-16.02 - Robert 05/17/2010 21:06:05.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.615 [GMT -5:00]
Running from: c:\documents and settings\Robert\Desktop\hjt\cbo\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\intelppm.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))
.

2010-05-18 01:24 . 2010-05-18 01:26 -------- d-----w- c:\windows\SxsCaPendDel
2010-05-17 22:23 . 2010-05-17 22:23 -------- d-----w- C:\_OTL
2010-05-17 22:19 . 2010-05-17 22:19 -------- d-----w- C:\HostsXpert
2010-05-16 05:56 . 2010-05-16 05:56 -------- d-----w- c:\program files\Common Files\Java
2010-05-16 05:53 . 2010-05-16 05:53 -------- d-----w- c:\program files\Java
2010-05-15 03:43 . 2010-05-15 03:43 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-14 23:07 . 2010-05-15 17:48 -------- d-----w- C:\rsit
2010-05-10 02:43 . 2010-05-10 02:43 503808 ----a-w- c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50ceb13a-n\msvcp71.dll
2010-05-10 02:43 . 2010-05-10 02:43 499712 ----a-w- c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50ceb13a-n\jmc.dll
2010-05-10 02:43 . 2010-05-10 02:43 348160 ----a-w- c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50ceb13a-n\msvcr71.dll
2010-05-10 02:43 . 2010-05-10 02:43 61440 ----a-w- c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-288bfa8f-n\decora-sse.dll
2010-05-10 02:43 . 2010-05-10 02:43 12800 ----a-w- c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-288bfa8f-n\decora-d3d.dll
2010-05-09 05:47 . 2010-05-16 05:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-02 22:02 . 2010-05-06 15:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-02 21:58 . 2010-05-02 21:59 -------- d-----w- c:\program files\Windows Defender
2010-05-01 23:13 . 2010-05-01 23:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-01 17:12 . 2010-05-01 17:12 -------- d-----w- c:\documents and settings\Robert\Application Data\Malwarebytes
2010-05-01 17:12 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-01 17:12 . 2010-05-01 17:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-01 17:12 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-01 17:12 . 2010-05-01 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-25 04:35 . 2010-05-08 08:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-25 04:34 . 2010-04-25 04:34 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Roxio
2010-04-25 04:34 . 2010-04-25 04:34 -------- d-----w- c:\documents and settings\Robert\Application Data\Roxio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-18 01:48 . 2009-04-07 04:01 256 ----a-w- c:\windows\system32\pool.bin
2010-05-18 01:24 . 2009-05-31 18:13 -------- d-----w- c:\program files\Lavasoft
2010-05-18 01:24 . 2008-10-05 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-16 06:33 . 2008-09-21 16:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-16 06:33 . 2008-09-21 16:57 -------- d-----w- c:\program files\SpywareBlaster
2010-05-15 17:47 . 2006-11-05 20:09 -------- d-----w- c:\program files\Trend Micro
2010-05-10 01:54 . 2008-08-10 04:10 -------- d-----w- c:\program files\Roxio
2010-05-03 22:03 . 2005-10-28 02:58 107704 ----a-w- c:\documents and settings\Happy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-21 16:01 . 2010-04-14 04:42 817200 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-20 23:32 . 2005-10-29 01:32 107704 ----a-w- c:\documents and settings\Robert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-17 15:12 . 2009-04-07 03:36 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-04-17 15:09 . 2009-04-07 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-04-01 23:15 . 2008-09-12 20:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-26 03:39 . 2010-01-31 16:02 49152 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-26 03:39 . 2010-01-31 16:02 49152 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-03-26 03:39 . 2010-01-31 16:02 49152 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-03-26 03:39 . 2010-01-31 16:02 69632 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\DesktopMgr.exe
2010-03-10 06:15 . 2008-08-11 23:48 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-08-11 23:48 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-21 02:15 . 2009-10-31 04:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-17 14:10 . 2008-08-11 23:48 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 02:31 . 2010-02-17 02:31 26694 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{8D55AC33-2CB4-4A4D-93A9-F5C76124BBC3}\BlackBerry.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-10-19 98304]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Robert\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2010-3-10 1819992]
Microsoft Greetings Reminders.lnk - c:\documents and settings\All Users\Microsoft Home Publishing\MHPRMIND.EXE [1998-8-13 40960]
Microsoft Works Calendar Reminders.lnk - c:\documents and settings\All Users\Application Data\MSWorks\Calendar\WKCALREM.EXE [1998-7-21 68368]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-9 24576]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2005-11-9 237568]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [4/27/2009 10:25 AM 27160]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [4/27/2009 10:26 AM 79896]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [4/27/2009 10:26 AM 22552]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [4/27/2009 10:27 AM 25112]
.
Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-05-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-09-12 21:31]

2010-05-16 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-09-12 21:31]

2010-05-18 c:\windows\Tasks\User_Feed_Synchronization-{97465611-51A7-4A27-BBCC-D5DE1ECEE541}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
Trusted Zone: mcafee.com
Trusted Zone: msn.com\www
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-Cisco Unified Presenter Add-in - c:\documents and settings\Robert\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\ciscounifiedaddin6x0\ciscounifiedaddin6x0.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-17 21:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2010-05-17 21:22:38
ComboFix-quarantined-files.txt 2010-05-18 02:22
ComboFix2.txt 2010-05-15 04:20

Pre-Run: 9,319,911,424 bytes free
Post-Run: 9,294,102,528 bytes free

- - End Of File - - E062C251877911302C52BA22E737BB80
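The ComboFix log above is long, and the lines a responder reads first are buried in it: the "Infected copy of ... was found and disinfected" line, the Run-key autostart entries, and the driver/service lines, in particular any printed as "path --> path [?]" (ComboFix's way of saying it could not find the image on disk) and any S0/R0 boot-start driver. As an added example (not part of this thread, and not ComboFix's own code), the Python below parses a log in that format and turns those items into follow-up checks. The sample log is constructed from a handful of lines modelled on the one posted; the reading of the service prefix (R/S for running/stopped, digit for the Windows start type) is my assumption about ComboFix's convention; and a flag is a prompt to verify, not a verdict that the entry is malicious.

```python
"""Triage helper for ComboFix logs (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a few lines modelled on the ComboFix log format.
SAMPLE_LOG = r"""
ComboFix 10-05-16.02 - Robert 05/17/2010 21:06:05.2.1 - x86
.
(((((((((((((((((( Other Deletions ))))))))))))))))))
.
Infected copy of c:\windows\system32\drivers\intelppm.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
(((((((((((((((((( Reg Loading Points ))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [4/27/2009 10:25 AM 27160]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
.
"""


@dataclass
class RunEntry:
    key: str
    name: str
    path: str
    stamp: str   # file date ComboFix printed in the trailing brackets
    size: int    # file size in bytes from the same brackets


@dataclass
class Service:
    state: str        # 'R' running / 'S' stopped (assumed ComboFix convention)
    start_type: int   # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled (assumed)
    name: str
    display: str
    path: str
    unresolved: bool  # ComboFix writes 'path --> path [?]' when the file is not found


@dataclass
class Findings:
    disinfected: List[str] = field(default_factory=list)
    run_entries: List[RunEntry] = field(default_factory=list)
    services: List[Service] = field(default_factory=list)


SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected\b", re.I)
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]\s*$')
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+)$")


def parse_combofix(text: str) -> Findings:
    """Walk the log once, tracking the registry key the value lines belong to."""
    found = Findings()
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":
            continue
        if SECTION_RE.match(line):          # a (((( Section )))) header resets the key
            key = None
            continue
        if m := INFECTED_RE.match(line):
            found.disinfected.append(m.group(1))
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            found.run_entries.append(
                RunEntry(key, m.group(1), m.group(2), m.group(3), int(m.group(4))))
        elif m := SERVICE_RE.match(line):
            path, sep, tail = m.group(5).rpartition(" [")
            if not sep:                     # no trailing [date size] block at all
                path, tail = m.group(5), ""
            found.services.append(Service(
                state=m.group(1), start_type=int(m.group(2)),
                name=m.group(3).strip(), display=m.group(4).strip(),
                path=path.strip(), unresolved=tail.startswith("?")))
    return found


def triage(found: Findings) -> List[str]:
    """Turn findings into the follow-up checks a responder would actually run."""
    notes = []
    for p in found.disinfected:
        notes.append(f"REPLACED {p}: ComboFix swapped in a clean copy; verify the file now "
                     f"on disk is the vendor's (hash or signature) and that it stays unmodified")
    for s in found.services:
        if s.unresolved:
            notes.append(f"UNRESOLVED {s.name}: image {s.path.split(' --> ')[0]} not found on "
                         f"disk; confirm whether the product is still installed or the file is hidden")
        if s.start_type == 0:
            notes.append(f"BOOT-START {s.name}: loads before user-mode security tools; confirm its origin")
    for e in found.run_entries:
        notes.append(f"AUTOSTART {e.name}: {e.path} ({e.size} bytes, {e.stamp}) under {e.key}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_combofix(SAMPLE_LOG)):
        print(note)
```

Run it against a saved C:\ComboFix.txt by reading the file into `parse_combofix`; the parser deliberately ignores the Startup-folder `.lnk` lines and the firewall AuthorizedApplications entries, which use different layouts, so extend the regexes if you want those too.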
 