XP system infected with Win32.TDSS.rtk

[Irwin]

This is my first posting. I hope I have provided you with the correct information. Thank you in advance for your help. I eagerly look forward to running a clean system again. If you can point me to any really good readings about best ways to best avoid re-infecting my system I would be terrifically appreciative.

The only attempt at fixing the infection that I have done was in Spybot - Fix problems, when the scan first found problems. It would not fix it.

I turned off TeaTimer, ran ERUNT.

My system won't let me make Restore Points from Start-Accesories-System Tools-Restore. Is that the same as runing ERUNT? Is the infection preventing me from creating Restore Points?

Irwin



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:32 PM, on 10/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.earthlink.net/wam/login.jsp?redirect=/wam/index.jsp&x=1396779255
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00F973CFC4.exe] C:\DOCUME~1\BRIAND~1.STU\LOCALS~1\Temp\_A00F973CFC4.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: Yahoo! Chat -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142569454521
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142569425349
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.3.1_02) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Plug-in 1.3.1_02) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

--
End of file - 7552 bytes

 

[Shaba]

Hi Irwin

No, that is not the same thing. Yes it is most likely.

Download gmer.zip and save to your desktop.
alternate download site

• Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
• When you have done this, disconnect from the Internet and close all running programs.
  There is a small chance this application may crash your computer so save any work you have open.
• Double-click on Gmer.exe to start the program.
• Allow the gmer.sys driver to load if asked.
• If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
• Click on the Rootkit tab.
• Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
• Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
• Click on the "Scan" and wait for the scan to finish.
  Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
• When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
• Note: If you have any problems, try running GMER in SAFE MODE"

Important! Please do not select the "Show all" checkbox during the scan..

 

[Irwin]

Have run Gmer

Hi Shaba,

I have done the scan. I tried to post the results into a reply but I got a message that there were 107000 characters and the limit was 64000, so I have broken the paste of the scan into two parts, the second part will be pasted into my next reply.

I would like to use my computer online while we are going thru the process of cleaning off the viruses. Should I keep Resident Teatimer disabled and go on the web throughout the time we are conversing back and forth, or should I re-enable it between our contacting each other, and then disable it when I'm going to do your next set of instructions?

Thank you for your help, I really appreciate it!

