Rootkit removal


  • This topic is locked
37 replies to this topic

#1 bigj123454321
  • Members
  • 55 posts

Posted 17 February 2012 - 08:53 PM

I have 3 partitions: C: System Reserved, D: Windows 7, and E: Windows XP.

Windows XP is infected. My browser will take me to different ad websites, and my virus scanner will not even detect anything.
Here is the DDS scan log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Jared at 15:13:03 on 2012-02-17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3005.2407 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
e:\program files\idt\xpm09_6047v002\wdm\STacSV.exe
E:\WINDOWS\Explorer.EXE
svchost.exe
E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\svchost.exe -k hpdevmgmt
E:\WINDOWS\system32\svchost.exe -k HPService
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\system32\mfevtps.exe
E:\WINDOWS\System32\svchost.exe -k NecUsb3Sevic
E:\WINDOWS\System32\svchost.exe -k HPZ12
E:\Program Files\Common Files\PACE\Services\LicenseServices\LDSvc.exe
E:\WINDOWS\System32\svchost.exe -k HPZ12
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
E:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
E:\WINDOWS\system32\igfxsrvc.exe
E:\WINDOWS\system32\igfxpers.exe
E:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
E:\Program Files\IDT\WDM\sttray.exe
E:\WINDOWS\system32\AESTFltr.exe
E:\Program Files\Unlocker\UnlockerAssistant.exe
E:\Program Files\McAfee.com\Agent\mcagent.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wbem\wmiapsrv.exe
E:\Program Files\Mozilla Firefox\firefox.exe
\\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs
E:\Program Files\Mozilla Firefox\plugin-container.exe
E:\WINDOWS\System32\svchost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.com
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - e:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AOL Toolbar Loader: {3ef64538-8b54-4573-b48f-4d34b0238ab2} - e:\program files\aol toolbar\aoltb.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - e:\program files\common files\mcafee\systemcore\ScriptSn.20110808163845.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - e:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - e:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - e:\program files\aol toolbar\aoltb.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - e:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
mRun: [IgfxTray] e:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] e:\windows\system32\hkcmd.exe
mRun: [Persistence] e:\windows\system32\igfxpers.exe
mRun: [TrueImageMonitor.exe] "e:\program files\acronis\trueimagehome\TrueImageMonitor.exe"
mRun: [Acronis Scheduler2 Service] "e:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [UnlockerAssistant] "e:\program files\unlocker\UnlockerAssistant.exe"
mRun: [<NO NAME>]
mRun: [mcui_exe] "e:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [APSDaemon] "e:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "e:\program files\quicktime\QTTask.exe" -atboottime
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Open Picture in &Microsoft PhotoDraw - e:\progra~1\micros~2\office\1033\phdintl.dll/phdContext.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - e:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{71D0F761-BF15-436A-8053-9FDAA3DCDC1F} : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - e:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - e:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
Notify: NecUsb3Sevices - USB3Sw32.dll
Notify: USB3Sw32 - USB3Sw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - e:\documents and settings\jared\application data\mozilla\firefox\profiles\116kk2yk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
FF - prefs.js: network.proxy.type - 4
FF - component: e:\documents and settings\jared\application data\mozilla\firefox\profiles\116kk2yk.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\MailUtil.dll
FF - component: e:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: e:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: e:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: e:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: e:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: e:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: e:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: e:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: AOL Toolbar: {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} - %profile%\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - e:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;e:\windows\system32\drivers\mfehidk.sys [2011-3-13 459728]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);e:\windows\system32\drivers\tdrpm273.sys [2010-12-28 752128]
R1 mfetdi2k;McAfee Inc. mfetdi2k;e:\windows\system32\drivers\mfetdi2k.sys [2011-8-8 84200]
R2 afcdpsrv;Acronis Nonstop Backup service;e:\program files\common files\acronis\cdp\afcdpsrv.exe [2010-12-28 3975088]
R2 McMPFSvc;McAfee Personal Firewall Service;e:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-8-8 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;e:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-8-8 271480]
R2 McProxy;McAfee Proxy Service;e:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-8-8 271480]
R2 McShield;McShield;e:\program files\common files\mcafee\systemcore\mcshield.exe [2011-8-8 171168]
R2 mfefire;McAfee Firewall Core Service;e:\program files\common files\mcafee\systemcore\mfefire.exe [2011-8-8 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;e:\windows\system32\mfevtps.exe [2011-8-8 148520]
R2 NecUsb3;USB3 Service;e:\windows\system32\svchost.exe -k NecUsb3Sevic [2004-8-4 14336]
R2 PaceLicenseDServices;PACE License Services;e:\program files\common files\pace\services\licenseservices\LDSvc.exe [2010-11-8 2647552]
R3 AESTAud;AE Audio Service;e:\windows\system32\drivers\AESTAud.sys [2010-12-28 108160]
R3 afcdp;afcdp;e:\windows\system32\drivers\afcdp.sys [2010-12-28 163232]
R3 cfwids;McAfee Inc. cfwids;e:\windows\system32\drivers\cfwids.sys [2011-8-8 56064]
R3 CLEDX;Team H2O CLEDX service;e:\windows\system32\drivers\cledx.sys [2011-5-19 33792]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;e:\windows\system32\drivers\k57xp32.sys [2010-12-26 176640]
R3 mfeavfk;McAfee Inc. mfeavfk;e:\windows\system32\drivers\mfeavfk.sys [2011-8-8 153280]
R3 mfebopk;McAfee Inc. mfebopk;e:\windows\system32\drivers\mfebopk.sys [2011-8-8 52320]
R3 mfefirek;McAfee Inc. mfefirek;e:\windows\system32\drivers\mfefirek.sys [2011-8-8 314088]
R3 mfendiskmp;mfendiskmp;e:\windows\system32\drivers\mfendisk.sys [2011-8-8 88736]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;e:\windows\system32\drivers\OA008Ufd.sys [2010-12-26 144672]
R3 OA008Vid;Creative Camera OA008 Function Driver;e:\windows\system32\drivers\OA008Vid.sys [2010-12-26 269536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;e:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 dualshock3;SIXAXIS/DUALSHOCK3 DX (USB) Beta;e:\windows\system32\drivers\dualshock3.sys [2011-7-27 22912]
S2 gupdate;Google Update Service (gupdate);e:\program files\google\update\GoogleUpdate.exe [2011-9-13 136176]
S3 gupdatem;Google Update Service (gupdatem);e:\program files\google\update\GoogleUpdate.exe [2011-9-13 136176]
S3 iLokDrvr;Usb Driver;e:\windows\system32\drivers\iLokDrvr.sys [2010-11-3 21112]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;e:\windows\system32\drivers\mfendisk.sys [2011-8-8 88736]
S3 mferkdet;McAfee Inc. mferkdet;e:\windows\system32\drivers\mferkdet.sys [2011-8-8 84488]
S3 osppsvc;Office Software Protection Platform;e:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;e:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
regfile="regedit.exe" "%1"
.
=============== Created Last 30 ================
.
2012-09-29 18:25:30 -------- d-----w- e:\program files\CCleaner
2012-02-14 15:12:39 0 --sha-w- e:\windows\system32\dds_trash_log.cmd
2012-02-14 15:04:31 37888 ----a-w- e:\windows\system32\USB3Sw32.dll
2012-02-14 15:04:31 156672 ----a-w- e:\windows\system32\NCUSBw32.dll
.
==================== Find3M ====================
.
2011-11-30 20:13:35 414368 ----a-w- e:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57:19 293376 ----a-w- e:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- e:\windows\system32\win32k.sys
.
============= FINISH: 15:13:43.59 ===============

