
USPS report.zip virus


  • This topic is locked
20 replies to this topic

#1 sloop

sloop

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 06 January 2012 - 03:09 PM

i foolishly opened the USPS Report.zip attachment to an e/mail and got hit.

ran malwarebytes in safe mode - it quarantined these

PUM.Hidden.Desktop (registry data) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop
Rogue.FakeHDD (file) C:\Documents and Settings\All Users\Application Data\Atw5PRax1ShMBt.exe
Trojan.FakeAlert (file) C:\Documents and Settings\All Users\Local Settings\Temp\dubmnex.exe
PUM.Hijack.StartMenu (registry data) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AdvancedStart_ShowMyDocs
PUM.Hijack.StartMenu (registry data) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AdvancedStart_ShowControlPanel
PUM.Hijack.StartMenu (registry data) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AdvancedStart_ShowRun
PUM.Hijack.StartMenu (registry data) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AdvancesStart_ShowHelp
Trojan.FakeAlert (registry value) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|19280
PUM.Hijack.StartMenu (registry data) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AdvancedStart_ShowSearch
Rogue.FakeHDD (file) C:\Documents and Settings\All Users\Application Data\AWteuGLwTAOiU.exe

i ran stinger and it found nothing
i ran mrt and it found nothing

i ran unhide and i can now see some of my desktop icons and (as best i know) all my files - it did not correct the start menu that is missing

as requested, i ran defogger:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 12:29 on 06/01/2012 (Edmond)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

i have tried to run DDS - it seems to spawn a MBR.DAT process then hangs up

I downloaded GMER and got this error message when i started it

Load Driver ("C\Documen~\Edmond\LocalS~\Temp\kxtdipoc.sys") error 0x000010E: cannot create stable subkey under volitile parent key

the program starts with ONLY the Services, Registry, Files and ADS that can be checked- i ran the scan and the results are below

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-06 13:20:14
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Edmond\LOCALS~1\Temp\kxtdipoc.sys


---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Edmond\Cookies\PZZCCW2E.txt 89 bytes
File C:\Documents and Settings\Edmond\Cookies\R0U1XSFV.txt 872 bytes
File C:\Documents and Settings\Edmond\Cookies\9UUQYBH8.txt 495 bytes
File C:\Documents and Settings\Edmond\Cookies\KYUS7OXM.txt 3499 bytes
File C:\Documents and Settings\Edmond\Cookies\6BPQA8Y5.txt 113 bytes
File C:\Documents and Settings\Edmond\Cookies\6HUSGJRI.txt 225 bytes
File C:\Documents and Settings\Edmond\Cookies\CGN904S1.txt 101 bytes
File C:\Documents and Settings\Edmond\Cookies\3G4LY1Y7.txt 189 bytes
File C:\Documents and Settings\Edmond\Cookies\3HWJ8ZJS.txt 114 bytes
File C:\Documents and Settings\Edmond\Cookies\53FGNYHH.txt 110 bytes
File C:\Documents and Settings\Edmond\Cookies\OFWLVK4Z.txt 542 bytes
File C:\Documents and Settings\Edmond\Cookies\T0ZR6M27.txt 204 bytes

---- EOF - GMER 1.0.15 ----

i have also run OTL and will attach those logs

thank you for any help you can provide

#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,701 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:03 AM

Posted 12 January 2012 - 03:10 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/436647 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!
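Editor's note (added example, not part of the thread and not GMER's own tooling): HelpBot asks for a fresh GMER log, and the "User code sections" part of such a log is where a helper spends most of the reading time. Each line names a process and PID, the hooked export, the patch size, and the JMP/CALL target; when GMER can map that target to a loaded module it appends the module path and vendor in parentheses (the McAfee mcproxy.dll and Spy Sweeper lines in this thread), whereas a bare low address with no module means the hook lands in memory not backed by any image on disk. The script below parses that format and groups hooks per PID, counting the unattributed ones and the API families they cover. The regular expressions, the API family table and the "unattributed" heuristic are my assumptions about the log layout, not documented GMER behaviour; the sample input is a handful of lines copied from the log posted in this thread, labelled as constructed test data.

```python
import re

# Constructed sample: a few lines copied from the GMER "User code sections"
# posted in this thread (not a complete log), used as offline test input.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[352] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00450771 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)
.text C:\WINDOWS\System32\svchost.exe[388] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 064E0FEF
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 064A0F55
.text C:\WINDOWS\System32\svchost.exe[388] WS2_32.dll!socket 71AB4211 5 Bytes JMP 06500FEF
.text C:\WINDOWS\System32\svchost.exe[388] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 064F0000
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[544] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00950FC0
.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B5, 88] {MOV CH, 0x88}
"""

# Assumed line layout (my reading of the log, not a GMER specification):
# .text <process path>[<pid>] <module>!<export>[ + <offset>] <addr> <n> Byte(s) <rest>
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>[^ !]+)!(?P<api>\S+?)(?: \+ (?P<offset>[0-9A-Fa-f]+))? "
    r"(?P<addr>[0-9A-Fa-f]{8}) (?P<size>\d+) Bytes? (?P<rest>.*)$"
)
# <rest> is either "JMP|CALL <target> [<module path> (<description>)]" or raw bytes.
TARGET_RE = re.compile(
    r"^(?P<kind>JMP|CALL) (?P<target>[0-9A-Fa-f]{8})(?: (?P<attribution>.+))?$"
)

# Hand-made grouping of the exports seen in this thread's log; purely for triage.
API_CLASSES = {
    "process": {"NtCreateProcess", "CreateProcessA", "CreateProcessW", "WinExec",
                "system", "_wsystem"},
    "file": {"NtCreateFile", "CreateFileA", "CreateFileW", "_open", "_wopen",
             "_creat", "_wcreat", "CreatePipe", "CreateNamedPipeA", "CreateNamedPipeW"},
    "registry": {"RegOpenKeyA", "RegOpenKeyW", "RegOpenKeyExA", "RegOpenKeyExW",
                 "RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW"},
    "network": {"socket", "InternetOpenA", "InternetOpenW",
                "InternetOpenUrlA", "InternetOpenUrlW"},
    "memory": {"NtProtectVirtualMemory", "VirtualProtect", "VirtualProtectEx"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
               "GetProcAddress"},
}


def classify(api):
    """Map a hooked export to one of the API families above, or 'other'."""
    for name, apis in API_CLASSES.items():
        if api in apis:
            return name
    return "other"


def parse_user_hooks(text):
    """Return one dict per '.text' hook line; lines of other sections are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        t = TARGET_RE.match(entry.pop("rest"))
        # Raw-byte continuation lines (e.g. "[B5, 88] {MOV CH, 0x88}") carry no target.
        entry["kind"] = t["kind"] if t else "BYTES"
        entry["target"] = t["target"] if t else None
        entry["attribution"] = t["attribution"] if t else None
        entry["class"] = classify(entry["api"])
        hooks.append(entry)
    return hooks


def triage(text):
    """Group hooks by PID. A hook is 'unattributed' when it has a JMP/CALL
    target but GMER printed no module path for it; 'classes' lists the API
    families those unattributed hooks cover."""
    summary = {}
    for h in parse_user_hooks(text):
        s = summary.setdefault(h["pid"], {"process": h["proc"], "hooks": 0,
                                          "unattributed": 0, "classes": set()})
        s["hooks"] += 1
        if h["target"] is not None and h["attribution"] is None:
            s["unattributed"] += 1
            s["classes"].add(h["class"])
    for s in summary.values():
        s["classes"] = sorted(s["classes"])
    return summary


def processes_needing_review(text):
    """(pid, summary) pairs with at least one unattributed hook, most first."""
    return sorted(((pid, s) for pid, s in triage(text).items() if s["unattributed"]),
                  key=lambda item: -item[1]["unattributed"])


if __name__ == "__main__":
    for pid, s in processes_needing_review(SAMPLE_LOG):
        print(f"PID {pid} {s['process']}: {s['unattributed']}/{s['hooks']} "
              f"unattributed hooks, families {s['classes']}")
```

On the sample, the Spy Sweeper and McAfee entries come out fully attributed, while the svchost.exe instances carry hooks on file, process and network APIs that point at bare addresses; that is a prompt for a helper to look at what is mapped at those addresses, not by itself proof of infection, since some security products also hook this way.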

#3 sloop

sloop
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 13 January 2012 - 02:03 AM

this is a 32 bit xp/pro - i have the xp cd

i built the computer using an asus crosshair mobo
amd athlon 64 dual core 3.2mhz black edition
4 gig corsair memory
500 gig western digital black with 64 meg buffer

i do not overclock

i run mcafee and spysweeper

i have the drivers installed to run nvidia raid, but i do not currently run raid

i use perfectdisk for defragging (about once a month)

i use pcmatic to try to keep the registry and such clean

the crosshair has dual network adapters that are teamed

when i run dds, it seems to spawn a process MBR.DAT and the pc locks up - it remains that way for over 10 minutes, until i hit the reset button on the computer - this is true with mcafee firewall turned off and mcafee realtime scanning disabled and the router powered off - the spysweeper process remains active (when i issue a shutdown, it shuts down the user interface task (spysweeperui.exe), but the spysweeper.exe remains active - it will not let me kill that process)

i ran the gmer program and when scanning the files, i got the blue screen - i hit the pc reset button and ran gmer again without the files checked - i will attach that log below and try to run it with the files checked

when the virus first hit, malwarebytes seemed to zap the ones in the post above - but i was still getting some redirects from yahoo search - i ran the scan in pcmatic and it flagged something called octogons - since then i have waited for help here, using the pc only for casual browsing and streaming tv

last night, the automatic windows update ran and restarted the pc - i got up and logged back in - there was a balloon that said something about malware, but it went away before i could get to my glasses

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-13 00:45:43
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Edmond\LOCALS~1\Temp\kxtdipoc.sys


---- System - GMER 1.0.15 ----

SSDT 8B946AF8 ZwAllocateVirtualMemory
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xB6E054D0]
SSDT 8B946020 ZwCreateProcess
SSDT 8B946FA8 ZwCreateProcessEx
SSDT 8B946DC8 ZwCreateThread
SSDT 8B994368 ZwDeleteKey
SSDT 8B994188 ZwDeleteValueKey
SSDT 8B946B70 ZwQueueApcThread
SSDT 8B946A08 ZwReadVirtualMemory
SSDT 8B9942F0 ZwRenameKey
SSDT 8B946C60 ZwSetContextThread
SSDT 8B994278 ZwSetInformationKey
SSDT 8B946EB8 ZwSetInformationProcess
SSDT 8B946CD8 ZwSetInformationThread
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0xB6E05520]
SSDT 8B946E40 ZwSuspendProcess
SSDT 8B946BE8 ZwSuspendThread
SSDT 8B946F30 ZwTerminateProcess
SSDT 8B946D50 ZwTerminateThread
SSDT 8B946A80 ZwWriteVirtualMemory

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB7D1229E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB7D121FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB7D121D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB7D121E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB7D12274]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB7D122B4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB7D12288]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B7D1228C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB61B6380, 0x8D6CD5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[352] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00450771 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)
.text C:\WINDOWS\System32\svchost.exe[388] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 064E0FEF
.text C:\WINDOWS\System32\svchost.exe[388] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 064E0FD4
.text C:\WINDOWS\System32\svchost.exe[388] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 064E000A
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 064A0FEF
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 064A0F81
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 064A0076
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 064A0065
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 064A0054
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 064A0FB2
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 064A00BF
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 064A00AE
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 064A0F55
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 064A0F66
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 064A0109
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 064A0039
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 064A0FD4
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 064A0091
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 064A001E
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 064A0FC3
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 064A00DA
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0652001E
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 06520FA1
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 06520FCD
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 06520FDE
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0652005E
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 06520FEF
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 06520043
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 06520FB2
.text C:\WINDOWS\System32\svchost.exe[388] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 06510049
.text C:\WINDOWS\System32\svchost.exe[388] msvcrt.dll!system 77C293C7 5 Bytes JMP 06510038
.text C:\WINDOWS\System32\svchost.exe[388] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0651001D
.text C:\WINDOWS\System32\svchost.exe[388] msvcrt.dll!_open 77C2F566 5 Bytes JMP 06510000
.text C:\WINDOWS\System32\svchost.exe[388] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 06510FBE
.text C:\WINDOWS\System32\svchost.exe[388] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 06510FE3
.text C:\WINDOWS\System32\svchost.exe[388] WS2_32.dll!socket 71AB4211 5 Bytes JMP 06500FEF
.text C:\WINDOWS\System32\svchost.exe[388] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 064F0000
.text C:\WINDOWS\System32\svchost.exe[388] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 064F001B
.text C:\WINDOWS\System32\svchost.exe[388] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 064F002C
.text C:\WINDOWS\System32\svchost.exe[388] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 064F0FD1
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[544] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[544] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00920025
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00910096
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0091007B
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0091006A
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00910FA1
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00910039
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00910F69
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00910F86
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009100E7
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009100CC
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009100F8
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00910FB2
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00910FDE
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009100A7
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00910FCD
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0091001E
.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00910F4E
.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00950036
.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0095007D
.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0095001B
.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00950000
.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00950062
.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00950FEF
.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00950FC0
.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B5, 88] {MOV CH, 0x88}
.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00950051
.text C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00940F7F
.text C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!system 77C293C7 5 Bytes JMP 00940F90
.text C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00940000
.text C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00940FEF
.text C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00940FAB
.text C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00940FD2
.text C:\WINDOWS\system32\svchost.exe[568] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930FEF
.text C:\WINDOWS\Explorer.EXE[632] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FEF
.text C:\WINDOWS\Explorer.EXE[632] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FB9
.text C:\WINDOWS\Explorer.EXE[632] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FD4
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F5E
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F6F
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B003D
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B002C
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0011
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B009C
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B007F
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F1B
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00BE
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F00
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0F8A
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0000
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B006E
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FA5
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FC0
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00AD
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FB9
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F79
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FD4
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A000A
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0036
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0F94
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0025
.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0064
.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0FE3
.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0038
.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0000
.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0049
.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0011
.text C:\WINDOWS\Explorer.EXE[632] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\Explorer.EXE[632] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 002D0FD4
.text C:\WINDOWS\Explorer.EXE[632] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 002D0FC3
.text C:\WINDOWS\Explorer.EXE[632] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 002D0FB2
.text C:\WINDOWS\Explorer.EXE[632] ws2_32.dll!socket 71AB4211 5 Bytes JMP 02AD0000
.text C:\WINDOWS\system32\svchost.exe[684] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[684] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C10025
.text C:\WINDOWS\system32\svchost.exe[684] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00F69
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C0005E
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00F7A
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00F97
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00FC3
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C000AF
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00094
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00F42
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C000DB
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C00F27
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C00FB2
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C0001B
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C00083
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C00FDE
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C000C0
.text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0025
.text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF006C
.text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF005B
.text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF004A
.text C:\WINDOWS\system32\svchost.exe[684] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20FA8
.text C:\WINDOWS\system32\svchost.exe[684] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20033
.text C:\WINDOWS\system32\svchost.exe[684] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20FDE
.text C:\WINDOWS\system32\svchost.exe[684] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[684] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20FC3
.text C:\WINDOWS\system32\svchost.exe[684] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01250FEF
.text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01250FCA
.text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01250000
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01240000
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01240F8A
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0124007F
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01240FA5
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01240058
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01240FC0
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012400A4
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01240F68
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012400E4
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012400BF
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01240F30
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0124003D
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01240011
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01240F79
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01240FDB
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0124002C
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01240F41
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0128001B
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01280047
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01280000
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01280FD4
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01280F8A
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01280FEF
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01280FA5
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [48, 89]
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0128002C
.text C:\WINDOWS\system32\svchost.exe[752] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01270053
.text C:\WINDOWS\system32\svchost.exe[752] msvcrt.dll!system 77C293C7 5 Bytes JMP 01270038
.text C:\WINDOWS\system32\svchost.exe[752] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01270FC8
.text C:\WINDOWS\system32\svchost.exe[752] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01270FEF
.text C:\WINDOWS\system32\svchost.exe[752] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01270027
.text C:\WINDOWS\system32\svchost.exe[752] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0127000C
.text C:\WINDOWS\system32\svchost.exe[752] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01260FEF
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 0091001B
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 00910FDB
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00900082
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900067
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0090004A
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900039
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900FB2
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00900F5F
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900F7C
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00900F18
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00900F29
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00900EFD
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900FA1
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900FDE
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009000A7
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0090001E
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00900FCD
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00900F44
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01110039
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01110F8D
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01110FDE
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01110FEF
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01110FA8
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01110000
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0111004A
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01110FCD
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0FA6
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FB7
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0027
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF000C
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FD2
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FE3
.text C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00920FE5
.text C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00920025
.text C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00920FCA
.text C:\WINDOWS\system32\svchost.exe[1304] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\services.exe[1512] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[1512] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040FCA
.text C:\WINDOWS\system32\services.exe[1512] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D00FE5
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D00F41
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D00F52
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D00F6F
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D0002C
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D00F94
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D00F04
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D00F15
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D00078
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D00EE9
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D00EC4
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D0001B
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D00F26
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D00FA5
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D00FC0
.text C:\WINDOWS\system32\services.exe[1512] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D00067
.text C:\WINDOWS\system32\services.exe[1512] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\services.exe[1512] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F65
.text C:\WINDOWS\system32\services.exe[1512] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070011
.text C:\WINDOWS\system32\services.exe[1512] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FDB
.text C:\WINDOWS\system32\services.exe[1512] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070F8A
.text C:\WINDOWS\system32\services.exe[1512] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1512] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070F9B
.text C:\WINDOWS\system32\services.exe[1512] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[1512] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070022
.text C:\WINDOWS\system32\services.exe[1512] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060F8B
.text C:\WINDOWS\system32\services.exe[1512] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060F9C
.text C:\WINDOWS\system32\services.exe[1512] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FC8
.text C:\WINDOWS\system32\services.exe[1512] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1512] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FB7
.text C:\WINDOWS\system32\services.exe[1512] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FE3
.text C:\WINDOWS\system32\services.exe[1512] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[1536] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\lsass.exe[1536] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CA0FB9
.text C:\WINDOWS\system32\lsass.exe[1536] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CA0FDE
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C50F9C
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C50091
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C50FC3
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C50FD4
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C5005B
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C500E4
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C500BD
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C50F41
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C50F66
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C50F26
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C5006C
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C5001B
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C500AC
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C50FE5
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C50036
.text C:\WINDOWS\system32\lsass.exe[1536] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C50F77
.text C:\WINDOWS\system32\lsass.exe[1536] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E40011
.text C:\WINDOWS\system32\lsass.exe[1536] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E4003D
.text C:\WINDOWS\system32\lsass.exe[1536] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E40FCA
.text C:\WINDOWS\system32\lsass.exe[1536] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\system32\lsass.exe[1536] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E4002C
.text C:\WINDOWS\system32\lsass.exe[1536] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\lsass.exe[1536] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E40F94
.text C:\WINDOWS\system32\lsass.exe[1536] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [04, 89] {ADD AL, 0x89}
.text C:\WINDOWS\system32\lsass.exe[1536] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E40FA5
.text C:\WINDOWS\system32\lsass.exe[1536] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E30038
.text C:\WINDOWS\system32\lsass.exe[1536] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E30FAD
.text C:\WINDOWS\system32\lsass.exe[1536] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E30FC8
.text C:\WINDOWS\system32\lsass.exe[1536] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\lsass.exe[1536] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E3001D
.text C:\WINDOWS\system32\lsass.exe[1536] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E3000C
.text C:\WINDOWS\system32\lsass.exe[1536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FF0FCD
.text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0098
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0FA3
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE007D
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0062
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE002C
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0F6D
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE0F88
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE00E1
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE00D0
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE00F2
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0051
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE001B
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE00B3
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE0F52
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02470025
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02470F94
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02470FD4
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02470FEF
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02470FA5
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0247000A
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02470047
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02470036
.text C:\WINDOWS\system32\svchost.exe[1772] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02460FA1
.text C:\WINDOWS\system32\svchost.exe[1772] msvcrt.dll!system 77C293C7 5 Bytes JMP 02460FBC
.text C:\WINDOWS\system32\svchost.exe[1772] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02460011
.text C:\WINDOWS\system32\svchost.exe[1772] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02460000
.text C:\WINDOWS\system32\svchost.exe[1772] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0246002C
.text C:\WINDOWS\system32\svchost.exe[1772] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02460FE3
.text C:\WINDOWS\system32\svchost.exe[1772] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02450000
.text C:\WINDOWS\system32\svchost.exe[1820] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[1820] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C2001B
.text C:\WINDOWS\system32\svchost.exe[1820] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C20FE5
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C10FE5
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C1004A
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C10039
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C10F61
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C10F72
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C10FA8
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C10F30
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C10078
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C10EFA
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C10093
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C10EE9
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C10F8D
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C10FCA
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C1005B
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C10FB9
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C10F15
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C50FAF
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C50047
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C50000
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C50FD4
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C50036
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C50FE5
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C50025
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C50F9E
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C40FC3
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C40FD4
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C40029
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C4000C
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C40044
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\system32\svchost.exe[1820] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C30000
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F50FE5
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F50000
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F50FCA
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F4007B
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40F86
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40054
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40F97
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F4002F
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F40F44
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F40F61
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F400C2
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F400A7
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F40F0E
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F40FA8
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F40FDE
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F4008C
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F4001E
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F40FCD
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F40F29
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F80FC3
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F80065
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F80FD4
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F8004A
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F8000A
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F80039
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F80FB2
.text C:\WINDOWS\System32\svchost.exe[1928] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F70F86
.text C:\WINDOWS\System32\svchost.exe[1928] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F70F97
.text C:\WINDOWS\System32\svchost.exe[1928] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F70FC3
.text C:\WINDOWS\System32\svchost.exe[1928] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\System32\svchost.exe[1928] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F70FB2
.text C:\WINDOWS\System32\svchost.exe[1928] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F70FDE
.text C:\WINDOWS\System32\svchost.exe[1928] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\SearchIndexer.exe[2876] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3728] ntdll.dll!KiUserExceptionDispatcher + 9 7C90E485 5 Bytes JMP 00017DB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3728] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00016000 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3728] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 000169B0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3728] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00016000 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3728] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00016960 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3728] kernel32.dll!VirtualFree 7C809B84 5 Bytes JMP 00016990 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Ip 87ED4660
Device \Driver\Tcpip \Device\Ip 8B6EF0A8
Device \Driver\Tcpip \Device\Ip 8B716DA8

AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Tcp 87ED4660
Device \Driver\Tcpip \Device\Tcp 8B6EF0A8
Device \Driver\Tcpip \Device\Tcp 8B716DA8

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\Tcpip \Device\Udp 87ED4660
Device \Driver\Tcpip \Device\Udp 8B6EF0A8
Device \Driver\Tcpip \Device\Udp 8B716DA8

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\RawIp 87ED4660
Device \Driver\Tcpip \Device\RawIp 8B6EF0A8
Device \Driver\Tcpip \Device\RawIp 8B716DA8

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\IPMULTICAST 87ED4660
Device \Driver\Tcpip \Device\IPMULTICAST 8B6EF0A8
Device \Driver\Tcpip \Device\IPMULTICAST 8B716DA8

---- EOF - GMER 1.0.15 ----
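
Reading a hook listing like the one above by hand is error-prone, so here is an added example (not part of the thread, and not GMER's own code) that parses GMER's `.text` hook rows and sorts them by whether GMER could map the JMP target to a loaded module. When it can, it prints the owning module after the target (the WriteFile hook owned by MSSRCH.DLL in SearchIndexer, and Webroot's SSU.EXE hooking its own process); when the target lies in memory that belongs to no module, nothing follows the address. Those unattributed hooks, repeated across svchost, services and lsass on the file, process, registry and network APIs, are the ones a responder chases first. The sample rows are copied from the log above; the grouping of APIs into classes is my own.

```python
"""Triage GMER user-mode hook lines: which JMP hooks could GMER attribute to a
loaded module, and which jump into memory that belongs to no module at all."""
import re

# Constructed excerpt: a handful of ".text" rows copied from the GMER log above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00900F18
.text C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[1304] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\lsass.exe[1536] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E40F94
.text C:\WINDOWS\system32\lsass.exe[1536] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [04, 89] {ADD AL, 0x89}
.text C:\WINDOWS\system32\SearchIndexer.exe[2876] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3728] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00016000 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
"""

# One GMER row: section, process path[pid], module!function[ + offset], address, size, patch text.
LINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\w+)(?:\s*\+\s*(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes?\s+(?P<patch>.*)$"
)
# Patch text of an inline JMP; GMER appends the owning module only when it could map the target.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>.+))?$")

# My own grouping of the hooked APIs by what a hook there lets the attacker see or control.
API_CLASSES = {
    "process":  {"NtCreateProcess", "CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem"},
    "network":  {"socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW"},
    "registry": {"RegOpenKeyA", "RegOpenKeyW", "RegOpenKeyExA", "RegOpenKeyExW",
                 "RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW"},
    "file":     {"NtCreateFile", "CreateFileA", "CreateFileW", "_open", "_wopen", "_creat", "_wcreat",
                 "CreatePipe", "CreateNamedPipeA", "CreateNamedPipeW", "WriteFile"},
    "loader":   {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress",
                 "VirtualProtect", "VirtualProtectEx", "NtProtectVirtualMemory"},
}

def classify(func):
    return next((name for name, apis in API_CLASSES.items() if func in apis), "other")

def parse_hooks(text):
    """Return one dict per '.text' row. Continuation rows ('NtCreateFile + 4 ... [84]') are
    the tail of a patch already listed on the row before, so they carry target=None."""
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        target = owner = None
        j = JMP_RE.match(m.group("patch"))
        if j:
            target = int(j.group("target"), 16)
            if j.group("owner"):
                owner = j.group("owner").split(" (", 1)[0]   # module path before "(description)"
        exe = m.group("proc").rsplit("\\", 1)[-1]
        hooks.append({
            "process": f"{exe}[{m.group('pid')}]",
            "api": f"{m.group('module')}!{m.group('func')}",
            "func": m.group("func"),
            "offset": int(m.group("off") or 0),
            "target": target,
            "owner": owner,
        })
    return hooks

def triage(hooks):
    """Per process: how many JMP hooks land outside any module, which API classes those
    cover, and which modules own the hooks GMER did attribute."""
    report = {}
    for h in hooks:
        entry = report.setdefault(h["process"], {"unattributed": 0, "classes": set(), "owners": set()})
        if h["target"] is None:
            continue                      # tail of a multi-row patch, already counted
        if h["owner"]:
            entry["owners"].add(h["owner"])
        else:
            entry["unattributed"] += 1
            entry["classes"].add(classify(h["func"]))
    for entry in report.values():
        entry["classes"] = sorted(entry["classes"])
        entry["owners"] = sorted(entry["owners"])
    return report

if __name__ == "__main__":
    for proc, e in triage(parse_hooks(SAMPLE_LOG)).items():
        print(f"{proc:28} unattributed={e['unattributed']:2} classes={e['classes']} owners={e['owners']}")
```

Feed it the whole `.text` section of a GMER log and the processes with the most unattributed hooks, and the widest spread of classes, come out on top. An unattributed hook is not proof of malware by itself (some security products also inject unnamed code), but the same set of file, process, registry and network APIs hooked into every system process, with targets in anonymous memory, is the pattern worth chasing.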

#4 sloop
  • Topic Starter
  • Members
  • 12 posts

Posted 13 January 2012 - 02:11 AM

I also ran Defogger as requested.

#5 sloop
  • Topic Starter
  • Members
  • 12 posts

Posted 13 January 2012 - 03:29 AM

I tried GMER a second time with Files checked - same result - blue screen.

#6 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 January 2012 - 09:09 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Let's try aswMBR instead of GMER.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#7 sloop
  • Topic Starter
  • Members
  • 12 posts

Posted 13 January 2012 - 10:36 PM

Thanks for the help.

aswMBR log:

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-13 20:53:55
-----------------------------
20:53:55.000 OS Version: Windows 5.1.2600 Service Pack 3
20:53:55.000 Number of processors: 2 586 0x4303
20:53:55.000 ComputerName: TEXAS UserName:
20:53:57.109 Initialize success
20:54:39.078 AVAST engine defs: 12011301
20:55:28.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port3Path0Target0Lun0
20:55:28.421 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 8
20:55:28.421 Device \Driver\nvgts -> DriverStartIo SCSIPORT.SYS b7df040e
20:55:28.421 Disk 0 MBR read successfully
20:55:28.421 Disk 0 MBR scan
20:55:28.468 Disk 0 Windows XP default MBR code
20:55:28.468 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476937 MB offset 63
20:55:28.500 Disk 0 Partition 2 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 976768065
20:55:28.531 Disk 0 Partition 2 **INFECTED** MBR:Alureon-K [Rtk]
20:55:28.531 Disk 0 scanning sectors +976773152
20:55:28.843 Disk 0 scanning C:\WINDOWS\system32\drivers
20:55:47.687 Service scanning
20:55:48.875 Modules scanning
20:55:52.109 Disk 0 trace - called modules:
20:55:52.109 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS nvgts.sys
20:55:52.109 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b9989c0]
20:55:52.109 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\0000008d[0x8b944730]
20:55:52.109 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Scsi\nvgts1Port3Path0Target0Lun0[0x8b99c030]
20:55:52.843 AVAST engine scan C:\WINDOWS
20:56:15.984 AVAST engine scan C:\WINDOWS\system32
20:58:49.953 AVAST engine scan C:\WINDOWS\system32\drivers
20:59:07.750 AVAST engine scan C:\Documents and Settings\Edmond
21:25:19.109 AVAST engine scan C:\Documents and Settings\All Users
21:32:13.921 Scan finished successfully
21:32:34.140 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Edmond\Desktop\MBR.dat"
21:32:34.156 The log file has been saved successfully to "C:\Documents and Settings\Edmond\Desktop\aswMBR.txt"

#8 m0le
  • Malware Response Team

Posted 14 January 2012 - 10:46 AM

The rootkit has added an infected partition to your hard drive, so we're going to remove it.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Boot the computer from the CD
  • Press Tool at the top
  • Choose Open Terminal
  • Type parted /dev/sda set 1 boot on
  • Press Enter
  • Type parted /dev/sda rm 2
  • Press Enter
  • Now reboot without xPUD and run aswMBR and post the log

m0le is a proud member of UNITE
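
The two parted commands above do two separate things: `set 1 boot on` makes sure the Windows partition carries the active (0x80) flag that the MBR boot code hands off to, and `rm 2` drops the hidden entry. The order matters in general: if the hidden entry were the one holding the active flag, removing it alone would leave no bootable partition. In the aswMBR log partition 1 was still marked `80 (A)`, so here the first command is a safeguard. As an added example (not part of the thread, and not aswMBR's, xPUD's or parted's code), this Python script does the same two edits on a raw 512-byte MBR image, after first picking out the entry that looks like the hidden partition aswMBR reported (hidden NTFS type 0x17, 2 MB, parked after partition 1 at the end of the disk). The MBR bytes are constructed here to match the table in the log; the drive's LBA count of 976773168 sectors is an assumption, as is the guess that the MBR.dat file aswMBR saves is the raw sector, which is what you would feed to `parse_mbr` to compare the before and after tables.

```python
"""Parse a raw 512-byte MBR, pick out an entry that looks like the hidden partition
aswMBR reported, and apply the same two fixes as the parted commands above
(keep the OS partition active, drop the hidden entry) to the MBR bytes."""
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"            # boot flag, CHS start, type, CHS end, LBA start, sector count
DISK_SECTORS = 976773168           # assumption: LBA count of the 476940 MB drive in the log
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}   # "hidden" FAT/NTFS type codes

def build_entry(boot, ptype, lba, count):
    """One 16-byte partition entry; CHS fields zeroed since only the LBA fields matter here."""
    return struct.pack(ENTRY_FMT, boot, b"\0\0\0", ptype, b"\0\0\0", lba, count)

def build_mbr(entries):
    """A 512-byte MBR: 446 bytes of placeholder boot code, four entries, 0x55AA signature."""
    table = b"".join(entries) + build_entry(0, 0, 0, 0) * (4 - len(entries))
    return b"\x90" * 446 + table + b"\x55\xAA"

# Constructed to match the table aswMBR printed before cleanup (not the real MBR.dat).
INFECTED_MBR = build_mbr([
    build_entry(0x80, 0x07, 63, 976768002),      # 1: active NTFS, 476937 MB, offset 63
    build_entry(0x00, 0x17, 976768065, 5087),    # 2: hidden NTFS (0x17), ~2 MB, offset 976768065
])

def parse_mbr(mbr):
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a valid signature")
    parts = []
    for i in range(4):
        boot, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype != 0:
            parts.append({"index": i + 1, "active": boot == 0x80, "type": ptype,
                          "start": lba, "sectors": count})
    return parts

def suspicious_partitions(parts, disk_sectors=DISK_SECTORS, max_mb=64, tail_sectors=2048):
    """Flag an entry when at least two of these hold: hidden type code, tiny size,
    placed after every other partition and within tail_sectors of the end of the disk."""
    flagged = []
    for p in parts:
        end = p["start"] + p["sectors"]
        size_mb = p["sectors"] * SECTOR // (1024 * 1024)
        others_end = max((q["start"] + q["sectors"] for q in parts if q is not p), default=0)
        reasons = []
        if p["type"] in HIDDEN_TYPES:
            reasons.append(f"hidden partition type 0x{p['type']:02X}")
        if size_mb < max_mb:
            reasons.append(f"only {size_mb} MB")
        if p["start"] >= others_end and disk_sectors - end <= tail_sectors:
            reasons.append("parked after all other partitions at the end of the disk")
        if len(reasons) >= 2:
            flagged.append({"index": p["index"], "reasons": reasons})
    return flagged

def remove_partition(mbr, index):
    """Equivalent of 'parted /dev/sda rm N': zero the 16-byte entry."""
    out = bytearray(mbr)
    off = 446 + 16 * (index - 1)
    out[off:off + 16] = bytes(16)
    return bytes(out)

def set_active(mbr, index):
    """Equivalent of 'parted /dev/sda set N boot on': only entry N carries the 0x80 flag."""
    out = bytearray(mbr)
    for i in range(4):
        out[446 + 16 * i] = 0x80 if i + 1 == index else 0x00
    return bytes(out)

if __name__ == "__main__":
    parts = parse_mbr(INFECTED_MBR)
    for f in suspicious_partitions(parts):
        print(f"partition {f['index']}: " + "; ".join(f["reasons"]))
    cleaned = set_active(remove_partition(INFECTED_MBR, 2), 1)
    print("after cleanup:", parse_mbr(cleaned))
```

Run against the constructed table it flags partition 2 on all three counts and leaves partition 1 alone; after `remove_partition` and `set_active` the table contains only the active NTFS entry, which is what the second aswMBR log in the thread shows. Note that this only edits the partition table: the sectors the hidden partition occupied are untouched, which is why the follow-up aswMBR scan still reads the region starting at 976768065.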

#9 sloop
  • Topic Starter
  • Members
  • 12 posts

Posted 14 January 2012 - 01:42 PM

Whew, glad that partition is gone.

I had to log in as an alternate user to run GETxPUD to download and create a usable boot CD. xPUD might have changed, but the xterm terminal option is not hard to find, and the commands were successful.

Below is the new aswMBR log:

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-14 11:58:42
-----------------------------
11:58:42.093 OS Version: Windows 5.1.2600 Service Pack 3
11:58:42.093 Number of processors: 2 586 0x4303
11:58:42.093 ComputerName: TEXAS UserName:
11:58:43.265 Initialize success
11:59:09.390 AVAST engine defs: 12011401
11:59:15.296 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port3Path0Target0Lun0
11:59:15.296 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 8
11:59:15.296 Device \Driver\nvgts -> DriverStartIo SCSIPORT.SYS b7df040e
11:59:15.296 Disk 0 MBR read successfully
11:59:15.296 Disk 0 MBR scan
11:59:15.343 Disk 0 Windows XP default MBR code
11:59:15.343 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476937 MB offset 63
11:59:15.343 Disk 0 scanning sectors +976768065
11:59:15.375 Disk 0 scanning C:\WINDOWS\system32\drivers
11:59:34.375 Service scanning
11:59:36.265 Modules scanning
11:59:38.796 Disk 0 trace - called modules:
11:59:38.828 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS nvgts.sys
11:59:38.828 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b9989c0]
11:59:38.828 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\0000008d[0x8b944730]
11:59:38.828 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Scsi\nvgts1Port3Path0Target0Lun0[0x8b99c030]
11:59:39.296 AVAST engine scan C:\WINDOWS
12:00:03.031 AVAST engine scan C:\WINDOWS\system32
12:02:49.031 AVAST engine scan C:\WINDOWS\system32\drivers
12:03:11.718 AVAST engine scan C:\Documents and Settings\Edmond
12:30:29.234 AVAST engine scan C:\Documents and Settings\All Users
12:36:42.968 Scan finished successfully
12:36:57.281 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Edmond\Desktop\MBR.dat"
12:36:57.328 The log file has been saved successfully to "C:\Documents and Settings\Edmond\Desktop\aswMBR2.txt"

#10 m0le
  • Malware Response Team

Posted 14 January 2012 - 05:52 PM

Now we need to check whether the rootkit let anything else in.

Please run MBAM.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
m0le is a proud member of UNITE

#11 sloop

  • Topic Starter

Posted 14 January 2012 - 06:39 PM

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.14.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Edmond :: TEXAS [administrator]

1/14/2012 3:11:59 PM
mbam-log-2012-01-14 (15-11-59).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 693328
Time elapsed: 2 hour(s), 17 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
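The log above is the plain-text format Malwarebytes 1.60 writes. As an added example (not code from the thread or from Malwarebytes), here is a small Python parser that turns such a log into header fields, per-category counts and a clean/not-clean verdict, so a helper reviewing many of these posts does not have to eyeball every "Detected:" line. The sample log is constructed in the same layout, and its single detection line is invented.

```python
import re

# Constructed sample in the layout of the MBAM 1.60 log posted above; the
# real log was clean, this one carries one invented detection.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.14.01

Scan type: Full scan
Objects scanned: 693328
Time elapsed: 2 hour(s), 17 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Edmond\Local Settings\Temp\sample.exe (Trojan.Sample) -> Quarantined and deleted successfully.

(end)
"""

DETECTED_RE = re.compile(r"^([A-Za-z ]+) Detected: (\d+)$")
HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")


def parse_mbam_log(text):
    """Return header fields, per-category counts and the listed detections."""
    report = {"header": {}, "counts": {}, "items": {}}
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            report["header"][m.group(1)] = m.group(2)
        elif (m := DETECTED_RE.match(line)):
            category = m.group(1)
            report["counts"][category] = int(m.group(2))
            report["items"][category] = []
        elif category and line and not line.startswith("("):
            # Lines between a non-zero count and the next section are the
            # detections themselves (path, threat name, action taken).
            report["items"][category].append(line)
    return report


def is_clean(report):
    """True when every 'Detected:' counter in the log is zero."""
    return all(n == 0 for n in report["counts"].values())


def detections(report):
    """Flatten the per-category item lists into (category, line) pairs."""
    return [(c, item) for c, items in report["items"].items() for item in items]
```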

#12 m0le

  • Malware Response Team

Posted 14 January 2012 - 08:23 PM

That seems in order. Run the ESET scanner.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click the link to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the ESET Smart Installer icon on your desktop.
  • Check the box to accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Scan archives and check Remove found threats.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.


Please also let me know how the machine is behaving now.

#13 sloop

  • Topic Starter

Posted 14 January 2012 - 09:12 PM

I am running the ESET scanner now.

The PC seems OK, as best I can tell. Before I posted here I ran Unhide; it caused the files to show, and most of my desktop icons, but under All Programs many are missing, and the ones listed show (Empty) instead of the programs.

#14 sloop

  • Topic Starter

Posted 14 January 2012 - 11:59 PM

C:\Documents and Settings\Edmond\Application Data\Free Download Manager\Update\fdminst.exe Win32/OpenCandy application deleted - quarantined

#15 m0le

  • Malware Response Team

Posted 15 January 2012 - 01:11 PM

Click this link and run the program. This should restore the Start menu to its default settings.

See how that goes.