Irwin







GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-18 17:31:46
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\BRIAND~1.STU\LOCALS~1\Temp\pxtdypow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF6B644EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF6B64581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF6B64498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF6B644AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF6B64595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF6B645C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF6B64634]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF6B64619]
Code 82DB52F0 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF6B6452A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF6B6465E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF6B6456D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF6B64470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF6B64484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF6B644FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF6B6469A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF6B64603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF6B645ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF6B645AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF6B64686]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF6B64672]
Code 82D3671E ZwSaveKey
Code 82DB535E ZwSaveKeyEx
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF6B644D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF6B644C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF6B645D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF6B64559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF6B64648]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF6B64540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF6B64514]
Code 82D36756 IofCallDriver
Code 82DB487E IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 82D3675B
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 82DB4883
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 82DB52F4
PAGE ntoskrnl.exe!ZwSaveKey 8064ED72 5 Bytes JMP 82D36722
PAGE ntoskrnl.exe!ZwSaveKeyEx 8064EE5D 5 Bytes JMP 82DB5362
PAGE ntoskrnl.exe!ZwReplaceKey + 3 8064F0DF 2 Bytes [51, 76]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01460000
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01460F5E
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01460F83
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0146005D
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01460F94
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01460025
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01460F2B
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01460F3C
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014600BD
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01460098
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01460F09
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01460036
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01460FE5
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01460F4D
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01460FB9
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01460FCA
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01460F1A
.text C:\WINDOWS\system32\svchost.exe[116] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0144002C
.text C:\WINDOWS\system32\svchost.exe[116] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01440F83
.text C:\WINDOWS\system32\svchost.exe[116] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0144001B
.text C:\WINDOWS\system32\svchost.exe[116] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01440000
.text C:\WINDOWS\system32\svchost.exe[116] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01440F9E
.text C:\WINDOWS\system32\svchost.exe[116] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01440FE5
.text C:\WINDOWS\system32\svchost.exe[116] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01440FAF
.text C:\WINDOWS\system32\svchost.exe[116] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [64, 89]
.text C:\WINDOWS\system32\svchost.exe[116] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01440FCA
.text C:\WINDOWS\system32\svchost.exe[116] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01430033
.text C:\WINDOWS\system32\svchost.exe[116] msvcrt.dll!system 77C293C7 5 Bytes JMP 01430FB2
.text C:\WINDOWS\system32\svchost.exe[116] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01430011
.text C:\WINDOWS\system32\svchost.exe[116] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01430000
.text C:\WINDOWS\system32\svchost.exe[116] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01430022
.text C:\WINDOWS\system32\svchost.exe[116] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01430FD7
.text C:\WINDOWS\system32\svchost.exe[116] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01450FEF
.text C:\WINDOWS\system32\svchost.exe[116] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01450FDE
.text C:\WINDOWS\system32\svchost.exe[116] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01450FC3
.text C:\WINDOWS\system32\svchost.exe[116] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 01450FB2
.text C:\WINDOWS\system32\svchost.exe[116] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01420000
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01400FEF
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01400F41
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01400F5C
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01400040
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0140002F
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01400F9E
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01400F09
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01400F1A
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0140007D
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0140006C
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0140008E
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01400F8D
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0140000A
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01400051
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01400FC3
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01400FD4
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01400EEE
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 013E0039
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 013E0F97
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 013E0FDE
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 013E0FEF
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 013E0FA8
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 013E000A
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 013E0FB9
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [5E, 89]
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 013E004A
.text C:\WINDOWS\system32\services.exe[536] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0F89
.text C:\WINDOWS\system32\services.exe[536] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0F9A
.text C:\WINDOWS\system32\services.exe[536] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[536] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0FE3
.text C:\WINDOWS\system32\services.exe[536] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FAB
.text C:\WINDOWS\system32\services.exe[536] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FD2
.text C:\WINDOWS\system32\services.exe[536] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 013F0000
.text C:\WINDOWS\system32\services.exe[536] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 013F0FE5
.text C:\WINDOWS\system32\services.exe[536] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 013F001B
.text C:\WINDOWS\system32\services.exe[536] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 013F002C
.text C:\WINDOWS\system32\services.exe[536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateFileA 7C801A28 3 Bytes JMP 010C0FE5
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateFileA + 4 7C801A2C 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!VirtualProtectEx 7C801A61 3 Bytes JMP 010C0F52
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!VirtualProtectEx + 4 7C801A65 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!VirtualProtect 7C801AD4 3 Bytes JMP 010C0051
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!VirtualProtect + 4 7C801AD8 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010C0F77
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!LoadLibraryExA 7C801D53 3 Bytes JMP 010C0F9E
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!LoadLibraryExA + 4 7C801D57 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!LoadLibraryA 7C801D7B 3 Bytes JMP 010C001B
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!LoadLibraryA + 4 7C801D7F 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!GetStartupInfoW 7C801E54 3 Bytes JMP 010C0F09
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!GetStartupInfoW + 4 7C801E58 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010C0F1A
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateProcessW 7C802336 3 Bytes JMP 010C0087
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateProcessW + 4 7C80233A 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateProcessA 7C80236B 3 Bytes JMP 010C0EE4
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateProcessA + 4 7C80236F 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!GetProcAddress 7C80AE40 3 Bytes JMP 010C0ED3
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!GetProcAddress + 4 7C80AE44 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!LoadLibraryW 7C80AEEB 3 Bytes JMP 010C0036
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!LoadLibraryW + 4 7C80AEEF 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateFileW 7C810800 3 Bytes JMP 010C0FCA
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateFileW + 4 7C810804 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010C0F37
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 010C0FB9
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010C0000
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010C006C
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 010A0FAF
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 010A001B
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 010A0FCA
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 010A0000
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 010A0F5E
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 010A0FEF
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 010A0F83
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [2A, 89]
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 010A0F94
.text C:\WINDOWS\system32\lsass.exe[548] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01090FAD
.text C:\WINDOWS\system32\lsass.exe[548] msvcrt.dll!system 77C293C7 5 Bytes JMP 01090038
.text C:\WINDOWS\system32\lsass.exe[548] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01090FD2
.text C:\WINDOWS\system32\lsass.exe[548] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01090000
.text C:\WINDOWS\system32\lsass.exe[548] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01090027
.text C:\WINDOWS\system32\lsass.exe[548] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01090FE3