Here is the gmer log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-17 16:41:21
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9500420ASG rev.0003SDM1
Running: lc57fv43.exe; Driver: E:\DOCUME~1\Jared\LOCALS~1\Temp\pxtdypob.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9ED0D70]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9ED0D84]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9ED0DB0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9ED0E06]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9ED0D5C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9ED0D34]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9ED0D48]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9ED0D9A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9ED0DDC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9ED0DC6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9ED0E30]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9ED0E1C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9ED0DF0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8082DB08 7 Bytes JMP B9ED0DF4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 808DB03A 7 Bytes JMP B9ED0E0A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 808DBE48 5 Bytes JMP B9ED0E20 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 808E962E 5 Bytes JMP B9ED0DE0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 808F4440 5 Bytes JMP B9ED0D38 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 808F46CC 5 Bytes JMP B9ED0D4C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 808FB9E2 5 Bytes JMP B9ED0E34 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 8094B662 7 Bytes JMP B9ED0DCA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 8094CB12 7 Bytes JMP B9ED0D9E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8094D0F0 5 Bytes JMP B9ED0D74 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8094D58C 7 Bytes JMP B9ED0D88 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8094D75C 7 Bytes JMP B9ED0DB4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8094E4CE 5 Bytes JMP B9ED0D60 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ipsec.sys A7A82000 19 Bytes [A7, FF, B5, 04, FF, FF, FF, ...]
.text ipsec.sys A7A82015 7 Bytes [57, 1B, DB, 81, E3, C0, 03]
.text ipsec.sys A7A8201D 90 Bytes [00, 83, C3, 40, 53, 68, 5C, ...]
.text ipsec.sys A7A82078 163 Bytes [B5, 04, FF, FF, FF, E8, 9A, ...]
.text ipsec.sys A7A8211C 41 Bytes [6F, 00, 6E, 00, 74, 00, 72, ...]
.text ...
? E:\DOCUME~1\Jared\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text E:\WINDOWS\system32\svchost.exe[232] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01970000
.text E:\WINDOWS\system32\svchost.exe[232] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01970FE5
.text E:\WINDOWS\system32\svchost.exe[232] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01970025
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01960000
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01960098
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01960FA3
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01960087
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0196006C
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01960051
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 019600C9
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01960F81
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01960F55
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01960F66
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!GetProcAddress 7C80AE40 1 Byte [E9]
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01960F44
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01960FCA
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01960011
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01960F92
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01960040
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01960FE5
.text E:\WINDOWS\system32\svchost.exe[232] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 019600E4
.text E:\WINDOWS\system32\svchost.exe[232] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01AD0022
.text E:\WINDOWS\system32\svchost.exe[232] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01AD0F91
.text E:\WINDOWS\system32\svchost.exe[232] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01AD0011
.text E:\WINDOWS\system32\svchost.exe[232] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01AD0000
.text E:\WINDOWS\system32\svchost.exe[232] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01AD004E
.text E:\WINDOWS\system32\svchost.exe[232] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01AD0FE5
.text E:\WINDOWS\system32\svchost.exe[232] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01AD003D
.text E:\WINDOWS\system32\svchost.exe[232] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01AD0FC0
.text E:\WINDOWS\system32\svchost.exe[232] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01AC0053
.text E:\WINDOWS\system32\svchost.exe[232] msvcrt.dll!system 77C293C7 5 Bytes JMP 01AC0042
.text E:\WINDOWS\system32\svchost.exe[232] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01AC001D
.text E:\WINDOWS\system32\svchost.exe[232] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01AC000C
.text E:\WINDOWS\system32\svchost.exe[232] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01AC0FD2
.text E:\WINDOWS\system32\svchost.exe[232] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01AC0FEF
.text E:\WINDOWS\system32\svchost.exe[232] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01AB0FE5
.text E:\WINDOWS\system32\svchost.exe[232] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 01AA000A
.text E:\WINDOWS\system32\svchost.exe[232] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 01AA0FEF
.text E:\WINDOWS\system32\svchost.exe[232] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 01AA0FD4
.text E:\WINDOWS\system32\svchost.exe[232] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 01AA0FC3
.text E:\WINDOWS\system32\svchost.exe[424] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DC0000
.text E:\WINDOWS\system32\svchost.exe[424] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DC002C
.text E:\WINDOWS\system32\svchost.exe[424] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DC001B
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DB000A
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DB0F5F
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DB0F70
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DB004A
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DB0F8D
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DB0025
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DB008C
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DB006F
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DB0EFD
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DB0F0E
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DB00A7
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DB0F9E
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DB0FEF
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DB0F44
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DB0FB9
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DB0FD4
.text E:\WINDOWS\system32\svchost.exe[424] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DB0F33
.text E:\WINDOWS\system32\svchost.exe[424] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EC0FB6
.text E:\WINDOWS\system32\svchost.exe[424] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EC003D
.text E:\WINDOWS\system32\svchost.exe[424] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EC0FDB
.text E:\WINDOWS\system32\svchost.exe[424] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EC0011
.text E:\WINDOWS\system32\svchost.exe[424] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EC0F80
.text E:\WINDOWS\system32\svchost.exe[424] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EC0000
.text E:\WINDOWS\system32\svchost.exe[424] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EC0F9B
.text E:\WINDOWS\system32\svchost.exe[424] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0C, 89] {OR AL, 0x89}
.text E:\WINDOWS\system32\svchost.exe[424] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EC0022
.text E:\WINDOWS\system32\svchost.exe[424] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EB0047
.text E:\WINDOWS\system32\svchost.exe[424] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EB0FBC
.text E:\WINDOWS\system32\svchost.exe[424] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EB0FDE
.text E:\WINDOWS\system32\svchost.exe[424] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EB0000
.text E:\WINDOWS\system32\svchost.exe[424] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EB0FCD
.text E:\WINDOWS\system32\svchost.exe[424] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EB0FEF
.text E:\WINDOWS\system32\svchost.exe[424] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DE0FE5
.text E:\WINDOWS\system32\svchost.exe[424] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00DD0000
.text E:\WINDOWS\system32\svchost.exe[424] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00DD0FE5
.text E:\WINDOWS\system32\svchost.exe[424] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00DD0FCA
.text E:\WINDOWS\system32\svchost.exe[424] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00DD001B
.text E:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[476] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 E:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text E:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[476] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 E:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text E:\WINDOWS\System32\svchost.exe[772] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B1000A
.text E:\WINDOWS\System32\svchost.exe[772] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B10FD4
.text E:\WINDOWS\System32\svchost.exe[772] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B10FEF
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B00FE5
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B00F4D
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B00042
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B00F68
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B00F79
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B00FA8
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B00F30
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B00078
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B00EE9
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B00EFA
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B00093
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B00025
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B0000A
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B00067
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B00FB9
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B00FD4
.text E:\WINDOWS\System32\svchost.exe[772] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B00F15
.text E:\WINDOWS\System32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AF0FCA
.text E:\WINDOWS\System32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AF0073
