Internet Termination


36 replies to this topic

#1 icy_bliss_magic

  • Members
  • 44 posts

Posted 07 March 2008 - 02:27 PM

I have spyware or maybe malware [not entirely sure], but I do know the name of the process. It is called indt2.sys. It plays random sound clips, but I don't think it does any more harm than that (although I shouldn't think so). When it plays sound clips of ads nobody wants to hear, its CPU can rise from 00-05 to 88-95.

I am not completely sure if this is its fault, but I have been experiencing my Firefox terminating at my McAfee SiteAdvisor and whenever I try to enter the thread preparation guide for use before posting a HijackThis log on this site, as well as leafing through my old threads.

My McAfee has been acting weird too. It cannot update properly, and I cannot enter the program (but I will try and reinstall that).

What should I do?


#2 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 07 March 2008 - 04:05 PM

This process is a rootkit. Your McAfee is probably non-functional.

Here is a writeup on that process: http://www.prevx.com/filenames/X1421215510.../INDT2.SYS.html

Please do an online scan with Kaspersky WebScanner.
  • Hold down your "Shift" key and click on this link: Kaspersky WebScanner, to open the Kaspersky WebScanner in a new window.
  • Click on "Kaspersky Online Scanner".
    • You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on "NEXT".
  • Now click on "Scan Settings".
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK.
  • Under select a target to scan, select "My Computer".
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Upon completion, click on the "Save as Text" button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
  • Please download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    Note: There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
    Important! Please do not select the "Show all" checkbox during the scan.
  • Click on the "Scan" and wait for the scan to finish.
    • Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
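The instructions above produce a GMER rootkit-scan log, and reading one is the harder part. The Python script below is an added example for this thread, not GMER's own code and not written by anyone posting here. It parses the three sections GMER emits (the SSDT/Code table, kernel code sections, user code sections), groups hooks by the module that owns them, and flags the two things a responder looks at first: files GMER reported it could not read, in particular a driver the kernel references that the file system cannot find, and JMP targets that GMER could not attribute to any loaded driver. The sample log is constructed from a handful of lines excerpted from the log posted later in this thread, with the two non-English Windows error messages translated; the line formats and the triage ordering are my assumptions inferred from that log, not GMER documentation.

```python
"""Triage a GMER 'Rootkit scan' log: group hooks by owner and flag the odd ones.
Added example for this thread, not GMER's own code; the line formats and the
triage rules are inferred from the log posted in this thread (assumptions)."""
import re
from collections import Counter

# Constructed sample: lines excerpted from the GMER log posted later in this thread
# (post #6), with the two non-English Windows error messages translated.
SAMPLE_LOG = r"""GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-03-08 02:04:30

---- System - GMER 1.0.14 ----

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF83F9818]
SSDT sptd.sys ZwSetValueKey [0xF84314AA]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0xB6EB1660]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB6DD5982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwYieldExecution 804F9B8D 7 Bytes JMP B6DD59B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 80570BF8 5 Bytes JMP B6DD5986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F7AC662C 5 Bytes JMP 8209B770
? System32\Drivers\aaj1xjwl.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegOpenKeyExW 77DA6A78 5 Bytes JMP 009F0014
.text C:\WINDOWS\system32\services.exe[596] WS2_32.dll!socket 71A13B91 5 Bytes JMP 00040000
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
# "SSDT|Code <module> [(description)] <function> [[0xADDR]]"; module paths may contain
# spaces, so the lazy match is pinned by the function name and address on the right.
KERNEL_TABLE_RE = re.compile(r"^(SSDT|Code) (.+?)(?: \((.*)\))? (\w+)(?: \[0x[0-9A-Fa-f]+\])?$")
# ".text|PAGE image!Func ADDR N Bytes JMP TARGET [owner [(description)]]"
INLINE_RE = re.compile(r"^\S+ (\S+)!(\w+) [0-9A-Fa-f]+ \d+ Bytes JMP ([0-9A-Fa-f]+)(?: (.+?)(?: \(.*\))?)?$")
# ".text <process>[pid] dll!Func ADDR N Bytes JMP TARGET"
USER_RE = re.compile(r"^\.text (.+?)\[(\d+)\] \S+!\w+ [0-9A-Fa-f]+ \d+ Bytes JMP [0-9A-Fa-f]+$")
# "? <path> <Windows error text> [!]": GMER could not read the file (assumes no spaces in path)
UNREADABLE_RE = re.compile(r"^\? (\S+) (.*?)\s*!?$")


def parse_gmer(text):
    """Summarise hooks per section; keys are the owning module, driver or image[pid]."""
    report = {"ssdt": Counter(), "code": Counter(), "inline_kernel": Counter(),
              "unattributed_kernel": [], "user_hooks": Counter(), "unreadable": []}
    section = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif section == "System" and (m := KERNEL_TABLE_RE.match(line)):
            report["ssdt" if m.group(1) == "SSDT" else "code"][m.group(2)] += 1
        elif section == "Kernel code sections" and (m := UNREADABLE_RE.match(line)):
            report["unreadable"].append((m.group(1), m.group(2)))
        elif section == "Kernel code sections" and (m := INLINE_RE.match(line)):
            if m.group(4):
                report["inline_kernel"][m.group(4)] += 1
            else:  # JMP into memory that GMER could not map to a loaded driver
                report["unattributed_kernel"].append((f"{m.group(1)}!{m.group(2)}", m.group(3)))
        elif section == "User code sections" and (m := USER_RE.match(line)):
            report["user_hooks"][f"{m.group(1)}[{m.group(2)}]"] += 1
    return report


def triage(report):
    """Order findings from most to least suspicious (a heuristic, not a verdict)."""
    # A driver the kernel references but that is absent on disk is the classic
    # footprint of a hidden driver, so it is reported before merely locked files.
    missing = [(p, e) for p, e in report["unreadable"] if "cannot find the file" in e.lower()]
    locked = [pe for pe in report["unreadable"] if pe not in missing]
    out = [f"MISSING DRIVER: {p}: {e}" for p, e in missing]
    out += [f"LOCKED FILE: {p}: {e}" for p, e in locked]
    for symbol, target in report["unattributed_kernel"]:
        out.append(f"UNATTRIBUTED KERNEL HOOK: {symbol} -> {target} (no owning driver shown)")
    if report["user_hooks"]:
        total = sum(report["user_hooks"].values())
        out.append(f"USER-MODE HOOKS: {total} in {len(report['user_hooks'])} process(es); "
                   "JMP targets are not in a module, so check the installed HIPS/AV before calling it malware")
    for owner, n in sorted(report["inline_kernel"].items()):
        out.append(f"KERNEL INLINE HOOKS: {n} owned by {owner}")
    for owner, n in sorted(report["ssdt"].items()):
        out.append(f"SSDT HOOKS: {n} owned by {owner}")
    return out


if __name__ == "__main__":
    print("\n".join(triage(parse_gmer(SAMPLE_LOG))))
```

Run it as-is to see the ordering on the sample, or replace SAMPLE_LOG with the contents of gmer.txt. The point of grouping by owner is that a log like the one in this thread is dominated by hooks that a named security product owns; what is left after those are accounted for, a driver GMER cannot find on disk and a jump into unattributed memory, is the short list worth investigating.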

#3 Billy O'Neal

Posted 07 March 2008 - 04:17 PM

I'm sorry, I forgot to mention: the Kaspersky scan has to be done in Internet Explorer.

Billy3

#4 icy_bliss_magic
  • Topic Starter

Posted 07 March 2008 - 05:41 PM

Ahhhhh.
I can't open the Kaspersky scan; for some reason the internet terminates every time it opens the link (in both IE and Firefox).

#5 Billy O'Neal

Posted 07 March 2008 - 06:16 PM

Can you do GMER?

Billy3

#6 icy_bliss_magic
  • Topic Starter

Posted 08 March 2008 - 02:07 AM

GMER works just fine:

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-03-08 02:04:30
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF83F9818]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xF83F97D0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF83EDA20]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF83EE2A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF83F9910]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF83F9794]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF83EE2C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF83F9866]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF83F90B0]
SSDT sptd.sys ZwSetValueKey [0xF84314AA]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0xB6EB1660]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB6DD5982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB6DD592D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB6DD5946]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB6DD5A2E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB6DD5A5A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB6DD59C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB6DD5AF1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB6DD5900]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB6DD5914]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB6DD5996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB6DD5A9C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB6DD5A44]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB6DD5B19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB6DD5B05]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB6DD596E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB6DD595A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB6DD59F1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB6DD5ADB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB6DD59D8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB6DD59AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwYieldExecution 804F9B8D 7 Bytes JMP B6DD59B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056CD4D 5 Bytes JMP B6DD595E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 80570BF8 5 Bytes JMP B6DD5986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80572EF1 5 Bytes JMP B6DD59DC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057336C 7 Bytes JMP B6DD59C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80573D06 5 Bytes JMP B6DD5904 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 805740B5 7 Bytes JMP B6DD599A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80582E82 7 Bytes JMP B6DD594A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 80585740 5 Bytes JMP B6DD59F5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058D806 5 Bytes JMP B6DD5918 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 80591E16 5 Bytes JMP B6DD5AF5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80594AAC 7 Bytes JMP B6DD5A5E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80596136 7 Bytes JMP B6DD5A32 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B1AA4 5 Bytes JMP B6DD5931 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062D403 5 Bytes JMP B6DD5972 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064D042 5 Bytes JMP B6DD5B09 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064D317 7 Bytes JMP B6DD5ADF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064DBE4 7 Bytes JMP B6DD5AA0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E029 7 Bytes JMP B6DD5A48 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064E51E 5 Bytes JMP B6DD5B1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F7AC662C 5 Bytes JMP 8209B770
? System32\Drivers\aaj1xjwl.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A00F52
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A00F63
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A0003D
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A00F80
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A00022
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A00F2B
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A00073
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A00EFF
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A00F10
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A00EE4
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A00F9B
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A00FDB
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A00062
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A00FC0
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A00011
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A00084
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegOpenKeyExW 77DA6A78 5 Bytes JMP 009F0014
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegCreateKeyExW 77DA7535 5 Bytes JMP 009F0F57
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegOpenKeyExA 77DA761B 5 Bytes JMP 009F0FB9
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegOpenKeyW 77DA770F 5 Bytes JMP 009F0FD4
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegCreateKeyExA 77DAEAF4 5 Bytes JMP 009F0F72
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegCreateKeyW 77DC8F7D 5 Bytes JMP 009F0F83
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegCreateKeyA 77DCD5BB 5 Bytes JMP 009F0F9E
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0007009A
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0007007F
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0007006E
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00070022
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 000700D5
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00070F83
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00070F72
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070101
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00070F57
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00070FA5
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00070011
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00070FDB
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 000700E6
.text C:\WINDOWS\system32\services.exe[596] ADVAPI32.dll!RegOpenKeyExW 77DA6A78 5 Bytes JMP 00060FC0
.text C:\WINDOWS\system32\services.exe[596] ADVAPI32.dll!RegCreateKeyExW 77DA7535 5 Bytes JMP 00060F9E
.text C:\WINDOWS\system32\services.exe[596] ADVAPI32.dll!RegOpenKeyExA 77DA761B 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[596] ADVAPI32.dll!RegOpenKeyW 77DA770F 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[596] ADVAPI32.dll!RegCreateKeyExA 77DAEAF4 5 Bytes JMP 0006005B
.text C:\WINDOWS\system32\services.exe[596] ADVAPI32.dll!RegCreateKeyW 77DC8F7D 5 Bytes JMP 00060FAF
.text C:\WINDOWS\system32\services.exe[596] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[596] ADVAPI32.dll!RegCreateKeyA 77DCD5BB 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[596] WS2_32.dll!socket 71A13B91 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00AD0FEF
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00AD006C
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00AD005B
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00AD0040
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00AD002F
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00AD0FA8
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00AD0F3F
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00AD0087
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00AD00C0
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00AD0F1D
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00AD0F0C
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00AD0F8D
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00AD0FCA
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00AD0F5C
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00AD0014
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00AD0FB9
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00AD0F2E
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyExW 77DA6A78 5 Bytes JMP 00AC002C
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyExW 77DA7535 5 Bytes JMP 00AC0FCA
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyExA 77DA761B 5 Bytes JMP 00AC001B
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyW 77DA770F 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyExA 77DAEAF4 5 Bytes JMP 00AC0087
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyW 77DC8F7D 5 Bytes JMP 00AC006C
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyA 77DCD5BB 5 Bytes JMP 00AC0051
.text C:\WINDOWS\system32\svchost.exe[776] WS2_32.dll!socket 71A13B91 5 Bytes JMP 00AA000A
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01100000
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01100F7C
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01100F8D
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01100F9E
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0110005B
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01100FC3
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01100F50
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01100F61
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 011000B3
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01100F1A
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01100F09
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0110004A
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01100FE5
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0110008C
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01100FD4
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01100025
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01100F2B
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyExW 77DA6A78 5 Bytes JMP 010F0FC3
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyExW 77DA7535 5 Bytes JMP 010F0FA1
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyExA 77DA761B 5 Bytes JMP 010F0FD4
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyW 77DA770F 5 Bytes JMP 010F0FE5
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyExA 77DAEAF4 5 Bytes JMP 010F0FB2
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyW 77DC8F7D 5 Bytes JMP 010F0054
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes JMP 010F0000
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyA 77DCD5BB 5 Bytes JMP 010F0039
.text C:\WINDOWS\system32\svchost.exe[808] WS2_32.dll!socket 71A13B91 5 Bytes JMP 010D0FEF
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A60047
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A60036
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A60F68
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A60025
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A60F9E
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A60F10
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A60062
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A60EE4
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A60073
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A6008E
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A60F83
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A60000
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A60F37
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A60FB9
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A60FD4
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A60EFF
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyExW 77DA6A78 5 Bytes JMP 00A50036
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyExW 77DA7535 5 Bytes JMP 00A5007D
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyExA 77DA761B 5 Bytes JMP 00A50025
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyW 77DA770F 5 Bytes JMP 00A50014
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyExA 77DAEAF4 5 Bytes JMP 00A5006C
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyW 77DC8F7D 5 Bytes JMP 00A5005B
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyA 77DCD5BB 5 Bytes JMP 00A50FD4
.text C:\WINDOWS\system32\svchost.exe[860] WS2_32.dll!socket 71A13B91 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02720FEF
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02720071
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02720F7C
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02720F8D
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02720F9E
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02720036
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0272008C
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02720F50
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02720F22
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 027200B1
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 027200CC
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 02720FAF
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 02720FDE
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 02720F61
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 02720025
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 02720014
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 02720F33
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyExW 77DA6A78 5 Bytes JMP 02330FB9
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyExW 77DA7535 5 Bytes JMP 02330F79
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyExA 77DA761B 5 Bytes JMP 0233000A
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyW 77DA770F 5 Bytes JMP 02330FD4
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyExA 77DAEAF4 5 Bytes JMP 02330036
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyW 77DC8F7D 5 Bytes JMP 02330F94
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes JMP 02330FE5
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyA 77DCD5BB 5 Bytes JMP 0233001B
.text C:\WINDOWS\System32\svchost.exe[900] WS2_32.dll!socket 71A13B91 5 Bytes JMP 01B1000A
.text C:\WINDOWS\System32\svchost.exe[900] WININET.dll!InternetOpenW 7668AF29 5 Bytes JMP 01B20FDE
.text C:\WINDOWS\System32\svchost.exe[900] WININET.dll!InternetOpenA 7669578E 5 Bytes JMP 01B20FEF
.text C:\WINDOWS\System32\svchost.exe[900] WININET.dll!InternetOpenUrlA 76695A5A 5 Bytes JMP 01B20016
.text C:\WINDOWS\System32\svchost.exe[900] WININET.dll!InternetOpenUrlW 766A5B72 5 Bytes JMP 01B20FC3
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008C0FEF
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008C0F68
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008C005D
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008C0F83
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008C0036
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008C0025
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008C0F46
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008C0F57
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008C00D5
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008C00BA
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008C00E6
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 008C0F94
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 008C0FD4
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 008C0082
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 008C0014
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 008C0FB9
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008C00A9
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DA6A78 5 Bytes JMP 008B0F9E
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DA7535 5 Bytes JMP 008B0040
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DA761B 5 Bytes JMP 008B0FB9
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyW 77DA770F 5 Bytes JMP 008B0FDE
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExA 77DAEAF4 5 Bytes JMP 008B0025
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW 77DC8F7D 5 Bytes JMP 008B0F83
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes JMP 008B0FEF
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyA 77DCD5BB 5 Bytes JMP 008B000A
.text C:\WINDOWS\system32\svchost.exe[964] WS2_32.dll!socket 71A13B91 5 Bytes JMP 00800FEF
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A006E
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0053
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0036
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0F83
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A00B7
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A009A
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A00E3
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A0F4A
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001A00F4
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001A0F94
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001A0089
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001A001B
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001A00C8
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExW 77DA6A78 5 Bytes JMP 002D0FB9
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExW 77DA7535 5 Bytes JMP 002D005B
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 77DA761B 5 Bytes JMP 002D0FCA
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyW 77DA770F 5 Bytes JMP 002D0FE5
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExA 77DAEAF4 5 Bytes JMP 002D0040
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW 77DC8F7D 5 Bytes JMP 002D0F9E
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes JMP 002D0000
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyA 77DCD5BB 5 Bytes JMP 002D002F
.text C:\WINDOWS\System32\svchost.exe[984] WS2_32.dll!socket 71A13B91 5 Bytes JMP 00820FE5
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00ED0000
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00ED0F81
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00ED0F9C
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00ED0076
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00ED0FB9
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00ED0FCA
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00ED00B8
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00ED0091
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00ED0F3A
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00ED0F4B
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00ED00EE
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00ED005B
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00ED001B
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00ED0F66
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00ED0FDB
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00ED0036
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00ED00C9
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DA6A78 5 Bytes JMP 00850FAF
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DA7535 5 Bytes JMP 00850F57
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DA761B 5 Bytes JMP 0085000A
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DA770F 5 Bytes JMP 00850FD4
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DAEAF4 5 Bytes JMP 00850F72
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DC8F7D 5 Bytes JMP 00850F83
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes JMP 00850FEF
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DCD5BB 5 Bytes JMP 00850F9E
.text C:\WINDOWS\system32\svchost.exe[1064] WS2_32.dll!socket 71A13B91 5 Bytes JMP 00820FEF
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenW 7668AF29 5 Bytes JMP 00830FEF
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenA 7669578E 5 Bytes JMP 0083000A
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenUrlA 76695A5A 5 Bytes JMP 00830027
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenUrlW 766A5B72 5 Bytes JMP 00830FD4
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01E70FEF
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01E7005B
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01E70F66
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01E70F77
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01E70F94
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01E70040
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01E70F2E
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01E70F4B
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01E700A5
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01E70F0C
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01E700C0
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01E70FB9
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01E70014
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01E70076
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01E70FDE
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01E70025
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01E70F1D
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegOpenKeyExW 77DA6A78 5 Bytes JMP 01E60FCA
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegCreateKeyExW 77DA7535 5 Bytes JMP 01E60F86
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegOpenKeyExA 77DA761B 5 Bytes JMP 01E6001B
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegOpenKeyW 77DA770F 5 Bytes JMP 01E6000A
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegCreateKeyExA 77DAEAF4 5 Bytes JMP 01E60F97
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegCreateKeyW 77DC8F7D 5 Bytes JMP 01E60FA8
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes JMP 01E60FEF
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegCreateKeyA 77DCD5BB 5 Bytes JMP 01E60FB9
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetOpenW 7668AF29 5 Bytes JMP 01E40011
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetOpenA 7669578E 5 Bytes JMP 01E40000
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetOpenUrlA 76695A5A 5 Bytes JMP 01E4002C
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetOpenUrlW 766A5B72 5 Bytes JMP 01E4003D
.text C:\WINDOWS\Explorer.EXE[1976] WS2_32.dll!socket 71A13B91 5 Bytes JMP 01DE000A
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B009F
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B008E
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0073
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0062
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0040
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B00CD
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B00BC
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B0103
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B00E8
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001B0F4F
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001B0051
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001B0F8F
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001B0F6A
.text C:\WINDOWS\system32\wuauclt.exe[3128] ADVAPI32.dll!RegOpenKeyExW 77DA6A78 5 Bytes JMP 002F0FDE
.text C:\WINDOWS\system32\wuauclt.exe[3128] ADVAPI32.dll!RegCreateKeyExW 77DA7535 5 Bytes JMP 002F0065
.text C:\WINDOWS\system32\wuauclt.exe[3128] ADVAPI32.dll!RegOpenKeyExA 77DA761B 5 Bytes JMP 002F0025
.text C:\WINDOWS\system32\wuauclt.exe[3128] ADVAPI32.dll!RegOpenKeyW 77DA770F 5 Bytes JMP 002F0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3128] ADVAPI32.dll!RegCreateKeyExA 77DAEAF4 5 Bytes JMP 002F0FA8
.text C:\WINDOWS\system32\wuauclt.exe[3128] ADVAPI32.dll!RegCreateKeyW 77DC8F7D 5 Bytes JMP 002F004A
.text C:\WINDOWS\system32\wuauclt.exe[3128] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes JMP 002F000A
.text C:\WINDOWS\system32\wuauclt.exe[3128] ADVAPI32.dll!RegCreateKeyA 77DCD5BB 5 Bytes JMP 002F0FCD

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F844206C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F8442018] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F84649AE] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F844129A] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8235A1E8
Device \FileSystem\Ntfs \Ntfs 82184F70

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 820B6790
Device \Driver\dmio \Device\DmControl\DmIoDaemon 823D61E8
Device \Driver\dmio \Device\DmControl\DmConfig 823D61E8
Device \Driver\dmio \Device\DmControl\DmPnP 823D61E8
Device \Driver\dmio \Device\DmControl\DmInfo 823D61E8
Device \Driver\usbuhci \Device\USBPDO-1 820B6790
Device \Driver\usbuhci \Device\USBPDO-2 820B6790
Device \Driver\usbuhci \Device\USBPDO-3 820B6790
Device \Driver\usbehci \Device\USBPDO-4 820B7790

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8235D1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8235D1E8
Device \FileSystem\Rdbss \Device\FsWrap 820BE370
Device \Driver\Ftdisk \Device\HarddiskVolume3 8235D1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 81ECB898
Device \Driver\atapi \Device\Ide\IdePort0 81ECB898
Device \Driver\atapi \Device\Ide\IdePort1 81ECB898
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 81ECB898
Device \Driver\NetBT \Device\NetBt_Wins_Export 81CE1790
Device \Driver\PCI_NTPNP4752 \Device\0000004b sptd.sys
Device \Driver\NetBT \Device\NetbiosSmb 81CE1790
Device \FileSystem\Srv \Device\LanmanServer 81D33BF0

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 820B6790
Device \Driver\usbuhci \Device\USBFDO-1 820B6790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 81F333F8
Device \Driver\usbuhci \Device\USBFDO-2 820B6790
Device \FileSystem\MRxSmb \Device\LanmanRedirector 81F333F8
Device \Driver\usbuhci \Device\USBFDO-3 820B6790
Device \FileSystem\Npfs \Device\NamedPipe 81F0BFB0
Device \Driver\usbehci \Device\USBFDO-4 820B7790
Device \Driver\Ftdisk \Device\FtControl 8235D1E8
Device \FileSystem\Msfs \Device\Mailslot 8202A8A0
Device \Driver\viasraid \Device\Scsi\viasraid1 823D51E8
Device \Driver\aaj1xjwl \Device\Scsi\aaj1xjwl1Port4Path0Target0Lun0 81D35AB0
Device \Driver\aaj1xjwl \Device\Scsi\aaj1xjwl1 81D35AB0
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 81F7A448
Device \Driver\d347prt \Device\Scsi\d347prt1 81F7A448
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 81F86DE0
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 81F86DE0
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 81F86DE0
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 81F86DE0
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 81F86DE0
Device \FileSystem\Cdfs \Cdfs 81E8C790
Device \FileSystem\Cdfs \Cdfs 820BF298

---- Modules - GMER 1.0.14 ----

Module _________ F8350000-F8368000 (98304 bytes)

---- Threads - GMER 1.0.14 ----

Thread 4:2164 B5EEEDFA
Thread 4:2168 B5EEEE09
Thread 4:2172 B5EEEE09
Thread 4:2176 B5EEEE09
Thread 4:2180 B5EEEE09
Thread 4:2184 B5EEEE09

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@ 1?
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBF 0xB0 0x94 0xE2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x6B 0xCB 0x0C 0xE4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xD7 0x48 0xD5 0xF5 ...
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@ 1?
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBF 0xB0 0x94 0xE2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x6B 0xCB 0x0C 0xE4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xD7 0x48 0xD5 0xF5 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@ "C:\WINDOWS\Cursors\3dwarro.cur,,C:\WINDOWS\Cursors\appstar3.ani,C:\WINDOWS\Cursors\hourgla3.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dwno.cur,C:\WINDOWS\Cursors\3dwns.cur,C:\WINDOWS\Cursors\3dwwe.cur,C:\WINDOWS\Cursors\3dwnwse.cur,C:\WINDOWS\Cursors\3dwnesw.cur,C:\WINDOWS\Cursors\3dwmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@Kb "C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\hand.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\hnodrop.cur,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@Kb "C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\handwait.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\handno.ani,C:\WINDOWS\Cursors\handns.ani,C:\WINDOWS\Cursors\handwe.ani,C:\WINDOWS\Cursors\handnwse.ani,C:\WINDOWS\Cursors\handnesw.ani,C:\WINDOWS\Cursors\hmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@P`? "C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\dinosaur.ani,C:\WINDOWS\Cursors\dinosau2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\banana.ani,C:\WINDOWS\Cursors\3dsns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dsnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dsmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@ "C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\horse.ani,C:\WINDOWS\Cursors\barber.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\coin.ani,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\ac "C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\drum.ani,C:\WINDOWS\Cursors\metronom.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\piano.ani,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@>e'Y "C:\WINDOWS\Cursors\larrow.cur,,C:\WINDOWS\Cursors\lappstrt.cur,C:\WINDOWS\Cursors\lwait.cur,C:\WINDOWS\Cursors\lcross.cur,C:\WINDOWS\Cursors\libeam.cur,,C:\WINDOWS\Cursors\lnodrop.cur,C:\WINDOWS\Cursors\lns.cur,C:\WINDOWS\Cursors\lwe.cur,C:\WINDOWS\Cursors\lnwse.cur,C:\WINDOWS\Cursors\lnesw.cur,C:\WINDOWS\Cursors\lmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@?OY "C:\WINDOWS\Cursors\fillitup.ani,,C:\WINDOWS\Cursors\raindrop.ani,C:\WINDOWS\Cursors\counter.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\wagtail.ani,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@ "C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\appstar2.ani,C:\WINDOWS\Cursors\hourgla2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dgno.cur,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\?d?[?
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\?d?[?@ {67cf8cbd-e5c0-44f7-9de5-e1d599d626d8}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\?d?[?@Description ??????????? Windows????????????????????????
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\?d?[?@Display ???????????
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\?d?[?@IconPath %SystemRoot%\system32\osuninst.EXE,0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users.WINDOWS\\x300c
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users.WINDOWS\\x300c
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users.WINDOWS\\x300c
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users.WINDOWS\\x300c
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users.WINDOWS\\x300c
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users.WINDOWS\\x300c
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users.WINDOWS\\x300c
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\Administrator\\x300c
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@0}\16f? 32904
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@ 136
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts@\31jwi? \0(\0T\0r\0u\0e\0T\0y\0p\0e\0)\0 KAIU.TTF
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts@0}\16f? \0&\0 \0 MINGLIU.TTC
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\SoundMAX Digital Audio\??
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\SoundMAX Digital Audio\??@LineStates 0x00 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\#
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\#@Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\_U
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\_U@Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\J?j4X
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\J?j4X@Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\D
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\D@Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups@J?j4X ??????\???
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\@SaveSettings 1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\:flowers:
ghV
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\:thumbsup:
ghV@SaveSettings 1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\O(u
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\O(u@SaveSettings 1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\@SaveSettings 1

---- EOF - GMER 1.0.14 ----


******some characters cannot be seen because my OS is a Taiwanese version of Windows XP.

#7 icy_bliss_magic

icy_bliss_magic
  • Topic Starter

  • Members
  • 44 posts
  • Local time:07:02 PM

Posted 08 March 2008 - 02:11 AM

For this, does it mean that I am free of the rootkit?
Is there more to be done?
Can I access sites without termination now?

I do want to thank you ahead of any more instruction, though. C:

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:02 PM

Posted 08 March 2008 - 10:27 AM

Alright, I need a minute to look at this.

******some characters cannot be seen because my OS is a Taiwanese version of Windows XP.

Thanks for letting me know about that.

While I'm going through this, please see if you can do a scan at http://eset.com/onlinescan

Billy3

Edit: No, you still have the rootkit. GMER only detects the rootkit; it doesn't do anything about removing it.

Edited by Billy O'Neal, 08 March 2008 - 10:28 AM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:02 PM

Posted 08 March 2008 - 10:38 AM

Do you use DAEMON Tools or Alcohol 120%?

Billy3
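The lines in the GMER log above that bear on the question about DAEMON Tools and Alcohol 120% are the kernel IAT hooks, all of which GMER resolves to sptd.sys, and the sptd service's Cfg key, whose @p0 value names C:\Program Files\Alcohol Soft\Alcohol 120\. As an added example (not from the thread and not GMER's own code), a small Python triage script that pulls exactly those relationships out of GMER's text format; the sample input is a few lines copied from the log above.

```python
"""Triage helper for GMER 1.0.14 text logs.

Added example for this thread, not GMER's own code. It parses three record
types that appear in the log above and answers the questions a helper asks
when reading such a log: which driver owns the kernel IAT hooks, which
processes carry user-mode inline hooks, and what product the hooking
driver's service configuration points at on disk.
"""
import json
import re
from collections import defaultdict

# Sample input: a handful of lines copied from the GMER log in this thread.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008C00D5
.text C:\WINDOWS\system32\svchost.exe[964] WS2_32.dll!socket 71A13B91 5 Bytes JMP 00800FEF
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetOpenA 7669578E 5 Bytes JMP 01E40000

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F844206C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F8442018] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F844129A] sptd.sys

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

---- EOF - GMER 1.0.14 ----
"""

# ".text <process>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>"
USER_HOOK = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>[^!\s]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-F]+) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-F]+)$")
# "IAT <victim driver>[<imported symbol>] [<addr>] <driver owning the target>"
IAT_HOOK = re.compile(
    r"^IAT (?P<victim>.+?)\[(?P<imp>[^\]]+)\] \[(?P<addr>[0-9A-F]+)\] (?P<owner>\S+)$")
# "Reg HKLM\SYSTEM\...\Services\<svc>\Cfg[\<sub>]@p<n> <install path>"
SERVICE_CFG_PATH = re.compile(
    r"^Reg HK\w+\\SYSTEM\\[^@]*?\\Services\\(?P<svc>[^\\]+)\\Cfg(?:\\[^@]*)?@p\d+ (?P<path>.+)$")


def parse_gmer(text):
    """Return (user_hooks, iat_hooks, cfg_paths), each a list of match dicts."""
    user_hooks, iat_hooks, cfg_paths = [], [], []
    for line in text.splitlines():
        line = line.rstrip()
        if m := USER_HOOK.match(line):
            user_hooks.append(m.groupdict())
        elif m := IAT_HOOK.match(line):
            iat_hooks.append(m.groupdict())
        elif m := SERVICE_CFG_PATH.match(line):
            cfg_paths.append(m.groupdict())
    return user_hooks, iat_hooks, cfg_paths


def triage(text):
    """Summarise a GMER log: IAT hooks per owning driver, the product each
    owning driver's service Cfg key points at, and user-mode hooks per process."""
    user_hooks, iat_hooks, cfg_paths = parse_gmer(text)

    # Kernel IAT hooks grouped by the driver GMER resolved the hook target to.
    iat_by_owner = defaultdict(list)
    for h in iat_hooks:
        iat_by_owner[h["owner"]].append(f'{h["victim"]} -> {h["imp"]}')

    # Map a hooking driver (sptd.sys) to the path stored under its service's
    # Cfg key; the service name is the driver file name without its extension.
    paths_by_service = {c["svc"].lower(): c["path"] for c in cfg_paths}
    product_hint = {owner: paths_by_service.get(owner.lower().rsplit(".", 1)[0])
                    for owner in iat_by_owner}

    # User-mode inline hooks per process: a count plus the 64 KiB regions the
    # JMP targets land in (0x008C0000 etc.). Hooks on one DLL's exports all
    # landing in one such region is the signature of a single hooking module.
    per_process = defaultdict(lambda: {"count": 0, "regions": set()})
    for h in user_hooks:
        key = f'{h["proc"]}[{h["pid"]}]'
        per_process[key]["count"] += 1
        per_process[key]["regions"].add(h["target"][:4])

    return {
        "iat_by_owner": dict(iat_by_owner),
        "product_hint": product_hint,
        "user_hooks_by_process": {
            k: {"count": v["count"], "regions": sorted(v["regions"])}
            for k, v in per_process.items()},
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run against a full GMER log the script reads the file the same way; the sample here is only what this thread's log shows, so the product hint is empty for any owner whose service has no Cfg path entry.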

#10 icy_bliss_magic

icy_bliss_magic
  • Topic Starter

  • Members
  • 44 posts
  • Local time:07:02 PM

Posted 09 March 2008 - 04:26 PM

You're welcome, and yes, I use both DAEMON (an old version, before the adware) and Alcohol.

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:02 PM

Posted 09 March 2008 - 04:30 PM

Did eset.com/onlinescan work?

Billy3

#12 icy_bliss_magic

icy_bliss_magic
  • Topic Starter

  • Members
  • 44 posts
  • Local time:07:02 PM

Posted 09 March 2008 - 09:03 PM

Yes, it did. It found threats (and deleted them),
but I couldn't find out how to send a detailed report...

The scan in total took about 4 hours (phew!). It checked all drives (C, D, E) and
found 5 threats in C: and none in the others.

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:08:02 PM

Posted 09 March 2008 - 09:31 PM

The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start → Run dialog box from the Start Menu on the desktop.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#14 icy_bliss_magic

icy_bliss_magic
  • Topic Starter

  • Members
  • 44 posts
  • Local time:07:02 PM

Posted 09 March 2008 - 09:48 PM

Found it.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2932 (20080309)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=20fee344741f2448948bf9be82e47dba
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-03-10 01:24:03
# local_time=2008-03-09 09:24:03 )
# country="Canada"
# osver=5.1.2600 NT Service Pack 2
# scanned=459506
# found=5
# scan_time=13509
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\R8PUZOBS\jump[78].htm VBS/DelWsock.A trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Outlook Express\svchost.exe Win32/TrojanDownloader.Delf.DTT trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\Indt2.sys a variant of Win32/TrojanClicker.VB.NDJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\routing.exe Win32/TrojanDownloader.Delf.OBC trojan (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
C:\WINDOWS\system32\tmp0_355954594596.bk a variant of Win32/TrojanDownloader.Delf.DSX trojan (unable to clean - deleted) 00000000000000000000000000000000


Edit: I've got the scariest feeling that I haven't fixed anything.

Edited by icy_bliss_magic, 10 March 2008 - 12:14 AM.


#15 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:02 PM

Posted 10 March 2008 - 07:38 AM

Reboot, and see if this file still exists:
C:\WINDOWS\system32\routing.exe

Also, are things still not running right?

Billy3
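boopme's post above gives the location of the ESET Online Scanner log, and in the posted log the routing.exe entry is the only one marked "deleted (after the next restart)", which is the file the post above asks to have checked after a reboot. As an added example (not ESET's tooling and not from the thread), a Python parser for that log format that separates the "# key=value" header from the detection lines, lists the paths whose deletion was deferred to the next restart, and sanity-checks the header counts; the sample input is constructed from the entries in the log above.

```python
"""Parse an ESET Online Scanner log.txt and list what still needs checking.

Added example for this thread, not ESET's own tooling. The format is the one
posted above: "# key=value" header lines, then one detection per line as
"<path> <threat name> (<action>) <hash>". Paths and threat names both contain
spaces, so the line is split from the right (action and hash first) and the
path/threat boundary is found at the first "Platform/Family" token, which is
an assumption about ESET naming made for this example.
"""
import re

# Constructed sample in the thread's format, using the entries from the log above.
SAMPLE_ESET_LOG = r"""# version=4
# end=finished
# remove_checked=true
# scanned=459506
# found=5
# scan_time=13509
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\R8PUZOBS\jump[78].htm VBS/DelWsock.A trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Outlook Express\svchost.exe Win32/TrojanDownloader.Delf.DTT trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\Indt2.sys a variant of Win32/TrojanClicker.VB.NDJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\routing.exe Win32/TrojanDownloader.Delf.OBC trojan (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
C:\WINDOWS\system32\tmp0_355954594596.bk a variant of Win32/TrojanDownloader.Delf.DSX trojan (unable to clean - deleted) 00000000000000000000000000000000
"""

# Lazy body, then the action in the first "(" group (it may itself contain a
# nested "(after the next restart)"), then the 32-hex-digit hash at the end.
DETECTION = re.compile(r"^(?P<body>.+?) \((?P<action>.+)\) (?P<hash>[0-9a-fA-F]{32})$")


def split_path_and_threat(body):
    """Split "<path> <threat name>" at the first token that looks like an ESET
    family name (contains "/"), backing up over a leading "a variant of"."""
    tokens = body.split(" ")
    idx = next((i for i, t in enumerate(tokens) if "/" in t), None)
    if idx is None:                     # no recognisable threat name
        return body, ""
    if tokens[max(idx - 3, 0):idx] == ["a", "variant", "of"]:
        idx -= 3
    return " ".join(tokens[:idx]), " ".join(tokens[idx:])


def parse_eset_log(text):
    """Return (header_dict, detections). Each detection is a dict with
    path, threat, action and hash; unparseable lines are skipped."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION.match(line)
        if not m:
            continue
        path, threat = split_path_and_threat(m["body"])
        detections.append({"path": path, "threat": threat,
                           "action": m["action"], "hash": m["hash"]})
    return header, detections


def pending_after_restart(detections):
    """Paths the scanner could not remove immediately; these are the ones to
    confirm gone after a reboot (and to treat as still live if present)."""
    return [d["path"] for d in detections if "after the next restart" in d["action"]]


def consistency_warnings(header, detections):
    """Header claims that do not match the detection lines actually present."""
    warnings = []
    if header.get("end") != "finished":
        warnings.append("scan did not finish (end=%r)" % header.get("end"))
    try:
        if int(header.get("found", "-1")) != len(detections):
            warnings.append("found=%s but %d detection lines parsed"
                            % (header.get("found"), len(detections)))
    except ValueError:
        warnings.append("found= is not a number")
    return warnings


if __name__ == "__main__":
    hdr, found = parse_eset_log(SAMPLE_ESET_LOG)
    print("scanned=%s found=%s warnings=%s" % (hdr.get("scanned"), hdr.get("found"),
                                              consistency_warnings(hdr, found)))
    for path in pending_after_restart(found):
        print("verify after reboot:", path)
```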