.text C:\WINDOWS\system32\lsass.exe[548] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\lsass.exe[548] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 010B0FEF
.text C:\WINDOWS\system32\lsass.exe[548] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 010B0000
.text C:\WINDOWS\system32\lsass.exe[548] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 010B001B
.text C:\WINDOWS\system32\lsass.exe[548] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 010B0FCA
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F10FE5
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F10F8D
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F10F9E
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F10078
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F1005B
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F10FD4
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F100AE
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F10F66
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F10F3A
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F10F4B
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F100E4
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F10FC3
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F1000A
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F10093
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F10036
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F10025
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F100C9
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF0FCA
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF0051
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF0FDB
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF0011
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF0F94
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF0000
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EF0FAF
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0F, 89]
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF0036
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EE006E
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EE0053
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EE0FD9
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EE000C
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EE0038
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EE001D
.text C:\WINDOWS\system32\svchost.exe[700] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[700] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00F00FE5
.text C:\WINDOWS\system32\svchost.exe[700] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00F0001B
.text C:\WINDOWS\system32\svchost.exe[700] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00F00FCA
.text C:\WINDOWS\system32\svchost.exe[700] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00ED0FEF
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F40080
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40F8B
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40FA8
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40FB9
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F40047
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F400B3
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F400A2
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F40104
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F400F3
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F40115
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F40FCA
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F40091
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F4002C
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F4001B
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F400CE
.text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F20011
.text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F20F79
.text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F20FCA
.text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F20F94
.text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F20FE5
.text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F20FA5
.text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [12, 89]
.text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F20022
.text C:\WINDOWS\system32\svchost.exe[780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F10053
.text C:\WINDOWS\system32\svchost.exe[780] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F10042
.text C:\WINDOWS\system32\svchost.exe[780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F10027
.text C:\WINDOWS\system32\svchost.exe[780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10FD2
.text C:\WINDOWS\system32\svchost.exe[780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F10FE3
.text C:\WINDOWS\system32\svchost.exe[780] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\svchost.exe[780] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00F30FD4
.text C:\WINDOWS\system32\svchost.exe[780] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00F30FC3
.text C:\WINDOWS\system32\svchost.exe[780] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00F3000A
.text C:\WINDOWS\system32\svchost.exe[780] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0246000A
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 024600AC
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02460091
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02460FC3
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02460080
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02460FD4
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02460F81
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02460F92
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02460106
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024600EB
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02460F5C
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02460065
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02460FEF
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 024600BD
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02460036
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02460025
.text C:\WINDOWS\System32\svchost.exe[844] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024600DA
.text C:\WINDOWS\System32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 017F0FCD
.text C:\WINDOWS\System32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 017F0F97
.text C:\WINDOWS\System32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 017F001E
.text C:\WINDOWS\System32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 017F0FDE
.text C:\WINDOWS\System32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 017F0054
.text C:\WINDOWS\System32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 017F0FEF
.text C:\WINDOWS\System32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 017F002F
.text C:\WINDOWS\System32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 017F0FB2
.text C:\WINDOWS\System32\svchost.exe[844] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 017E004E
.text C:\WINDOWS\System32\svchost.exe[844] msvcrt.dll!system 77C293C7 5 Bytes JMP 017E0FC3
.text C:\WINDOWS\System32\svchost.exe[844] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 017E0FDE
.text C:\WINDOWS\System32\svchost.exe[844] msvcrt.dll!_open 77C2F566 5 Bytes JMP 017E0FEF
.text C:\WINDOWS\System32\svchost.exe[844] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 017E0033
.text C:\WINDOWS\System32\svchost.exe[844] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 017E000C
.text C:\WINDOWS\System32\svchost.exe[844] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01800000
.text C:\WINDOWS\System32\svchost.exe[844] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01800011
.text C:\WINDOWS\System32\svchost.exe[844] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01800022
.text C:\WINDOWS\System32\svchost.exe[844] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 01800FDB
.text C:\WINDOWS\System32\svchost.exe[844] WS2_32.dll!socket 71AB4211 5 Bytes JMP 017D0FEF
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00920F44
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00920039
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00920028
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00920F6B
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00920F97
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00920F1F
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00920067
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009200A0
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00920EFD
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00920EEC
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00920F86
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00920FDE
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0092004A
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00920FBC
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00920FCD
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00920F0E
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00900039
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00900FA8
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00900FDE
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00900014
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0090005B
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00900FB9
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B0, 88] {MOV AL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0090004A
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008F0FB4
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!system 77C293C7 5 Bytes JMP 008F003F
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008F002E
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008F0000
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008F0FCF
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008F001D
.text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00910FD4
.text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00910FB9
.text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00910FA8
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A50FE5
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A50084
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A50073
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A50062
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A50051
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A50036
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A50F4D
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A50F74
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A500C1
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A50F28
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A50F0D
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A50FAF
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A5009F
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A50FCA
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A5001B
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A500B0
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A30FDE
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A30F90
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A30025
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A30FA1
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A30FBC