.text E:\WINDOWS\System32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AF001B
.text E:\WINDOWS\System32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AF0000
.text E:\WINDOWS\System32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AF0062
.text E:\WINDOWS\System32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AF0FE5
.text E:\WINDOWS\System32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AF0051
.text E:\WINDOWS\System32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AF0036
.text E:\WINDOWS\System32\svchost.exe[772] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B4002C
.text E:\WINDOWS\System32\svchost.exe[772] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B4001B
.text E:\WINDOWS\System32\svchost.exe[772] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B40FBC
.text E:\WINDOWS\System32\svchost.exe[772] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B40000
.text E:\WINDOWS\System32\svchost.exe[772] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B40FAB
.text E:\WINDOWS\System32\svchost.exe[772] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B40FD7
.text E:\WINDOWS\System32\svchost.exe[772] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B30000
.text E:\WINDOWS\System32\svchost.exe[772] wininet.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00B2000A
.text E:\WINDOWS\System32\svchost.exe[772] wininet.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00B20FEF
.text E:\WINDOWS\System32\svchost.exe[772] wininet.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00B2001B
.text E:\WINDOWS\System32\svchost.exe[772] wininet.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00B20036
.text E:\WINDOWS\System32\svchost.exe[796] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006F0000
.text E:\WINDOWS\System32\svchost.exe[796] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006F0036
.text E:\WINDOWS\System32\svchost.exe[796] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006F0025
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E0FE5
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006E0F74
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006E0073
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006E0058
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006E0F9B
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006E0036
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006E0095
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006E0084
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006E0F2B
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006E0F3C
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006E0F1A
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006E0047
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E0FD4
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006E0F63
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006E0025
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006E0014
.text E:\WINDOWS\System32\svchost.exe[796] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006E00B0
.text E:\WINDOWS\System32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006D0FB2
.text E:\WINDOWS\System32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006D0046
.text E:\WINDOWS\System32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006D0FC3
.text E:\WINDOWS\System32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006D0FD4
.text E:\WINDOWS\System32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006D0F7F
.text E:\WINDOWS\System32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006D0FEF
.text E:\WINDOWS\System32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006D0F90
.text E:\WINDOWS\System32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8D, 88]
.text E:\WINDOWS\System32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006D0FA1
.text E:\WINDOWS\System32\svchost.exe[796] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00710042
.text E:\WINDOWS\System32\svchost.exe[796] msvcrt.dll!system 77C293C7 5 Bytes JMP 00710031
.text E:\WINDOWS\System32\svchost.exe[796] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00710FD2
.text E:\WINDOWS\System32\svchost.exe[796] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00710FEF
.text E:\WINDOWS\System32\svchost.exe[796] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00710FC1
.text E:\WINDOWS\System32\svchost.exe[796] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0071000C
.text E:\WINDOWS\System32\svchost.exe[796] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00700FEF
.text E:\Program Files\Common Files\PACE\Services\LicenseServices\LDSvc.exe[820] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 00157028
.text E:\WINDOWS\System32\svchost.exe[888] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006F0FE5
.text E:\WINDOWS\System32\svchost.exe[888] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006F0000
.text E:\WINDOWS\System32\svchost.exe[888] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006F0FD4
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E0FE5
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006E0F4B
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006E004A
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006E0F72
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006E0F83
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006E0FAF
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006E0EF8
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006E0F1F
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006E0076
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006E0065
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006E0EB8
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006E0F9E
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E0000
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006E0F30
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006E0FC0
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006E0011
.text E:\WINDOWS\System32\svchost.exe[888] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006E0EE7
.text E:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006D001E
.text E:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006D0F7C
.text E:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006D0FC3
.text E:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006D0FDE
.text E:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006D0F8D
.text E:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006D0FEF
.text E:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006D0FA8
.text E:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8D, 88]
.text E:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006D002F
.text E:\WINDOWS\System32\svchost.exe[888] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00710FB7
.text E:\WINDOWS\System32\svchost.exe[888] msvcrt.dll!system 77C293C7 5 Bytes JMP 00710042
.text E:\WINDOWS\System32\svchost.exe[888] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00710FC8
.text E:\WINDOWS\System32\svchost.exe[888] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00710000
.text E:\WINDOWS\System32\svchost.exe[888] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0071001D
.text E:\WINDOWS\System32\svchost.exe[888] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00710FE3
.text E:\WINDOWS\System32\svchost.exe[888] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00700000
.text E:\WINDOWS\system32\svchost.exe[1020] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 00910FEF
.text E:\WINDOWS\system32\svchost.exe[1020] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text E:\WINDOWS\system32\svchost.exe[1020] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 0091000A
.text E:\WINDOWS\system32\svchost.exe[1020] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
.text E:\WINDOWS\system32\svchost.exe[1020] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 00910FD4
.text E:\WINDOWS\system32\svchost.exe[1020] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0090000A
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00900090
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0090007F
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900062
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900051
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900FC3
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00900F6F
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900F80
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00900F4A
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009000E3
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00900F2F
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900040
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900FEF
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009000AB
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0090002F
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00900FDE
.text E:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009000C8
.text E:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0036
.text E:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0076
.text E:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0025
.text E:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0FE5
.text E:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0FB9
.text E:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0000
.text E:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF005B
.text E:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FD4
.text E:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE003B
.text E:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0FA6
.text E:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FC1
.text E:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FE3
.text E:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0016
.text E:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FD2
.text E:\WINDOWS\system32\svchost.exe[1020] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00920000
.text E:\WINDOWS\system32\svchost.exe[1020] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00920011
.text E:\WINDOWS\system32\svchost.exe[1020] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00920FDB
.text E:\WINDOWS\system32\svchost.exe[1020] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00920FC0
.text E:\WINDOWS\system32\svchost.exe[1020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930FEF
.text E:\WINDOWS\Explorer.EXE[1148] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C00FEF
.text E:\WINDOWS\Explorer.EXE[1148] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C00FCD
.text E:\WINDOWS\Explorer.EXE[1148] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C00FDE
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FEF
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0F72
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F8D
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0F9E
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE005B
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0040
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE009F
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0082
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00DC
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE00C1
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0F32
