antivirus system pro- Rkill only runs when renamed


  • This topic is locked
45 replies to this topic

#1 kornhusker1 (Members, 42 posts)

Posted 24 November 2009 - 06:23 PM

Here is the link to the post and information from the Am I infected? forum...

http://www.bleepingcomputer.com/forums/t/273140/antivirus-system-pro-moved/


Thank you!!!!! :(


#2 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 24 November 2009 - 07:06 PM

Hello.

Please post all replies from now on into this topic.

Download ComboFix onto your flash drive. Rename it to svchost.exe.
Link 1, Link 2

Also download the Recovery Console installation file onto the removable drive.
Go to Microsoft's Website and select the download that's appropriate for your Operating System. If you have SP3, use the SP2 download.

Move the files onto the infected computer's desktop.

Follow these directions on the infected computer.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Install Recovery Console and Run ComboFix
Drag the recovery console file over ComboFix (which should be named svchost.exe).

This shall start ComboFix.
  • You will see the prompts below to install the Recovery Console. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Copy the log onto the Flash drive and post it into this topic.

Run Scan with GMER
After, if you are able to run GMER...
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

Tell me how it goes.

With Regards,
The Panda
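The renaming step in the reply above (ComboFix copied as svchost.exe, and the thread title itself, Rkill running only once renamed) works because rogue antivirus programs of this kind kill security tools by matching the process image name. The script below is an added example, not part of Rkill, ComboFix or GMER and not the helper's own procedure: it copies a tool to a fresh random name in the style GMER's loader uses (the GMER log later in this thread shows it running as c5h3iw7d.com), runs the copy, then deletes it. The .com extension is an assumption; Windows executes a PE file under that extension and kill lists usually hold .exe names. Renaming only defeats name matching: a rogue that hooks process creation or fingerprints file content can still block the tool, which is why the helper also asks for real-time protection to be off.

```python
"""Launch a cleanup tool under a throwaway random file name.

Added example for this thread; not part of Rkill, ComboFix or GMER.
The rogue kills tools by process name, so the copy gets a name it has
never seen. The .com extension is an assumption (see lead-in).
"""
import os
import secrets
import shutil
import string
import subprocess
import sys

ALPHABET = string.ascii_lowercase + string.digits


def random_tool_name(length: int = 8, ext: str = ".com") -> str:
    """Return a fresh random name such as 'c5h3iw7d.com'."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length)) + ext


def stage_tool(src: str, dest_dir: str) -> str:
    """Copy *src* into *dest_dir* under a random name; return the copy's path."""
    if not os.path.isfile(src):
        raise FileNotFoundError(src)
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, random_tool_name())
    shutil.copy2(src, dest)
    # Keep the copy executable on POSIX hosts; effectively a no-op on Windows.
    os.chmod(dest, os.stat(dest).st_mode | 0o111)
    return dest


def run_staged(src: str, dest_dir: str, args=()) -> int:
    """Stage *src*, run the copy with *args*, remove the copy, return its exit code."""
    staged = stage_tool(src, dest_dir)
    try:
        return subprocess.call([staged, *args])
    finally:
        # A new name on every run means the rogue cannot learn it from this one.
        try:
            os.remove(staged)
        except OSError:
            pass


if __name__ == "__main__":
    # usage: python stage_tool.py <tool> [tool arguments...]
    if len(sys.argv) < 2:
        sys.exit("usage: stage_tool.py <tool> [args...]")
    sys.exit(run_staged(sys.argv[1], os.path.join(os.getcwd(), "staged"), sys.argv[2:]))
```

Run it from a flash drive with the tool's original file as the argument; the staged copy lives only for the duration of the run, so nothing with a recognisable name is left on the disk for the rogue to find on the next boot.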

#3 kornhusker1 (Topic Starter, Members, 42 posts)

Posted 25 November 2009 - 12:20 AM

Thanks. I have virusscan enterprise ver. 8.5 and can not disable the on-access scan. Should I proceed anyway?

Thank you...

#4 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 25 November 2009 - 07:48 PM

Hello.

Yes, go ahead with it. Hopefully it won't be a problem.

With Regards,
The Panda

#5 kornhusker1 (Topic Starter, Members, 42 posts)

Posted 26 November 2009 - 11:41 AM

Thanks Panda! I will try it when I get a minute and let you know!

Happy Thanksgiving. I am very thankful for your help!

#6 kornhusker1 (Topic Starter, Members, 42 posts)

Posted 26 November 2009 - 03:43 PM

Here is the ComboFix log... (Thanks! I will try to run a scan with GMER now)

ComboFix 09-11-24.02 - 1473970 11/26/2009 15:23.1.2 - x86
Running from: c:\documents and settings\1473970\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\1473970\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\1473970\Application Data\inst.exe
c:\recycler\S-1-5-21-1935655697-484763869-839522115-1003
c:\recycler\S-1-5-21-1935655697-484763869-839522115-500
c:\windows\system32\ikodutuh.ini

.
((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.

2009-11-22 06:39 . 2009-11-24 01:07 -------- d-----w- c:\documents and settings\1473970\Local Settings\Application Data\fskppm
2009-11-21 04:28 . 2009-11-21 04:28 -------- d-----w- c:\windows\system32\winrm
2009-11-21 04:28 . 2009-11-21 04:28 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2009-10-31 12:21 . 2009-11-21 16:35 -------- d-----w- c:\documents and settings\1473970\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 20:31 . 2008-10-27 22:11 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-11-26 20:31 . 2008-10-27 12:55 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-11-24 00:36 . 2008-10-27 22:12 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-11-21 16:37 . 2009-07-17 21:03 -------- d-----w- c:\program files\Google
2009-11-16 21:42 . 2007-06-29 12:47 63365 ----a-w- c:\windows\system32\nvModes.dat
2009-11-13 18:21 . 2008-09-08 12:03 -------- d-----w- c:\program files\Microsoft Agent
2009-11-03 01:42 . 2009-10-03 02:11 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-14 17:38 . 2009-10-14 17:38 -------- d-----w- c:\documents and settings\student25\Application Data\HotSync
2009-10-14 17:37 . 2008-10-08 14:53 72304 ----a-w- c:\documents and settings\student25\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-09 21:23 . 2009-10-09 21:23 1107456 ------w- c:\windows\system32\WsmSvc.dll
2009-10-09 21:23 . 2009-10-09 21:23 178176 ------w- c:\windows\system32\wevtfwd.dll
2009-10-09 21:22 . 2009-10-09 21:22 368640 ------w- c:\windows\system32\WsmRes.dll
2009-10-09 21:22 . 2009-10-09 21:22 69632 ------w- c:\windows\system32\winrs.exe
2009-10-09 21:22 . 2009-10-09 21:22 42496 ------w- c:\windows\system32\pwrshplugin.dll
2009-10-09 19:56 . 2009-10-09 19:56 209408 ------w- c:\windows\system32\WsmWmiPl.dll
2009-10-09 19:56 . 2009-10-09 19:56 14848 ------w- c:\windows\system32\wsmprovhost.exe
2009-10-09 19:56 . 2009-10-09 19:56 22528 ------w- c:\windows\system32\winrshost.exe
2009-10-09 19:56 . 2009-10-09 19:56 25088 ------w- c:\windows\system32\winrmprov.dll
2009-10-09 19:56 . 2009-10-09 19:56 12288 ------w- c:\windows\system32\wsmplpxy.dll
2009-10-09 19:56 . 2009-10-09 19:56 2048 ------w- c:\windows\system32\winrsmgr.dll
2009-10-09 19:56 . 2009-10-09 19:56 233984 ------w- c:\windows\system32\winrscmd.dll
2009-10-09 19:56 . 2009-10-09 19:56 225280 ------w- c:\windows\system32\wsmanhttpconfig.exe
2009-10-09 19:56 . 2009-10-09 19:56 12288 ------w- c:\windows\system32\winrssrv.dll
2009-10-09 19:56 . 2009-10-09 19:56 139776 ------w- c:\windows\system32\WsmAuto.dll
2009-09-17 19:35 . 2009-09-17 19:35 13312 ----a-w- c:\windows\system32\diagdll.dll
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 23:34 . 2008-01-18 07:34 49152 ----a-w- c:\windows\system32\instw32.exe
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-17 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-28 8429568]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-08-03 185632]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-11-01 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-28 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-04-28 67584]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2007-04-28 81920]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\1473970\Start Menu\Programs\Startup\
Palm Registration.lnk - c:\program files\Palm\register.exe [2005-8-8 2494464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2006-8-16 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylockeduserid"= 2 (0x2)
"LogonType"= 0 (0x0)
"MaxGPOScriptWait"= 60 (0x3c)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= ares.exe
"2"= limewire.exe
"3"= morpheus.exe
"4"= morphexe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-149889\Scripts\Logon\0\0]
"Script"=\\rcsd.dom\NETLOGON\SceClie_fix_User.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-149889\Scripts\Logon\0\1]
"Script"=\\rcsd.dom\netlogon\UTLiteNT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-149889\Scripts\Logon\1\0]
"Script"=\\rcsd.dom\NETLOGON\alloy.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-18392\Scripts\Logon\0\0]
"Script"=\\rcsd.dom\scripts\apps\sps\MySite_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-18392\Scripts\Logon\1\0]
"Script"=\\rcsd.dom\NETLOGON\SceClie_fix_User.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-18392\Scripts\Logon\1\1]
"Script"=\\rcsd.dom\netlogon\UTLiteNT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-18392\Scripts\Logon\1\2]
"Script"=\\rcsd.dom\NETLOGON\Days_Til_Expire.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-18392\Scripts\Logon\2\0]
"Script"=\\s000s01a\SYSVOL\rcsd.dom\scripts\S025_Administrative.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-18392\Scripts\Logon\3\0]
"Script"=\\rcsd.dom\NETLOGON\alloy.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-26143\Scripts\Logon\0\0]
"Script"=\\rcsd.dom\NETLOGON\SceClie_fix_User.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-26143\Scripts\Logon\0\1]
"Script"=\\rcsd.dom\netlogon\UTLiteNT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-26143\Scripts\Logon\0\2]
"Script"=\\rcsd.dom\NETLOGON\Days_Til_Expire.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-26143\Scripts\Logon\1\0]
"Script"=\\rcsd.dom\scripts\GenericStudentAccounts\GenericStudentAccts.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-26143\Scripts\Logon\1\1]
"Script"=\\rcsd.dom\netlogon\AlloyStudent.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-26143\Scripts\Logon\2\0]
"Script"=\\rcsd.dom\NETLOGON\alloy.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-26774\Scripts\Logon\0\0]
"Script"=\\rcsd.dom\scripts\apps\sps\MySite_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-26774\Scripts\Logon\1\0]
"Script"=\\rcsd.dom\NETLOGON\SceClie_fix_User.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-26774\Scripts\Logon\1\1]
"Script"=\\rcsd.dom\netlogon\UTLiteNT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-26774\Scripts\Logon\1\2]
"Script"=\\rcsd.dom\NETLOGON\Days_Til_Expire.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-26774\Scripts\Logon\2\0]
"Script"=\\s000s01a\SYSVOL\rcsd.dom\scripts\S025_Administrative.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-26774\Scripts\Logon\3\0]
"Script"=\\rcsd.dom\NETLOGON\alloy.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-32856\Scripts\Logon\0\0]
"Script"=\\rcsd.dom\NETLOGON\SceClie_fix_User.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-32856\Scripts\Logon\0\1]
"Script"=\\rcsd.dom\netlogon\UTLiteNT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-32856\Scripts\Logon\1\0]
"Script"=\\rcsd.dom\NETLOGON\alloy.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-39627\Scripts\Logon\0\0]
"Script"=\\s000s02a\NETLOGON\gpo_boot_fix_pol.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-39627\Scripts\Logon\0\1]
"Script"=\\rcsd.dom\netlogon\UTLiteNT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-81970\Scripts\Logon\0\0]
"Script"=\\rcsd.dom\NETLOGON\SceClie_fix_User.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-81970\Scripts\Logon\0\1]
"Script"=\\rcsd.dom\netlogon\UTLiteNT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-81970\Scripts\Logon\0\2]
"Script"=\\rcsd.dom\NETLOGON\Days_Til_Expire.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-1450960922-1417001333-81970\Scripts\Logon\1\0]
"Script"=\\rcsd.dom\NETLOGON\alloy.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R2 gupdate1ca07221cdc64ee;Google Update Service (gupdate1ca07221cdc64ee);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-17 133104]
R3 NETGEAR_WGM511_SERVICE;NETGEAR_WGM511_SERVICE Pre-N Wireless PC Card Service;c:\windows\system32\DRIVERS\wnihdd51.sys [2004-12-20 825856]
R3 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies Inc\SMART Board Software\WebServer.exe [2007-11-02 767240]
R3 SQTECH913D;913D Camera;c:\windows\system32\Drivers\Capt913D.sys [2007-08-21 29824]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2008-04-14 14336]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2009-11-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-17 21:03]

2009-11-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-17 21:03]

2009-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-17 21:03]

2009-11-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet/default.aspx
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: renlearn.com
Trusted Zone: renlearn.com\hosted70
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Broadcom 802.11b Network Adapter - c:\program files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe verbose
AddRemove-igLoader - c:\program files\igLoader\uninstall.exe
AddRemove-NVIDIA Drivers - c:\windows\system32\nvudisp.exe UninstallGUI
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 15:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1220)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rpcnet.exe
c:\program files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RunDLL32.exe
c:\program files\McAfee\Common Framework\McTray.exe
.
**************************************************************************
.
Completion time: 2009-11-26 15:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-26 20:37

Pre-Run: 63,783,112,704 bytes free
Post-Run: 66,838,179,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - E8C2C77122C898B237241E73C3B96500
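Three lines in the log above are the ones a responder would check before anything else: the per-user proxy "http=127.0.0.1:5555" under Supplementary Scan (Antivirus System Pro pointed Internet Explorer at a loopback proxy on that port to hijack browsing, so this is the strongest indicator in the whole log), the "Other Deletions" list of what ComboFix already removed, and "EnableFirewall"= 0. The rest of the Reg Loading Points section (NETLOGON scripts from rcsd.dom, the disallowrun list of file-sharing clients) is managed-domain policy, not malware, which is what the next reply is getting at. The script below is an added example, not a ComboFix component and not the helper's method; it pulls those indicators out of a ComboFix-style log. SAMPLE_LOG is constructed from lines copied from the log above plus one made-up Run entry (the "inst" line) so the autorun check has something to find; the posted log has no such entry. A loopback proxy is not proof by itself (a local filtering product can set one too), so confirm nothing legitimate listens on that port before calling it.

```python
"""Pull rogue-antivirus indicators out of a ComboFix log.

Added example for this thread; not a ComboFix component. Checks: a
browser proxy on loopback, autorun values starting from a profile or
temp directory, the firewall state, and what ComboFix deleted.
SAMPLE_LOG is built from the posted log; the "inst" Run entry is
constructed for illustration and does not appear in the real log.
"""
import json
import re

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')    # "name"="path" [date size]
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<spec>.+)$")
HOST_RE = re.compile(r"(?:^|=)(?P<host>[^=:;]+):(?P<port>\d+)")  # host:port or http=host:port;...
FW_RE = re.compile(r'"EnableFirewall"\s*=\s*(\d+)')
# Directories a legitimate autorun rarely starts from on an XP box.
SUSPECT_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\recycler\\")

SAMPLE_LOG = r"""
(((( Other Deletions ))))
.

c:\documents and settings\1473970\Application Data\inst.exe
c:\windows\system32\ikodutuh.ini

.
(((( Reg Loading Points ))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-17 39408]
"inst"="c:\documents and settings\1473970\Application Data\inst.exe" [2009-11-22 40960]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet/default.aspx
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""


def section_body(lines, name):
    """Lines of the section whose header contains *name*, minus filler ('.' and blanks)."""
    body, inside = [], False
    for line in lines:
        s = line.strip()
        if s.startswith(("((((", "----", "****")):   # ComboFix section headers
            if inside:
                break
            inside = name in s
            continue
        if inside and s and s != ".":
            body.append(s)
    return body


def loopback_proxy(lines):
    """(host, port) if any ProxyServer value points at loopback, else None."""
    for line in lines:
        m = PROXY_RE.search(line)
        if not m:
            continue
        for hm in HOST_RE.finditer(m.group("spec")):
            host = hm.group("host").strip().lower()
            if host == "localhost" or host.startswith("127."):
                return host, int(hm.group("port"))
    return None


def suspicious_autoruns(lines):
    """[(name, path)] for autorun values whose binary sits in a profile/temp directory."""
    hits = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if m and any(d in m.group("path").lower() for d in SUSPECT_DIRS):
            hits.append((m.group("name"), m.group("path")))
    return hits


def firewall_enabled(lines):
    """True/False from the standard-profile EnableFirewall value; None if not logged."""
    for line in lines:
        m = FW_RE.search(line)
        if m:
            return m.group(1) != "0"
    return None


def triage(text):
    """Run every check over a log and return a dict a responder can read or diff."""
    lines = text.splitlines()
    return {
        "deleted": section_body(lines, "Other Deletions"),
        "loopback_proxy": loopback_proxy(lines),
        "suspicious_autoruns": suspicious_autoruns(lines),
        "firewall_enabled": firewall_enabled(lines),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Feed it the real C:\ComboFix.txt instead of SAMPLE_LOG and read "firewall_enabled": false together with the domain policy keys; on a school image the firewall is often off by GPO, and the helper's warning that ComboFix may have reset policies applies to exactly those keys.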

#7 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 26 November 2009 - 04:28 PM

Hello.

Happy Thanksgiving to you.

Post GMER log when ready. If it takes too long, stop the scan and try again with the Files section unchecked.

This computer looks like a school or company machine. If this is the case, please note that ComboFix may have reset some policies.

With Regards,
The Panda

#8 kornhusker1 (Topic Starter, Members, 42 posts)

Posted 26 November 2009 - 06:12 PM

GMER had been running for over 2 hours, so I stopped the scan and reran it. It seems to have frozen up while checking c:\windows\system32\drivers\i8042prt.sys

should I force shut it down and retry?

#9 kornhusker1 (Topic Starter, Members, 42 posts)

Posted 26 November 2009 - 06:26 PM

OK. Here is the GMER log... thanks!

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-26 18:21:51
Windows 5.1.2600 Service Pack 3
Running: c5h3iw7d.com; Driver: C:\DOCUME~1\1473970\LOCALS~1\Temp\pwlorfod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB4DB68BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB4DB683B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB4DB68E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB4DB684F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB4DB687B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB4DB690F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB4DB6827]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB4DB68CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB4DB6865]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB4DB6891]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB4DB68A7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB4DB6925]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB4DB68F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B4DB68FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B4DB68BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP B4DB6913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP B4DB6929 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP B4DB68D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP B4DB68E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP B4DB68AB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP B4DB6895 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP B4DB6869 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 5 Bytes JMP B4DB683F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP B4DB6853 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP B4DB687F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP B4DB682B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9350380, 0x2F2807, 0xE8000020]
page C:\WINDOWS\System32\Drivers\oz776.sys entry point in "page" section [0xBAA82E34]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0069
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0058
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0047
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0036
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FA8
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0F32
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0F4F
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0EEB
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0EFC
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD0095
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0025
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD007A
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FC3
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F17
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930036
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093007D
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930025
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FC0
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00930062
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930047
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920F86
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FA1
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920011
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FBC
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FE3
.text C:\WINDOWS\system32\svchost.exe[152] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[152] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[152] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[152] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 0090001B
.text C:\WINDOWS\system32\svchost.exe[152] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70000
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F7007C
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70061
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70050
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70F91
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F70FAC
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F70F4F
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F70F60
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F70F0F
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F700A8
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F70EFE
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F70033
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F70FDB
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F7008D
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F70022
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70011
.text C:\WINDOWS\System32\svchost.exe[336] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F70F2A
.text C:\WINDOWS\System32\svchost.exe[336] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F60014
.text C:\WINDOWS\System32\svchost.exe[336] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F60FA8
.text C:\WINDOWS\System32\svchost.exe[336] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F60FB9
.text C:\WINDOWS\System32\svchost.exe[336] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F60FDE
.text C:\WINDOWS\System32\svchost.exe[336] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F6005B
.text C:\WINDOWS\System32\svchost.exe[336] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\System32\svchost.exe[336] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F60040
.text C:\WINDOWS\System32\svchost.exe[336] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F6002F
.text C:\WINDOWS\System32\svchost.exe[336] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F50FB9
.text C:\WINDOWS\System32\svchost.exe[336] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F5004E
.text C:\WINDOWS\System32\svchost.exe[336] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F50033
.text C:\WINDOWS\System32\svchost.exe[336] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F50000
.text C:\WINDOWS\System32\svchost.exe[336] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F50FD4
.text C:\WINDOWS\System32\svchost.exe[336] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\System32\svchost.exe[336] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F4B
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F5C
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0040
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F8D
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0065
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F1D
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00A2
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0091
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0EEE
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F3A
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[760] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0080
.text C:\WINDOWS\system32\wuauclt.exe[760] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A004E
.text C:\WINDOWS\system32\wuauclt.exe[760] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A003D
.text C:\WINDOWS\system32\wuauclt.exe[760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0022
.text C:\WINDOWS\system32\wuauclt.exe[760] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[760] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FCD
.text C:\WINDOWS\system32\wuauclt.exe[760] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FDE
.text C:\WINDOWS\system32\wuauclt.exe[760] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0014
.text C:\WINDOWS\system32\wuauclt.exe[760] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B006F
.text C:\WINDOWS\system32\wuauclt.exe[760] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FC3
.text C:\WINDOWS\system32\wuauclt.exe[760] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[760] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0054
.text C:\WINDOWS\system32\wuauclt.exe[760] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[760] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B0039
.text C:\WINDOWS\system32\wuauclt.exe[760] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FB2
.text C:\WINDOWS\system32\wuauclt.exe[760] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003C0FEF
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070073
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070062
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0007002C
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700AB
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0007009A
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F26
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F37
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700DA
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FA5
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F63
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[928] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F48
.text C:\WINDOWS\system32\services.exe[928] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[928] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F50
.text C:\WINDOWS\system32\services.exe[928] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[928] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[928] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F61
.text C:\WINDOWS\system32\services.exe[928] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[928] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060F72
.text C:\WINDOWS\system32\services.exe[928] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[928] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060F97
.text C:\WINDOWS\system32\services.exe[928] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050044
.text C:\WINDOWS\system32\services.exe[928] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FB9
.text C:\WINDOWS\system32\services.exe[928] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FDE
.text C:\WINDOWS\system32\services.exe[928] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\services.exe[928] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050029
.text C:\WINDOWS\system32\services.exe[928] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[928] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DE0000
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DE0047
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DE0F52
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DE0036
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DE0F79
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DE0FA5
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DE0069
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DE0F2D
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DE009F
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DE0F06
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DE0EE1
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DE0F8A
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DE0FE5
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DE0058
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DE0FC0
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DE001B
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DE0084
.text C:\WINDOWS\system32\lsass.exe[940] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DD000A
.text C:\WINDOWS\system32\lsass.exe[940] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DD004A
.text C:\WINDOWS\system32\lsass.exe[940] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DD0FC3
.text C:\WINDOWS\system32\lsass.exe[940] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DD0FDE
.text C:\WINDOWS\system32\lsass.exe[940] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DD0039
.text C:\WINDOWS\system32\lsass.exe[940] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DD0FEF
.text C:\WINDOWS\system32\lsass.exe[940] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DD0F8D
.text C:\WINDOWS\system32\lsass.exe[940] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FD, 88]
.text C:\WINDOWS\system32\lsass.exe[940] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DD0F9E
.text C:\WINDOWS\system32\lsass.exe[940] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DC0FA6
.text C:\WINDOWS\system32\lsass.exe[940] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DC0FC1
.text C:\WINDOWS\system32\lsass.exe[940] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DC0FD2
.text C:\WINDOWS\system32\lsass.exe[940] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\system32\lsass.exe[940] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DC0027
.text C:\WINDOWS\system32\lsass.exe[940] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DC000C
.text C:\WINDOWS\system32\lsass.exe[940] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DB0FEF
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AC0F8A
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AC007F
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AC006E
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AC0FA5
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AC0047
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AC0F48
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AC0F6F
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AC0F0B
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AC0F1C
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AC0EF0
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AC0FC0
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AC0011
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AC009A
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AC002C
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AC0FD1
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AC0F37
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AB001B
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AB0040
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AB0FD4
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AB000A
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AB0F83
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AB0FEF
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AB0F94
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CB, 88]
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AB0FAF
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AA0055
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AA003A
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AA0029
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AA0FEF
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AA0FCA
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AA0018
.text C:\WINDOWS\system32\svchost.exe[1136] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A9000A
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE006E
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0053
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0F79
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0F94
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE002C
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE00A6
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0095
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F32
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F43
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00E6
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0FA5
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0F5E
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00C1
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0FCA
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0F6F
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0F8A
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BD002C
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0FA5
.text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0FAD
.text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0FC8
.text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC002E
.text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC000C
.text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0FD9
.text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC001D
.text C:\WINDOWS\system32\svchost.exe[1200] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02B10000
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02B1009A
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02B10FA5
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02B10FC0
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02B10FD1
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02B10062
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02B100C6
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02B100AB
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02B10F59
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02B100E8
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02B10117
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02B1007D
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02B10025
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02B10F8A
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02B10051
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02B10040
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02B100D7
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02A00F9E
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02A00040
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02A00FC3
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02A00FDE
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02A00F79
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02A00FEF
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02A00025
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02A0000A
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 029F0F92
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!system 77C293C7 5 Bytes JMP 029F0FAD
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 029F0FD2
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_open 77C2F566 5 Bytes JMP 029F0000
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 029F001D
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 029F0FE3
.text C:\WINDOWS\System32\svchost.exe[1284] WS2_32.dll!socket 71AB4211 5 Bytes JMP 029E0000
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 029C0FEF
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 029C0FD4
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 029C000A
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 029C0FB9
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650F7C
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00650071
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00650F8D
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650F9E
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00650FB9
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006500B1
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00650096
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00650F33
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00650F4E
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00650F18
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0065004A
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00650F6B
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00650FCA
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0065001B
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006500C2
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0064002C
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00640058
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0064001B
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00640FE5
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00640047
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00640000
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00640FA5
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [84, 88]
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00640FB6
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00630F9E
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!system 77C293C7 5 Bytes JMP 00630033
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00630FDE
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00630FCD
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007C0FEF
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007C007F
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007C0064
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007C0053
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007C0036
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007C0025
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007C00A4
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007C0F5C
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007C00E1
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007C00C6
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007C0F37
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007C0F94
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007C0FCA
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007C0F79
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007C0FAF
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007C0000
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007C00B5
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007B0033
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007B0F91
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007B0022
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007B0011
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007B0FA2
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007B0FBD
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9B, 88]
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007B0044
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007A005F
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!system 77C293C7 5 Bytes JMP 007A0044
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007A0029
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007A000C
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007A0FD4
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\system32\svchost.exe[1388] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A0000A
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A00F72
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A00F97
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A00065
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A00054
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A00FC3
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A00F46
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A00F57
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A00F1A
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A00F35
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A000CE
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A00FA8
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A00025
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A00082
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A00FDE
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A000B3
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009F001B
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009F0047
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009F0FCA
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009F0036
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009F0FE5
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009F0F94
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BF, 88]
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009F0FAF
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009E0F90
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!system 77C293C7 5 Bytes JMP 009E001B
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009E0FB5
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009E000A
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009E0FD2
.text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009D0000
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B8000A
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B8009A
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80FA5
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80FB6
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80073
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80051
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80F63
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B800AB
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80F37
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80F48
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B80F1C
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B80062
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B8001B
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B80F80
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B80FDB
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B80036
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B800C6
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B70025
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B70F83
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B70FD4
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B7000A
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B70040
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B70F9E
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D7, 88]
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B70FB9
.text C:\WINDOWS\system32\svchost.exe[1656] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B60FC0
.text C:\WINDOWS\system32\svchost.exe[1656] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B60055
.text C:\WINDOWS\system32\svchost.exe[1656] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B60029
.text C:\WINDOWS\system32\svchost.exe[1656] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[1656] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B60044
.text C:\WINDOWS\system32\svchost.exe[1656] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0090
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A007F
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A006E
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0051
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00BC
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00A1
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00E1
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F48
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00F2
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0040
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FDB
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F80
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A001B
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\Explorer.EXE[3072] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F59
.text C:\WINDOWS\Explorer.EXE[3072] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FB9
.text C:\WINDOWS\Explorer.EXE[3072] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0029005B
.text C:\WINDOWS\Explorer.EXE[3072] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FD4
.text C:\WINDOWS\Explorer.EXE[3072] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290014
.text C:\WINDOWS\Explorer.EXE[3072] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290F9E
.text C:\WINDOWS\Explorer.EXE[3072] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\Explorer.EXE[3072] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290040
.text C:\WINDOWS\Explorer.EXE[3072] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290025
.text C:\WINDOWS\Explorer.EXE[3072] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FBC
.text C:\WINDOWS\Explorer.EXE[3072] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FCD
.text C:\WINDOWS\Explorer.EXE[3072] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\Explorer.EXE[3072] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0000
.text C:\WINDOWS\Explorer.EXE[3072] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FDE
.text C:\WINDOWS\Explorer.EXE[3072] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0029
.text C:\WINDOWS\Explorer.EXE[3072] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\Explorer.EXE[3072] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[3072] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\Explorer.EXE[3072] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 002C0025
.text C:\WINDOWS\Explorer.EXE[3072] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01CE0FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----
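The GMER log above lists dozens of `.text` inline-hook entries: for each hooked export it gives the process image and PID, the module and symbol, the original address, the patch length, and either a `JMP` target or the raw bytes written. Reading them by hand is tedious, and the question an analyst actually needs answered is per process: which modules are hooked, where the detours land, and whether they leave the hooked DLL at all. The following script is an added example for this thread, not GMER's code and not something the helpers posted; it parses lines of exactly the shape shown above and groups them per process. The sample log it contains is a constructed subset of the entries above, and the 16 MiB "far detour" threshold is an assumption chosen to separate a jump within the same DLL from one into separately allocated memory. It reports; it does not decide whether the hooks are benign. On this machine the Devices section shows McAfee host-intrusion drivers, and HIPS products hook the same families of APIs, so the output has to be compared with what security software is installed.

```python
"""Summarize GMER 1.0.15 user-mode inline-hook entries per process.

Added example for this thread (not GMER's code, not from the original post).
Parses ".text <image>[pid] <module>!<symbol> <addr> <n> Bytes JMP <target>"
lines and groups them so the hooked API set and JMP targets can be compared
against the security products known to be installed.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<symbol>\S+(?:\s\+\s\d+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<patch>.*)$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})$")
RAW_RE = re.compile(r"^\[(?P<bytes>[0-9A-Fa-f]{2}(?:,\s*[0-9A-Fa-f]{2})*)\]$")

# Assumption: a detour landing more than 16 MiB from the hooked function is
# not inside the same DLL (kernel32 sits at 7C8xxxxx here, targets at 00Bxxxxx).
FAR = 16 * 1024 * 1024

# Constructed sample: a subset of the GMER lines from the log above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B8000A
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B8009A
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B70F9E
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D7, 88]
.text C:\WINDOWS\Explorer.EXE[3072] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\Explorer.EXE[3072] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01CE0FEF
"""


def parse_gmer_hooks(text):
    """Return one dict per .text hook line; non-hook lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # headers, Devices section, blank lines
        rec = {
            "image": m["image"], "pid": int(m["pid"]),
            "module": m["module"], "symbol": m["symbol"],
            "addr": int(m["addr"], 16), "nbytes": int(m["nbytes"]),
            "target": None, "raw": None,
        }
        patch = m["patch"].strip()
        j = JMP_RE.match(patch)
        if j:
            rec["target"] = int(j["target"], 16)  # detour destination
        else:
            r = RAW_RE.match(patch)
            if r:  # bytes that follow a short JMP, e.g. "[D7, 88]"
                rec["raw"] = [int(b, 16) for b in r["bytes"].split(",")]
        hooks.append(rec)
    return hooks


def summarize(hooks):
    """Per (image, pid): hooked modules, 64 KiB regions the JMPs land in,
    and the hooks whose detour leaves the hooked module's neighbourhood."""
    groups = defaultdict(list)
    for h in hooks:
        groups[(h["image"], h["pid"])].append(h)
    out = {}
    for key, group in groups.items():
        targets = [h["target"] for h in group if h["target"] is not None]
        out[key] = {
            "hook_count": len(group),
            "modules": sorted({h["module"] for h in group}),
            "target_regions": sorted({t >> 16 for t in targets}),
            "far_detours": [
                f'{h["module"]}!{h["symbol"]}' for h in group
                if h["target"] is not None and abs(h["target"] - h["addr"]) > FAR
            ],
        }
    return out


if __name__ == "__main__":
    for (image, pid), info in summarize(parse_gmer_hooks(SAMPLE_LOG)).items():
        regions = ", ".join(hex(r << 16) for r in info["target_regions"])
        print(f"{image}[{pid}]: {info['hook_count']} hooks in "
              f"{', '.join(info['modules'])}; JMP targets in {regions}; "
              f"{len(info['far_detours'])} detours leave the hooked module")
```

Run against the full log, the interesting pattern is that every module's hooks inside one process land in a single 64 KiB region (kernel32 into 00B8xxxx, ADVAPI32 into 00B7xxxx, msvcrt into 00B6xxxx for PID 1656), which is what a hooking engine that allocates one trampoline block per module looks like. That shape fits both a HIPS product and malware, so the next step is to match the target regions against the process's module list rather than treat the count of far detours as a verdict.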

#10 PropagandaPanda (Malware Response Team)

Posted 26 November 2009 - 08:16 PM

Hello.

The infection appears to have been removed. Are you now able to run programs without the error message?

If so, please install and run MalwareBytes.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

What problems are still present?

With Regards,
The Panda

#11 kornhusker1 (Topic Starter)

Posted 27 November 2009 - 09:16 AM

The internet seems fine now and I am able to visit all sites, not just log-in screens like before. However, I tried to log on to safe mode for the heck of it and was unsuccessful. What type of malware was/is this? Thanks again for your time...

Here is the MBAM log from the quick scan...

Malwarebytes' Anti-Malware 1.41
Database version: 3242
Windows 5.1.2600 Service Pack 3

11/27/2009 9:11:21 AM
mbam-log-2009-11-27 (09-11-21).txt

Scan type: Quick Scan
Objects scanned: 137206
Time elapsed: 5 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by kornhusker1, 27 November 2009 - 09:30 AM.


#12 PropagandaPanda (Malware Response Team)

Posted 27 November 2009 - 05:17 PM

Hello.

The infection symptoms were like that of a particular rogue program, though I can't be sure. Did you happen to get ads for fake antivirus programs?

Let's run a final scan before we wrap up.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Download and Run DDS
Please download DDS by sUBs from any of the links below:
DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.
Tell me if you run into any problems.

With Regards,
The Panda

#13 kornhusker1 (Topic Starter)

Posted 28 November 2009 - 09:22 PM

Thanks. I will try tomorrow night when I get home.

#14 kornhusker1 (Topic Starter)

Posted 29 November 2009 - 12:17 AM

Here are the Kaspersky scan results...

Sunday, November 29, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, November 29, 2009 03:45:08
Records in database: 3306170


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area Critical areas
C:\Documents and Settings\1473970\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics
Objects scanned 74739
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 01:19:27

No threats found. Scanned area is clean.
Selected area has been scanned.

#15 kornhusker1 (Topic Starter)

Posted 29 November 2009 - 12:26 AM

DDS (Ver_09-11-29.01) - NTFSx86
Run by 1473970 at 0:18:58.45 on Sun 11/29/2009
Internet Explorer: 7.0.5730.13

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://intranet/default.aspx
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies inc\notebook software\NotebookPlugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; (R1 1.5); .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.1; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)" -"http://www.miniclip.com/games/skateboard-jam/en/"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\1473970\startm~1\programs\startup\palmre~1.lnk - c:\program files\palm\register.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-disallowrun: 1 = ares.exe
uPolicies-disallowrun: 2 = limewire.exe
uPolicies-disallowrun: 3 = morpheus.exe
uPolicies-disallowrun: 4 = morphexe.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: dontdisplaylockeduserid = 2 (0x2)
mPolicies-system: LogonType = 0 (0x0)
mPolicies-system: MaxGPOScriptWait = 60 (0x3c)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: renlearn.com
Trusted Zone: renlearn.com\hosted70
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189696475011
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-11-26 20:19:23 0 d-sha-r- C:\cmdcons
2009-11-26 20:18:13 77312 ----a-w- c:\windows\MBR.exe
2009-11-26 20:18:12 260608 ----a-w- c:\windows\PEV.exe
2009-11-26 20:18:12 161792 ----a-w- c:\windows\SWREG.exe
2009-11-26 20:18:11 98816 ----a-w- c:\windows\sed.exe
2009-11-21 04:28:21 0 d-----w- c:\windows\system32\winrm
2009-11-21 04:28:10 0 dc-h--w- c:\windows\$968930Uinstall_KB968930$
2009-11-16 15:12:31 3251 ----a-w- c:\windows\system32\wbem\Outlook_01ca66cf380e7888.mof

==================== Find3M ====================

2009-11-29 03:09:19 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-11-29 03:09:17 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-11-27 14:22:03 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-11-16 21:42:06 63365 ----a-w- c:\windows\system32\nvModes.dat
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-09 21:23:10 1107456 ------w- c:\windows\system32\WsmSvc.dll
2009-10-09 21:23:08 178176 ------w- c:\windows\system32\wevtfwd.dll
2009-10-09 21:22:58 368640 ------w- c:\windows\system32\WsmRes.dll
2009-10-09 21:22:56 69632 ------w- c:\windows\system32\winrs.exe
2009-10-09 21:22:52 42496 ------w- c:\windows\system32\pwrshplugin.dll
2009-10-09 19:56:20 209408 ------w- c:\windows\system32\WsmWmiPl.dll
2009-10-09 19:56:18 14848 ------w- c:\windows\system32\wsmprovhost.exe
2009-10-09 19:56:16 22528 ------w- c:\windows\system32\winrshost.exe
2009-10-09 19:56:14 25088 ------w- c:\windows\system32\winrmprov.dll
2009-10-09 19:56:10 12288 ------w- c:\windows\system32\wsmplpxy.dll
2009-10-09 19:56:08 2048 ------w- c:\windows\system32\winrsmgr.dll
2009-10-09 19:56:06 233984 ------w- c:\windows\system32\winrscmd.dll
2009-10-09 19:56:04 225280 ------w- c:\windows\system32\wsmanhttpconfig.exe
2009-10-09 19:56:04 12288 ------w- c:\windows\system32\winrssrv.dll
2009-10-09 19:56:02 139776 ------w- c:\windows\system32\WsmAuto.dll
2009-09-17 19:35:12 13312 ----a-w- c:\windows\system32\diagdll.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 23:34:08 49152 ----a-w- c:\windows\system32\instw32.exe
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll

============= FINISH: 0:19:32.37 ===============

Thank you!!! :(