 

[Irwin]

Gmer Scan Results, Part II

.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C3, 88]
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A30FCD
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A20FD4
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A2003A
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A20000
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A20055
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A20029
.text C:\WINDOWS\system32\svchost.exe[992] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[992] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00A40011
.text C:\WINDOWS\system32\svchost.exe[992] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00A40FDB
.text C:\WINDOWS\system32\svchost.exe[992] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00A4002C
.text C:\WINDOWS\system32\svchost.exe[992] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A10FE5
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90FE5
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90076
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90F81
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90F92
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C9005B
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C9002F
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90F55
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90F66
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C900C9
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C900B8
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C90F15
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C9004A
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90091
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90FB9
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C90FD4
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C90F3A
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C70051
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C7008E
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C70036
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C70025
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C7007D
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C70FD1
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E7, 88] {OUT 0x88, EAX}
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C70062
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60FB5
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60036
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60FE3
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C6001B
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60FD2
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00C80FE5
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00C80025
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00C80036
.text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C50FE5
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF0051
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF0F5C
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF0F6D
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0F94
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF0036
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF0089
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF0078
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF00B5
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF0F26
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CF0F01
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CF0FA5
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CF001B
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CF0F4B
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CF0FCA
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CF0FE5
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CF00A4
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0014
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F86
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FC3
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0F97
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE0039
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0FB2
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD004C
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0031
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0FD2
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0FB7
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0FE3
.text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00BF0FDE
.text C:\WINDOWS\system32\svchost.exe[1208] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D80F61
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D80056
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D80F72
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D80F83
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D80025
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D80F44
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D8008C
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D800D3
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D800C2
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D80F1F
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D80F94
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D80FDB
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D80071
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D80FB9
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D80FCA
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D800B1
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D60FC0
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D60F6F
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D60011
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D60F8A
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D60FA5
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F6, 88]
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D60036
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D50F92
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D50FA3
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D50FD2
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D5001D
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D50FE3
.text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00D70011
.text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00D70FC0
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01840000
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01840F72
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01840F8D
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01840F9E
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01840051
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01840036
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0184009D
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0184008C
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01840F1F
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01840F30
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01840F0E
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01840FAF
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0184001B
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01840F61
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01840FD4
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01840FE5
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 018400AE
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF0FA8
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF0F6B
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF0FB9
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FF0F7C
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FF001E
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FF0F8D
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0FC3
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE004E
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0022
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0033
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 011E0FEF
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 011E0FDE
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 011E0014
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 011E0025
.text C:\WINDOWS\system32\svchost.exe[1296] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FD0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1488] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1488] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00990FEF
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00990F68
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00990F79
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00990053
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00990F8A
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0099001B
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009900A4
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00990089
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00990F26
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009900BF
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009900DA
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00990036
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00990FD4
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0099006E
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00990FC3
.text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00990F41
.text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00970FB9
.text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00970F6B
.text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00970014
.text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00970FDE
.text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00970F7C
.text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00970FEF
.text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00970F8D
.text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B7, 88] {MOV BH, 0x88}
.text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00970FA8
.text C:\WINDOWS\System32\svchost.exe[1836] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00960F9A
.text C:\WINDOWS\System32\svchost.exe[1836] msvcrt.dll!system 77C293C7 5 Bytes JMP 00960FAB
.text C:\WINDOWS\System32\svchost.exe[1836] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00960FD7
.text C:\WINDOWS\System32\svchost.exe[1836] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00960000
.text C:\WINDOWS\System32\svchost.exe[1836] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00960FBC
.text C:\WINDOWS\System32\svchost.exe[1836] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00960011