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0FB9
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0014
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0F57
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE002F
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0FDE
.text E:\WINDOWS\Explorer.EXE[1148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00B0
.text E:\WINDOWS\Explorer.EXE[1148] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 014A0FAF
.text E:\WINDOWS\Explorer.EXE[1148] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 014A002C
.text E:\WINDOWS\Explorer.EXE[1148] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 014A0FC0
.text E:\WINDOWS\Explorer.EXE[1148] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 014A0FDB
.text E:\WINDOWS\Explorer.EXE[1148] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 014A001B
.text E:\WINDOWS\Explorer.EXE[1148] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 014A0000
.text E:\WINDOWS\Explorer.EXE[1148] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 014A0F79
.text E:\WINDOWS\Explorer.EXE[1148] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [6A, 89] {PUSH -0x77}
.text E:\WINDOWS\Explorer.EXE[1148] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 014A0F94
.text E:\WINDOWS\Explorer.EXE[1148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CF0049
.text E:\WINDOWS\Explorer.EXE[1148] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CF0FBE
.text E:\WINDOWS\Explorer.EXE[1148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CF001D
.text E:\WINDOWS\Explorer.EXE[1148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CF0000
.text E:\WINDOWS\Explorer.EXE[1148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CF0038
.text E:\WINDOWS\Explorer.EXE[1148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CF0FE3
.text E:\WINDOWS\Explorer.EXE[1148] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00C30FEF
.text E:\WINDOWS\Explorer.EXE[1148] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00C30FCA
.text E:\WINDOWS\Explorer.EXE[1148] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00C3000A
.text E:\WINDOWS\Explorer.EXE[1148] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00C30FB9
.text E:\WINDOWS\Explorer.EXE[1148] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 10001102 E:\Program Files\Unlocker\UnlockerHook.dll
.text E:\WINDOWS\Explorer.EXE[1148] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CE0000
.text E:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C10FEF
.text E:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C10FCA
.text E:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00000
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00F7E
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C0007D
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C0006C
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C0005B
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00040
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C0008E
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00F52
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00F21
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C000BA
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C000D5
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C00FB9
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C0001B
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C00F6D
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C00FD4
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C00FEF
.text E:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C000A9
.text E:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0FB9
.text E:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF006C
.text E:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0FD4
.text E:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF000A
.text E:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0051
.text E:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0FEF
.text E:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF0040
.text E:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0025
.text E:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C2006E
.text E:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20FE3
.text E:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20038
.text E:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20000
.text E:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20053
.text E:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20011
.text E:\WINDOWS\System32\ping.exe[1432] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BA000A
.text E:\WINDOWS\System32\ping.exe[1432] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00BB000A
.text E:\WINDOWS\System32\ping.exe[1432] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A5000A
.text E:\WINDOWS\System32\ping.exe[1432] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A6000A
.text E:\WINDOWS\System32\ping.exe[1432] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A4000C
.text E:\WINDOWS\System32\ping.exe[1432] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00BE000A
.text E:\WINDOWS\System32\ping.exe[1432] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 00BF000A
.text E:\WINDOWS\System32\ping.exe[1432] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 00C0000A
.text E:\WINDOWS\System32\ping.exe[1432] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 00BD000A
.text E:\WINDOWS\system32\services.exe[1608] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040FEF
.text E:\WINDOWS\system32\services.exe[1608] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040FC3
.text E:\WINDOWS\system32\services.exe[1608] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00040FDE
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F60000
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F60F6D
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F60062
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F60F94
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F60FA5
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F60036
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F60F24
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F60F3F
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F60F09
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F60098
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F60EF8
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F60051
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F60FE5
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F60F5C
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F60FCA
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F6001B
.text E:\WINDOWS\system32\services.exe[1608] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F60087
.text E:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070040
.text E:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070FA5
.text E:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070025
.text E:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FEF
.text E:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070FB6
.text E:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070000
.text E:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00070062
.text E:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070051
.text E:\WINDOWS\system32\services.exe[1608] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FAD
.text E:\WINDOWS\system32\services.exe[1608] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FC8
.text E:\WINDOWS\system32\services.exe[1608] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FE3
.text E:\WINDOWS\system32\services.exe[1608] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060000
.text E:\WINDOWS\system32\services.exe[1608] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060038
.text E:\WINDOWS\system32\services.exe[1608] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0006001D
.text E:\WINDOWS\system32\services.exe[1608] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text E:\WINDOWS\system32\lsass.exe[1620] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BE0000
.text E:\WINDOWS\system32\lsass.exe[1620] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BE002C
.text E:\WINDOWS\system32\lsass.exe[1620] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE001B
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC0FEF
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC0071
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC0F72
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC004A
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC0F8D
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC0F9E
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC0F30
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC0F57
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC0F0E
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC00A7
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DC00B8
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DC0025
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DC0014
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DC0082
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DC0FB9
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DC0FD4
.text E:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DC0F1F
.text E:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DB0FD4
.text E:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DB0FAF
.text E:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DB0FE5
.text E:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DB0011
.text E:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DB006C
.text E:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DB0000
.text E:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DB005B
.text E:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DB0036
.text E:\WINDOWS\system32\lsass.exe[1620] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C10F92
.text E:\WINDOWS\system32\lsass.exe[1620] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C10FA3
.text E:\WINDOWS\system32\lsass.exe[1620] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C1001D
.text E:\WINDOWS\system32\lsass.exe[1620] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C10000
.text E:\WINDOWS\system32\lsass.exe[1620] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C10FC8
.text E:\WINDOWS\system32\lsass.exe[1620] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C10FE3
.text E:\WINDOWS\system32\lsass.exe[1620] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C0000A
.text E:\WINDOWS\system32\lsass.exe[1620] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00BF0FEF
.text E:\WINDOWS\system32\lsass.exe[1620] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00BF0014
.text E:\WINDOWS\system32\lsass.exe[1620] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00BF0025
.text E:\WINDOWS\system32\lsass.exe[1620] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00BF0FD4
.text E:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FD000A
.text E:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FD0036
.text E:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FD001B
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02420000
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02420FAC
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 024200AB
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02420084
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02420069
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0242003D
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024200F4
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024200E3
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02420F80
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02420F91
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02420F6F
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02420058
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02420FE5
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 024200BC
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0242002C
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0242001B
.text E:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0242010F
.text E:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0241001B
.text E:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0241006C
.text E:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02410FC0
.text E:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02410000
.text E:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02410FAF
.text E:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02410FEF
.text E:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02410047
.text E:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02410036
.text E:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0047
.text E:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FBC
.text E:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FCD
.text E:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
.text E:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0022
.text E:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0011
.text E:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FE5
.text E:\WINDOWS\system32\svchost.exe[1840] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FF0000
.text E:\WINDOWS\system32\svchost.exe[1840] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FF0FD4
.text E:\WINDOWS\system32\svchost.exe[1840] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FF0FE5
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01050FEF
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01050F5C
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01050047
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01050F79
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01050036
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01050F9B
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01050093
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01050076
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01050F15
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01050F30
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01050EFA
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01050F8A
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01050000
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01050F4B
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01050FB6
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01050011
.text E:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010500A4
.text E:\WINDOWS\system32\svchost.exe[1840] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01040FA8
.text E:\WINDOWS\system32\svchost.exe[1840] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01040F83
.text E:\WINDOWS\system32\svchost.exe[1840] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01040FCD
.text E:\WINDOWS\system32\svchost.exe[1840] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01040FDE
.text E:\WINDOWS\system32\svchost.exe[1840] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01040036
.text E:\WINDOWS\system32\svchost.exe[1840] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01040FEF
.text E:\WINDOWS\system32\svchost.exe[1840] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01040025
.text E:\WINDOWS\system32\svchost.exe[1840] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01040014
.text E:\WINDOWS\system32\svchost.exe[1840] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01030FC8
.text E:\WINDOWS\system32\svchost.exe[1840] msvcrt.dll!system 77C293C7 5 Bytes JMP 01030049
.text E:\WINDOWS\system32\svchost.exe[1840] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0103002E
.text E:\WINDOWS\system32\svchost.exe[1840] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01030000
.text E:\WINDOWS\system32\svchost.exe[1840] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01030FD9
.text E:\WINDOWS\system32\svchost.exe[1840] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0103001D
.text E:\WINDOWS\system32\svchost.exe[1840] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01020FEF
.text E:\WINDOWS\system32\svchost.exe[1840] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 01010000
.text E:\WINDOWS\system32\svchost.exe[1840] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 0101001B
.text E:\WINDOWS\system32\svchost.exe[1840] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 01010036
.text E:\WINDOWS\system32\svchost.exe[1840] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 01010047
.text E:\WINDOWS\System32\svchost.exe[1872] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 03FB0FE5
.text E:\WINDOWS\System32\svchost.exe[1872] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 03FB001B
.text E:\WINDOWS\System32\svchost.exe[1872] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 03FB000A
.text E:\WINDOWS\System32\svchost.exe[1872] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01F0000A
.text E:\WINDOWS\System32\svchost.exe[1872] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 01EE000C
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 04000FEF
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 04000F92
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 04000087
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0400006C
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0400005B
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0400002F
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 040000D0
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 040000BF
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 040000FC
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 040000EB
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04000F48
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04000040
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 04000FDE
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 040000A2
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0400001E
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 04000FCD
.text E:\WINDOWS\System32\svchost.exe[1872] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 04000F63
.text E:\WINDOWS\System32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03FF0FAF
.text E:\WINDOWS\System32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03FF0036
.text E:\WINDOWS\System32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03FF0FCA
.text E:\WINDOWS\System32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03FF0FDB
.text E:\WINDOWS\System32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03FF0025
.text E:\WINDOWS\System32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03FF0000
.text E:\WINDOWS\System32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03FF0F79
.text E:\WINDOWS\System32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1F, 8C]
.text E:\WINDOWS\System32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03FF0F8A
.text E:\WINDOWS\System32\svchost.exe[1872] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03FE0FBE
.text E:\WINDOWS\System32\svchost.exe[1872] msvcrt.dll!system 77C293C7 5 Bytes JMP 03FE003F
.text E:\WINDOWS\System32\svchost.exe[1872] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03FE002E
.text E:\WINDOWS\System32\svchost.exe[1872] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03FE0000
.text E:\WINDOWS\System32\svchost.exe[1872] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03FE0FD9
.text E:\WINDOWS\System32\svchost.exe[1872] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03FE0011
.text E:\WINDOWS\System32\svchost.exe[1872] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03FD0000
.text E:\WINDOWS\System32\svchost.exe[1872] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 03FC0000
.text E:\WINDOWS\System32\svchost.exe[1872] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 03FC001B
.text E:\WINDOWS\System32\svchost.exe[1872] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 03FC0036
.text E:\WINDOWS\System32\svchost.exe[1872] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 03FC0FE5
.text E:\WINDOWS\system32\svchost.exe[1916] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00630000
.text E:\WINDOWS\system32\svchost.exe[1916] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00630FCA
.text E:\WINDOWS\system32\svchost.exe[1916] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00630FDB
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660000
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00660F79
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0066006E
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0066005D
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00660F94
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0066001B
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00660F43
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0066008B
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006600C1
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006600A6
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00660F0D
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00660036
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00660FDB
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00660F54
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00660FAF
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00660FC0
.text E:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00660F28
.text E:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00650FDE
.text E:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00650FA1
.text E:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00650FEF
.text E:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0065001B
.text E:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00650FB2
.text E:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0065000A
.text E:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00650FCD
.text E:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [85, 88]
.text E:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0065004A
.text E:\WINDOWS\system32\svchost.exe[1916] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00640067
.text E:\WINDOWS\system32\svchost.exe[1916] msvcrt.dll!system 77C293C7 5 Bytes JMP 00640FD2
.text E:\WINDOWS\system32\svchost.exe[1916] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00640FE3
.text E:\WINDOWS\system32\svchost.exe[1916] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0064000C