.text C:\WINDOWS\System32\svchost.exe[1836] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00980000
.text C:\WINDOWS\System32\svchost.exe[1836] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00980FE5
.text C:\WINDOWS\System32\svchost.exe[1836] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00980011
.text C:\WINDOWS\System32\svchost.exe[1836] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 0098002C
.text C:\WINDOWS\System32\svchost.exe[1836] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00950000
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009A0000
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009A0F6A
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009A005F
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009A0044
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009A0033
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009A0FA5
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009A0070
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009A0F34
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009A00B7
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009A00A6
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009A0EF9
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009A0022
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009A0FE5
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009A0F4F
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009A0FB6
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009A0011
.text C:\WINDOWS\System32\svchost.exe[1880] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009A008B
.text C:\WINDOWS\System32\svchost.exe[1880] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0097001B
.text C:\WINDOWS\System32\svchost.exe[1880] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0097006C
.text C:\WINDOWS\System32\svchost.exe[1880] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00970FD4
.text C:\WINDOWS\System32\svchost.exe[1880] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0097000A
.text C:\WINDOWS\System32\svchost.exe[1880] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0097005B
.text C:\WINDOWS\System32\svchost.exe[1880] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00970FE5
.text C:\WINDOWS\System32\svchost.exe[1880] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00970040
.text C:\WINDOWS\System32\svchost.exe[1880] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00970FAF
.text C:\WINDOWS\System32\svchost.exe[1880] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00960047
.text C:\WINDOWS\System32\svchost.exe[1880] msvcrt.dll!system 77C293C7 5 Bytes JMP 00960FBC
.text C:\WINDOWS\System32\svchost.exe[1880] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00960011
.text C:\WINDOWS\System32\svchost.exe[1880] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00960000
.text C:\WINDOWS\System32\svchost.exe[1880] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0096002C
.text C:\WINDOWS\System32\svchost.exe[1880] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00960FE3
.text C:\WINDOWS\System32\svchost.exe[1880] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00980FEF
.text C:\WINDOWS\System32\svchost.exe[1880] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00980000
.text C:\WINDOWS\System32\svchost.exe[1880] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00980011
.text C:\WINDOWS\System32\svchost.exe[1880] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00980FB6
.text C:\WINDOWS\System32\svchost.exe[1880] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00950000
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10F94
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10089
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10078
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D1005B
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10FB9
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D100B5
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D100A4
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D10F3E
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D100D7
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D100F2
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D10040
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D10FE5
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D10F79
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D10FCA
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D1001B
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D100C6
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CF0025
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CF0F83
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CF0FCA
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CF0FDB
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CF0F9E
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CF0040
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CF0FB9
.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CE0070
.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CE003A
.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CE000C
.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CE0055
.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CE0029
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00D00011
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00D0002C
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00D00047
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F55
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F66
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0040
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F83
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0025
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F1D
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F2E
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0EF1
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F02
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0ED6
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0F94
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0065
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0014
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\Explorer.EXE[2084] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0080
.text C:\WINDOWS\Explorer.EXE[2084] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0036
.text C:\WINDOWS\Explorer.EXE[2084] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0062
.text C:\WINDOWS\Explorer.EXE[2084] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A001B
.text C:\WINDOWS\Explorer.EXE[2084] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\Explorer.EXE[2084] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0FA5
.text C:\WINDOWS\Explorer.EXE[2084] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A000A
.text C:\WINDOWS\Explorer.EXE[2084] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A0047
.text C:\WINDOWS\Explorer.EXE[2084] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0FC0
.text C:\WINDOWS\Explorer.EXE[2084] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0047
.text C:\WINDOWS\Explorer.EXE[2084] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B002C
.text C:\WINDOWS\Explorer.EXE[2084] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0011
.text C:\WINDOWS\Explorer.EXE[2084] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0FE3
.text C:\WINDOWS\Explorer.EXE[2084] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0FBC
.text C:\WINDOWS\Explorer.EXE[2084] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0000
.text C:\WINDOWS\Explorer.EXE[2084] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\Explorer.EXE[2084] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 002D0FDE
.text C:\WINDOWS\Explorer.EXE[2084] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 002D0FC3
.text C:\WINDOWS\Explorer.EXE[2084] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 002D0014
.text C:\WINDOWS\Explorer.EXE[2084] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0093
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0078
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C005D
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0F9E
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0040
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C00D5
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C00AE
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F68
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C00F7
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C011C
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0FAF
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F83
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0025
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3696] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C00E6
.text C:\WINDOWS\system32\wuauclt.exe[3696] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0F7F
.text C:\WINDOWS\system32\wuauclt.exe[3696] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0014
.text C:\WINDOWS\system32\wuauclt.exe[3696] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FB5
.text C:\WINDOWS\system32\wuauclt.exe[3696] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0FE3
.text C:\WINDOWS\system32\wuauclt.exe[3696] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0F9A
.text C:\WINDOWS\system32\wuauclt.exe[3696] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FD2
.text C:\WINDOWS\system32\wuauclt.exe[3696] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3696] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C006F
.text C:\WINDOWS\system32\wuauclt.exe[3696] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C002C
.text C:\WINDOWS\system32\wuauclt.exe[3696] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C001B
.text C:\WINDOWS\system32\wuauclt.exe[3696] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0FA8
.text C:\WINDOWS\system32\wuauclt.exe[3696] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0000
.text C:\WINDOWS\system32\wuauclt.exe[3696] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002C0FB9
.text C:\WINDOWS\system32\wuauclt.exe[3696] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4C, 88]
.text C:\WINDOWS\system32\wuauclt.exe[3696] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0FCA
.text C:\WINDOWS\system32\wuauclt.exe[3696] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 018F000A
.text C:\WINDOWS\system32\wuauclt.exe[3696] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 018F0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3696] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 018F001B
.text C:\WINDOWS\system32\wuauclt.exe[3696] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 018F0FD4

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat F3721D20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\rotscxempmhxxt.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [2084] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\rotscxrvysdtxu.sys (*** hidden *** ) [SYSTEM] rotscxouxdltko <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

 

[Shaba]

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

 

[Irwin]

Results of ComboFix scan & HJT Log

Shaba,

All ran well. The only thing that happened wrong was I accidentally dropped something on my keyboard at the time the information box came onto the screen telling me to jot down the files ComboFix found activity in the RootKit. Can't believe that happened. The box went away and I was not able to write down the file names. Very very sorry. I hope this doesn't really mess up the process.

Thank you so much for your help :thanks:
Irwin


****************
ComboFix Log
****************

ComboFix 09-10-19.01 - Brian Duignan 10/19/2009 23:19.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.186 [GMT -5:00]
Running from: c:\documents and settings\Brian Duignan.STU\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\23581524
c:\documents and settings\All Users.WINDOWS\Application Data\23581524\23581524.exe
c:\documents and settings\Brian Duignan.STU\Application Data\02000000fd68bee2C.manifest
c:\documents and settings\Brian Duignan.STU\Application Data\02000000fd68bee2O.manifest
c:\documents and settings\Brian Duignan.STU\Application Data\02000000fd68bee2P.manifest
c:\documents and settings\Brian Duignan.STU\Application Data\02000000fd68bee2S.manifest
c:\program files\INSTALL.LOG
c:\program files\Windows Police Pro
c:\windows\GnuHashes.ini
c:\windows\Installer\1128E.MSI
c:\windows\Installer\177c29.msp
c:\windows\Installer\177c30.msp
c:\windows\Installer\177c39.msp
c:\windows\Installer\177c3f.msp
c:\windows\Installer\177c57.msp
c:\windows\Installer\177c5c.msp
c:\windows\Installer\177c5d.msp
c:\windows\Installer\177c66.msp
c:\windows\Installer\177c7e.msp
c:\windows\Installer\177c83.msp
c:\windows\Installer\177c84.msp
c:\windows\Installer\1bd72.msi
c:\windows\Installer\1bd7a.msi
c:\windows\Installer\1bd82.msi
c:\windows\Installer\1bd87.msi
c:\windows\Installer\1bd8f.msi
c:\windows\Installer\1cdcc.msi
c:\windows\Installer\1cdd3.msi
c:\windows\Installer\1cfafc.msp
c:\windows\Installer\2f1f4.msi
c:\windows\Installer\2f1fa.msi
c:\windows\Installer\302ac7.msp
c:\windows\Installer\302acd.msp
c:\windows\Installer\302ad6.msp
c:\windows\Installer\302adc.msp
c:\windows\Installer\302ae5.msp
c:\windows\Installer\302ae6.msp
c:\windows\Installer\302aef.msp
c:\windows\Installer\302b09.msp
c:\windows\Installer\319e0d.msi
c:\windows\Installer\319e13.msi
c:\windows\Installer\3350f.msi
c:\windows\Installer\33532.msi
c:\windows\Installer\374b32.msp
c:\windows\Installer\374b50.msp
c:\windows\Installer\377a56.msp
c:\windows\Installer\377a7a.msp
c:\windows\Installer\377a82.msp
c:\windows\Installer\377a83.msp
c:\windows\Installer\3b1af9.msp
c:\windows\Installer\3b1b01.msp
c:\windows\Installer\3cb60.msi
c:\windows\Installer\3efa4.msp
c:\windows\Installer\43ba36.msp
c:\windows\Installer\43ba3c.msp
c:\windows\Installer\43ba42.msp
c:\windows\Installer\43ba48.msp
c:\windows\Installer\43ba51.msp
c:\windows\Installer\43ba66.msp
c:\windows\Installer\43ba6e.msp
c:\windows\Installer\454153e.msi
c:\windows\Installer\4541543.msi
c:\windows\Installer\48271c.msi
c:\windows\Installer\4bed5.msp
c:\windows\Installer\4bf11.msp
c:\windows\Installer\4bf20.msi
c:\windows\Installer\4bf25.msi
c:\windows\Installer\4bf2b.msi
c:\windows\Installer\5023b1.msi
c:\windows\Installer\576c2f5.msi
c:\windows\Installer\5ab76.msp
c:\windows\Installer\5ab81.msp
c:\windows\Installer\5ab9d.msp
c:\windows\Installer\5abb2.msp
c:\windows\Installer\8ce32e.msp
c:\windows\Installer\adf47.msi
c:\windows\Installer\ca7e4.msp
c:\windows\Installer\f00bc.msi
c:\windows\Installer\f00ef.msi
c:\windows\MailSwitch.ocx
c:\windows\system32\9.tmp
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\windows\system32\drivers\rotscxrvysdtxu.sys
c:\windows\system32\GroupPolicyManifest
c:\windows\system32\GroupPolicyManifest\5.tmp
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\minix32.exe
c:\windows\system32\muzapp.exe
c:\windows\system32\rotscxakbqxwnw.dll
c:\windows\system32\rotscxbqjknirq.dll
c:\windows\system32\rotscxchhbgodp.dll
c:\windows\system32\rotscxempmhxxt.dll
c:\windows\system32\rotscxqctvvdlf.dat
c:\windows\system32\rotscxteppjylb.dat
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\wispex.html
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_rotscxouxdltko
-------\Legacy_rotscxouxdltko


((((((((((((((((((((((((( Files Created from 2009-09-20 to 2009-10-20 )))))))))))))))))))))))))))))))
.