.text E:\WINDOWS\system32\svchost.exe[1916] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00640042
.text E:\WINDOWS\system32\svchost.exe[1916] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0064001D
? E:\WINDOWS\System32\svchost.exe[1976] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: oleaut32.dllunknown module: oleaut32.dllunknown module: comctl32.dllunknown module: oleaut32.dllunknown module: oleaut32.dll
.text E:\WINDOWS\System32\svchost.exe[1976] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text E:\WINDOWS\System32\svchost.exe[1976] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FD4
.text E:\WINDOWS\System32\svchost.exe[1976] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FE5
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B000A
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F8D
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0082
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0FA8
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FC3
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0065
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F4E
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F6B
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F22
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F33
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F07
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0FDE
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0025
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F7C
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0040
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FEF
.text E:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00B1
.text E:\WINDOWS\System32\svchost.exe[1976] advapi32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FCA
.text E:\WINDOWS\System32\svchost.exe[1976] advapi32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F8A
.text E:\WINDOWS\System32\svchost.exe[1976] advapi32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A001B
.text E:\WINDOWS\System32\svchost.exe[1976] advapi32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A000A
.text E:\WINDOWS\System32\svchost.exe[1976] advapi32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0047
.text E:\WINDOWS\System32\svchost.exe[1976] advapi32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FE5
.text E:\WINDOWS\System32\svchost.exe[1976] advapi32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A0036
.text E:\WINDOWS\System32\svchost.exe[1976] advapi32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0FB9
.text E:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0F8D
.text E:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0FA8
.text E:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FDE
.text E:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B000C
.text E:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0FC3
.text E:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FEF
.text E:\WINDOWS\System32\svchost.exe[1976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0063000A
.text E:\WINDOWS\System32\svchost.exe[1976] wininet.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00790000
.text E:\WINDOWS\System32\svchost.exe[1976] wininet.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00790FE5
.text E:\WINDOWS\System32\svchost.exe[1976] wininet.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 0079001B
.text E:\WINDOWS\System32\svchost.exe[1976] wininet.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00790FCA
.text E:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00AA0FEF
.text E:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00AA0FC3
.text E:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AA0FD4
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AF0FEF
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AF0F35
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AF0F46
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AF0F57
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AF0F68
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AF0F94
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AF0060
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AF004F
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AF0ED8
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AF0EF3
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AF008C
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AF0F83
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AF0000
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AF0F24
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AF0FB9
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AF0FCA
.text E:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AF0071
.text E:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AE0FCA
.text E:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AE0062
.text E:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AE0FEF
.text E:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AE0025
.text E:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AE0051
.text E:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AE0000
.text E:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AE0FAF
.text E:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CE, 88]
.text E:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AE0036
.text E:\WINDOWS\system32\svchost.exe[1980] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AD0036
.text E:\WINDOWS\system32\svchost.exe[1980] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AD0FAB
.text E:\WINDOWS\system32\svchost.exe[1980] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AD001B
.text E:\WINDOWS\system32\svchost.exe[1980] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AD0000
.text E:\WINDOWS\system32\svchost.exe[1980] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AD0FC6
.text E:\WINDOWS\system32\svchost.exe[1980] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AD0FE3
.text E:\WINDOWS\system32\svchost.exe[1980] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AC0000
.text E:\WINDOWS\system32\svchost.exe[1980] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00AB0FEF
.text E:\WINDOWS\system32\svchost.exe[1980] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00AB0FDE
.text E:\WINDOWS\system32\svchost.exe[1980] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00AB0FCD
.text E:\WINDOWS\system32\svchost.exe[1980] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00AB0FB2
.text E:\WINDOWS\system32\svchost.exe[2024] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B4000A
.text E:\WINDOWS\system32\svchost.exe[2024] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B40FEF
.text E:\WINDOWS\system32\svchost.exe[2024] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B4001B
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B30000
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B30F43
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B30F5E
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B30F6F
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B30F80
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B30FAC
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B30EFC
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B30F0D
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B30ED7
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B30070
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B30EC6
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B30F91
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B30011
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B30F28
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B30FC7
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B30022
.text E:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B3005F
.text E:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B60FC3
.text E:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B6006C
.text E:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B60FD4
.text E:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B60000
.text E:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B60047
.text E:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B60FE5
.text E:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B60036
.text E:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B60025
.text E:\WINDOWS\system32\svchost.exe[2024] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B5005D
.text E:\WINDOWS\system32\svchost.exe[2024] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B50042
.text E:\WINDOWS\system32\svchost.exe[2024] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B5001D
.text E:\WINDOWS\system32\svchost.exe[2024] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B50FEF
.text E:\WINDOWS\system32\svchost.exe[2024] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B50FD2
.text E:\WINDOWS\system32\svchost.exe[2024] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B50000
.text E:\Program Files\Mozilla Firefox\firefox.exe[2052] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01C8000A
.text E:\Program Files\Mozilla Firefox\firefox.exe[2052] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01C9000A
.text E:\Program Files\Mozilla Firefox\firefox.exe[2052] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 012E000C
.text E:\Program Files\Mozilla Firefox\plugin-container.exe[3148] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10407D29 E:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00080FE5
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00080014
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00080FD4
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F52
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F6D
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0047
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0036
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0025
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0084
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0073
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F21
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00BA
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00D5
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F94
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FDE
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0062
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FB9
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A000A
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00A9
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FD4
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290FAF
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0029001B
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0029000A
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0029006C
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0029005B
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290040
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0031
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0020
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FC1
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FA6
.text \\.\globalroot\SystemRoot\system32\svchost.exe[3492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FD2