2009-10-16 02:52 . 2009-10-16 02:52 -------- d-----w- c:\program files\Trend Micro
2009-10-16 02:47 . 2009-10-16 02:48 -------- d-----w- c:\program files\ERUNT
2009-10-11 21:01 . 2008-04-13 17:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-10-11 21:01 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-09-27 00:23 . 2009-09-27 00:23 -------- d-----w- c:\program files\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 03:35 . 2008-07-17 18:52 10180 ----a-w- c:\windows\extend.dat
2009-10-10 19:40 . 2006-12-13 05:17 -------- d-----w- c:\program files\McAfee
2009-10-10 14:13 . 2004-01-03 21:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-16 21:12 . 2009-05-03 20:51 -------- d-----w- c:\documents and settings\Brian Duignan.STU\Application Data\HPAppData
2009-09-16 01:55 . 2009-09-16 01:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-08-07 00:24 . 2006-03-17 04:24 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2005-05-26 10:19 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2006-03-17 04:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2006-03-17 04:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2002-08-29 11:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-04 10:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2006-03-17 04:24 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2002-08-29 11:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2008-10-28 00:19 . 2008-10-28 00:18 0 -csha-w- c:\windows\SYSTEM32\110.tmp
2008-10-25 16:12 . 2008-10-25 15:18 0 -csha-w- c:\windows\SYSTEM32\121.tmp
2008-10-25 21:39 . 2008-10-25 21:38 0 -csha-w- c:\windows\SYSTEM32\1B1.tmp
2008-10-26 15:09 . 2008-10-26 15:09 0 -csha-w- c:\windows\SYSTEM32\311.tmp
2008-10-27 19:13 . 2008-10-27 17:08 0 -csha-w- c:\windows\SYSTEM32\42.tmp
2008-10-27 19:14 . 2008-10-27 19:14 0 -csha-w- c:\windows\SYSTEM32\64.tmp
2008-10-28 10:06 . 2008-10-28 10:05 0 -csha-w- c:\windows\SYSTEM32\79.tmp
2008-10-27 21:08 . 2008-10-27 21:07 0 -csha-w- c:\windows\SYSTEM32\B2.tmp
2008-10-27 21:15 . 2008-10-27 21:14 0 -csha-w- c:\windows\SYSTEM32\C5.tmp
2008-10-25 14:17 . 2008-10-25 13:16 0 -csha-w- c:\windows\SYSTEM32\CC.tmp
2008-10-27 23:19 . 2008-10-27 23:18 0 -csha-w- c:\windows\SYSTEM32\E3.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 610304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-24 185896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CARPService"="carpserv.exe" - c:\windows\SYSTEM32\carpserv.exe [2002-09-27 4608]

c:\documents and settings\Brian Duignan\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Handspring\HOTSYNC.EXE [2007-8-17 299008]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

c:\documents and settings\Brian Duignan.STU\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
HotSync Manager.lnk - c:\program files\Handspring\HOTSYNC.EXE [2007-8-17 299008]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S0 Cdr4vsd;Cdr4vsd;c:\windows\SYSTEM32\DRIVERS\CDR4VSD.SYS [9/21/2006 9:38 PM 72032]
S2 mrtRate;mrtRate; [x]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\SYSTEM32\DRIVERS\el575ND5.sys [8/31/2007 11:20 PM 69692]
S3 SynasUSB;SynasUSB;c:\windows\SYSTEM32\DRIVERS\synasUSB.sys [12/25/2008 12:00 AM 18432]
S3 VisorUsb;Handspring USB;c:\windows\system32\DRIVERS\VisorUsb.sys --> c:\windows\system32\DRIVERS\VisorUsb.sys [?]
S3 WPC54GSv1;Linksys Wireless Notebook Adapter WPC54GSv1 Driver;c:\windows\SYSTEM32\DRIVERS\WPC54GSv1.SYS [11/30/2006 11:54 PM 610816]
S3 ZMHHPAudioSrv;ZOOM H Series High Performance Audio Driver Service;c:\windows\SYSTEM32\DRIVERS\zmhhpau.sys [3/28/2008 6:11 PM 89856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-12-13 02:26]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-12-13 02:26]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.earthlink.net/wam/login.jsp?redirect=/wam/index.jsp&x=1396779255
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Yahoo! Chat
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-23581524 - c:\docume~1\ALLUSE~1.WIN\APPLIC~1\23581524\23581524.exe
HKLM-Run-DXDllRegExe - dxdllreg.exe
Notify-WgaLogon - (no file)
AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-19 23:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-20 23:37
ComboFix-quarantined-files.txt 2009-10-20 04:37

Pre-Run: 4,719,693,824 bytes free
Post-Run: 4,993,380,352 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin

- - End Of File - - 5C8A44C85737085D0430A021E2528CEA


*************
HJT Log
*************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:24 PM, on 10/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.earthlink.net/wam/login.jsp?redirect=/wam/index.jsp&x=1396779255
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: Yahoo! Chat -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142569454521
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142569425349
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.3.1_02) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Plug-in 1.3.1_02) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

--
End of file - 6609 bytes

 

[Shaba]

That is ok as combofix removed that rootkit

Please go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   • Spyware, Adware, Dialers, and other potentially dangerous programs
     Archives
     
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply along with a fresh HijackThis log.

 

[Irwin]

Kaspersky's online scanner not available

Hi Shaba,

Kaspersky's website says their online scan is being updated / improved, and is not available. They suggest downloading their 30 day free trial of their full 2010 package. Is that what you want me to do? Is this going to conflict with my install of McAfee Total Protection? If I run the full trial version will I be able to do everything you wanted me to in your prior instructions?

After cleaning my machine is all finished do you recommend Kaspersky over McAfee for protection?

Much thnx,
Irwin

 

[Shaba]

No, please don't do that.

Use this instead:

• Please go here then click on:
  
  
  

  Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
  All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

• Select the option YES, I accept the Terms of Use then click on:
  
• When prompted allow the Add-On/Active X to install.
• Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
• Now click on Advanced Settings and select the following:

• • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Now click on:
  
• The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
• When completed the Online Scan will begin automatically.
• Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
• When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
• Now click on:
  
• Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
• Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

 

[Irwin]

eset scan and hjt log

Hi Shaba,

here's are the two logs.

Thank you,
Irwin



********ESET*********

C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Application Data\23581524\23581524.exe.vir a variant of Win32/Kryptik.AVX trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\minix32.exe.vir probably unknown NewHeur_PE virus
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wispex.html.vir Win32/Adware.WinAntiVirus application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\rotscxrvysdtxu.sys.vir Win32/Olmarik.MB trojan



*********HJT***********

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:00 PM, on 10/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.earthlink.net/wam/login.jsp?redirect=/wam/index.jsp&x=1396779255
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: Yahoo! Chat -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142569454521
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142569425349
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Plug-in 1.3.1_02) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

--
End of file - 7744 bytes

 

[Shaba]

Empty this folder:

C:\Qoobox\Quarantine

Empty Recycle Bin.

Still problems?

 

[Irwin]

Empied Quarantine

Hi Shaba, :greeting:

I've deleted the files. I will turn on McAfee and TeaTimer and will start using my computer to see if there are any more problems, then will repost how things are going.

Do you have any recommendations re: things to read for me to best keep my computer as free from malware as possible?

Do you recommend any particular products? I am currently using McAfee Total Protection. Is there antivirus you prefer over McAfee, or can you point me to a resource to for me to choose what's best for me?

I am so grateful to you for your help. Your immediate responses to my postings were fantastic. I couldn't have asked for a better first experience doing this. Thank you Thank you Thank you :bigthumb: :angel: :bighug: (have never used these icons before - please forgive my getting carried away with them )

Will write back in a day or so to let you know the status. Have a great day.

Irwin

 

[Shaba]

OK, post back after a while and I will give you some recommendations and tips

 

[Irwin]

All is working great!! Thank you

Hi Shaba,

My system is infection free!!! Can't thank you enough for your terrific help!!!! :thanks:

You said you had some things I could read and some tips to help me reduce my exposure to infections. If you could send those to me I would greatly appreciate it. Also, do you have a preference of anti-virus software? I am currently using McAfee Total Protection.

Great Job!!!

Best wishes,
Irwin

 

[Shaba]

Good

McAfee is fine, no need to change.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Now lets uninstall ComboFix:

• Click START then RUN
• Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.

• Double-click OTC.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

• Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
  
  You can find instructions on how to enable and re-enable system restore here:
  
  Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialize and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• Change the Navigate sub-frames across different domains to Prompt
  
• When all these settings have been made, click on the OK button.
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

• Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
  You can use one of these sites to check if any updates are needed for your pc.
  Secunia Software Inspector
  F-secure Health Check
  
• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
• Install Malwarebytes' Anti-Malware - Malwarebytes''Anti-Malware is a new and powerful anti-malware tool. It is
  totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:
  
  Malwarebytes' Anti-Malware Setup Guide
  
  Malwarebytes' Anti-Malware Scanning Guide
  
  
• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  
  A tutorial on installing & using this product can be found here:
  
  Using SpywareBlaster to protect your computer from Spyware and Malware
  
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. See also a hosts file tutorial here
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :bigthumb:

 

[Irwin]

I am running FireFox Mozilla

Hi Shaba,

Your instructions referred to IE. Do you have instructions for Mozilla?

As always, thank you,
Irwin

 

[Shaba]

Default settigs are fine

You can increase security by using NoScript and Adblock plus addons.

 

[Irwin]

going out of town - can u keep thread open

I haven't been able to complete the final steps before I go out of town. will be back Tues 11/3. can u keep the thead open thru next week?

You've done a great service for me Shaba - Thank you,

Irwin

 

[Shaba]

No problem

 

[Irwin]

further extension open date of thread?

Hi Shaba,

It turns out I'm going to be traveling through next week. Would it be possible to keep the thread open until I can get back on the steps you've passed olong to me. I should be able to get on it the weekend of 11/14 - 11/15? I hope this request isn't causing any difficulty for you Shaba. If it is please let me know how I can get back in touch with you. I'd really like to continue with you, if possible.

Very gratefully yours,
Irwin