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm273.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm273.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm273.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpm273.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- Processes - GMER 1.0.15 ----

Process E:\WINDOWS\System32\ping.exe (*** hidden *** ) 1432
Library E:\Program (*** hidden *** ) @ E:\Program Files\Mozilla Firefox\firefox.exe [2052] 0x03E60000
Library E:\Program (*** hidden *** ) @ E:\Program Files\Mozilla Firefox\firefox.exe [2052] 0x04D00000

---- EOF - GMER 1.0.15 ----


Other rootkit scanners have told me that ipsec.sys is infected. After replacing the file with my copy of Windows XP and uninstalling and reinstalling my TCP/IP I still could not connect to the internet.

Thank you in advance

Attached File  attach.zip   4.06KB   1 downloads


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,058 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:25 AM

Posted 19 February 2012 - 03:48 PM

Hi bigj123454321 and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you!


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Please allow me a little bit of time to review your logs. I will post back as soon as I can.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,058 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:25 AM

Posted 20 February 2012 - 08:11 AM

Greetings bigj123454321

Thank you for your patience while I reviewed the information you provided. I must first advise you of the following:


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections [ZeroAccess] is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


ComboFix

--------------------

For a more detailed explanation on running Combofix and the prompts you will be following please see here.

Please download ComboFix from one of these locations and save it to your desktop:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • Note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista/Windows 7, ComboFix will skip the below Recovery Console pop ups and continue its malware removal procedure.

[screenshot: ComboFix prompt offering to install the Recovery Console]



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


[screenshot: ComboFix message shown once the Recovery Console is installed]



Click on Yes, to continue scanning for malware.

When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Combofix.txt
  • Please let me know how your machine is running

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 bigj123454321

bigj123454321
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:03:25 AM

Posted 20 February 2012 - 02:23 PM

Thank you for your response! I would like to try to remove this thing. I produce music from my computer, and clearing it off is really my last preferred option.

Instead of disabling my McAfee antivirus I just uninstalled it due to previous complications with it partially removing ComboFix even though real time scanning was supposed to be off. Even after doing this, when I run ComboFix it tells me that the antivirus is still running. How can I be sure that it is not still running? Should I proceed anyway?

Thanks

#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,058 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:25 AM

Posted 20 February 2012 - 03:12 PM

Greetings bigj123454321,

You are most welcome for the assistance. I would be happy to help you clean your machine.

Actually removing McAfee for now will help to eliminate some potential conflicts/issues. Obviously since you don't have any real time protection we need to be careful about what is allowed into your machine. I sense you already realize that.

The Combofix warning is most likely the result of remnant entries it has found even after uninstalling McAfee. Please ignore that warning and proceed with Combofix.

Once we can take a look at the Combofix results we will have a better understanding of where we are at and where we need to go.

Good job!
Gary
 

#6 bigj123454321


Posted 20 February 2012 - 04:02 PM

ComboFix has frozen while preparing the log. Does this usually take 15+ minutes?

#7 bigj123454321


Posted 20 February 2012 - 04:14 PM

No log was created; I'm sure that's a problem. Should I run ComboFix again?

#8 Oh My!


Posted 20 February 2012 - 04:54 PM

Greetings bigj123454321

Check C:\ComboFix.txt if you haven't already done that. If there is a log there then it finished.

If there is no log, please run it a second time. The new log will include anything Combofix deleted before it froze. If it gets stuck again, please try the below:


===================================================


ComboFix Stalled

--------------------

If ComboFix appears to be stuck, frozen or failed to reboot, please do the following:

Open Task Manager and look for the following ComboFix related processes (some have a .3XE extension):

  • PEV.exe
  • NirCmd.3XE
  • PEV.3XE
  • SED
  • GREP
  • Any file that has the extension *.3XE
One at a time, right-click and select End Process. If doing that did not free ComboFix, then you will need to reboot the computer manually.
Gary
 

#9 bigj123454321


Posted 20 February 2012 - 05:30 PM

Ok, good news. The log was created this time. pev.exe failed the first time; maybe that's why it froze. Well anyway, here is the log:

ComboFix 12-02-19.02 - Jared 02/20/2012 17:04:40.2.2 - x86
Running from: e:\documents and settings\Jared\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
e:\windows\$NtUninstallKB30404$\1446007910
e:\windows\$NtUninstallKB30404$\53966323\@
e:\windows\$NtUninstallKB30404$\53966323\cfg.ini
e:\windows\$NtUninstallKB30404$\53966323\Desktop.ini
e:\windows\$NtUninstallKB30404$\53966323\L\fjinvwfo
.
---- Previous Run -------
.
e:\windows\$NtUninstallKB30404$\4113013281
e:\windows\$NtUninstallKB30404$\53966323\@
e:\windows\$NtUninstallKB30404$\53966323\L(2)\fjinvwfo
e:\windows\system32\SET65.tmp
e:\windows\system32\SET69.tmp
e:\windows\system32\SET71.tmp
e:\windows\system32\SETB9.tmp
.
Infected copy of e:\windows\system32\drivers\mrxsmb.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2012-01-20 to 2012-02-20 )))))))))))))))))))))))))))))))
.
.
2012-09-29 18:25 . 2012-09-29 18:25 -------- d-----w- e:\program files\CCleaner
2012-02-20 00:03 . 2012-02-20 00:03 -------- d-sh--w- e:\documents and settings\LocalService\IETldCache
2012-02-19 23:56 . 2012-02-19 23:56 -------- d-----w- e:\windows\system32\wbem\Repository
2012-02-19 21:22 . 2012-02-19 21:23 -------- d-----w- e:\windows\system32\drivers\AVG
2012-02-19 21:22 . 2012-02-19 21:22 -------- d-----w- e:\documents and settings\All Users\Application Data\AVG2012
2012-02-19 20:19 . 2012-02-19 20:19 -------- d-----w- e:\program files\AVG
2012-02-19 20:02 . 2012-02-19 21:14 -------- d-----w- e:\documents and settings\All Users\Application Data\MFAData
2012-02-17 19:55 . 2012-01-11 19:06 3072 -c----w- e:\windows\system32\dllcache\iacenc.dll
2012-02-17 19:55 . 2012-01-11 19:06 3072 ------w- e:\windows\system32\iacenc.dll
2012-02-14 15:12 . 2012-02-19 20:24 0 --sha-w- e:\windows\system32\dds_trash_log.cmd
2012-02-14 15:04 . 2012-02-14 15:04 37888 ----a-w- e:\windows\system32\USB3Sw32.dll
2012-02-14 15:04 . 2012-02-14 15:04 156672 ----a-w- e:\windows\system32\NCUSBw32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2004-08-04 12:00 1859968 ----a-w- e:\windows\system32\win32k.sys
2011-12-17 19:46 . 2004-08-04 12:00 916992 ----a-w- e:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-04 12:00 43520 ------w- e:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-04 12:00 1469440 ------w- e:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 12:00 385024 ------w- e:\windows\system32\html.iec
2011-11-30 20:13 . 2011-05-18 05:42 414368 ----a-w- e:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2004-08-04 12:00 293376 ----a-w- e:\windows\system32\winsrv.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-13 19:19 . 5CD806096B99891BA2E7FBA6EB70B635 . 75264 . . [------] . . e:\windows\system32\drivers\ipsec.sys
[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\ipsec.sys
.
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-13 19:19 . 5CD806096B99891BA2E7FBA6EB70B635 . 75264 . . [------] . . e:\windows\system32\drivers\ipsec.sys
[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\ipsec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="e:\windows\system32\igfxtray.exe" [2008-09-16 150040]
"HotKeysCmds"="e:\windows\system32\hkcmd.exe" [2008-09-16 178712]
"Persistence"="e:\windows\system32\igfxpers.exe" [2008-09-16 150040]
"TrueImageMonitor.exe"="e:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2010-08-21 5459136]
"Acronis Scheduler2 Service"="e:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2010-08-21 390712]
"SysTrayApp"="e:\program files\IDT\WDM\sttray.exe" [2008-07-21 442460]
"AESTFltr"="e:\windows\system32\AESTFltr.exe" [2008-07-11 466944]
"UnlockerAssistant"="e:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"APSDaemon"="e:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NecUsb3Sevices]
2012-02-14 15:04 37888 ----a-w- e:\windows\system32\USB3Sw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\USB3Sw32]
2012-02-14 15:04 37888 ----a-w- e:\windows\system32\USB3Sw32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=
"e:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
"e:\\Program Files\\Common Files\\AOL\\1293567309\\ee\\aolsoftware.exe"=
"e:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"e:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"e:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"e:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);e:\windows\system32\drivers\tdrpm273.sys [12/28/2010 3:22 PM 752128]
R2 afcdpsrv;Acronis Nonstop Backup service;e:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [12/28/2010 3:22 PM 3975088]
R2 NecUsb3;USB3 Service;e:\windows\System32\svchost.exe -k NecUsb3Sevic [8/4/2004 7:00 AM 14336]
R2 PaceLicenseDServices;PACE License Services;e:\program files\Common Files\PACE\Services\LicenseServices\LDSvc.exe [11/8/2010 4:09 AM 2647552]
R3 afcdp;afcdp;e:\windows\system32\drivers\afcdp.sys [12/28/2010 3:22 PM 163232]
R3 CLEDX;Team H2O CLEDX service;e:\windows\system32\drivers\cledx.sys [5/19/2011 8:08 PM 33792]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;e:\windows\system32\drivers\k57xp32.sys [12/26/2010 9:08 PM 176640]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;e:\windows\system32\drivers\OA008Ufd.sys [12/26/2010 9:07 PM 144672]
R3 OA008Vid;Creative Camera OA008 Function Driver;e:\windows\system32\drivers\OA008Vid.sys [12/26/2010 9:07 PM 269536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;e:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 4:16 PM 130384]
S2 dualshock3;SIXAXIS/DUALSHOCK3 DX (USB) Beta;e:\windows\system32\drivers\dualshock3.sys [7/27/2011 10:43 AM 22912]
S2 gupdate;Google Update Service (gupdate);e:\program files\Google\Update\GoogleUpdate.exe [9/13/2011 7:33 PM 136176]
S3 AESTAud;AE Audio Service;e:\windows\system32\drivers\AESTAud.sys [12/28/2010 4:10 PM 108160]
S3 gupdatem;Google Update Service (gupdatem);e:\program files\Google\Update\GoogleUpdate.exe [9/13/2011 7:33 PM 136176]
S3 iLokDrvr;Usb Driver;e:\windows\system32\drivers\iLokDrvr.sys [11/3/2010 9:40 PM 21112]
S3 osppsvc;Office Software Protection Platform;e:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 7:37 PM 4640000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;e:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 4:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
pduip6000dmemcrdmgr
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-02 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-06-14 e:\windows\Tasks\debutShakeIcon.job
- e:\program files\NCH Software\Debut\debut.exe [2011-06-11 02:01]
.
2012-02-20 e:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- e:\program files\Google\Update\GoogleUpdate.exe [2011-09-14 00:33]
.
2012-02-20 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2011-09-14 00:33]
.
2011-08-09 e:\windows\Tasks\prismShakeIcon.job
- e:\program files\NCH Software\Prism\prism.exe [2011-08-09 05:35]
.
2011-04-15 e:\windows\Tasks\switchDowngrade.job
- e:\program files\NCH Swift Sound\Switch\switch.exe [2010-12-29 22:06]
.
2011-04-07 e:\windows\Tasks\switchShakeIcon.job
- e:\program files\NCH Swift Sound\Switch\switch.exe [2010-12-29 22:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Open Picture in &Microsoft PhotoDraw - e:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - e:\documents and settings\Jared\Application Data\Mozilla\Firefox\Profiles\116kk2yk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: AOL Toolbar: {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} - %profile%\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - e:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-FrostWire - e:\program files\FrostWire\Uninstall.exe
AddRemove-US800 Audio Driver Setup - e:\program files\TASCAM\US800\uninst.exe Software\TASCAM\US800\Setup
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-20 17:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
e:\windows\$NtUninstallKB30404$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1123561945-1275210071-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:58,25,d4,a1,1a,d5,2e,6f,21,99,26,22,90,7b,ac,88,43,07,b8,66,ea,
6c,06,10,71,01,2c,60,de,0a,6a,bf,8e,ea,ca,7b,98,38,6b,aa,63,03,81,18,37,f7,\
"rkeysecu"=hex:60,48,26,38,af,37,08,ce,7e,57,41,96,0a,40,1b,83
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3176)
e:\windows\system32\WININET.dll
e:\windows\system32\ieframe.dll
e:\windows\system32\webcheck.dll
e:\windows\system32\WPDShServiceObj.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\windows\system32\igfxsrvc.exe
e:\program files\Common Files\Acronis\Schedule2\schedul2.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
e:\program files\iPod\bin\iPodService.exe
e:\windows\system32\wscntfy.exe
e:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2012-02-20 17:20:01 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-20 22:19
.
Pre-Run: 254,538,002,432 bytes free
Post-Run: 254,541,369,344 bytes free
.
- - End Of File - - 04FE45392E1E2670FC27D80FEFC0DE71



I couldn't install the recovery console at the time because my XP partition no longer connects to the internet (probably for the best right now anyway). Will install it offline as soon as possible. Thanks again for your help and patience.

#10 Oh My!


Posted 20 February 2012 - 05:44 PM

Greetings bigj123454321

Outstanding! Please allow me some time to review the log.

pev.exe Failed the first time,


Did you get an error message when it froze the first time identifying this as a problem?
Gary
 

#11 bigj123454321


Posted 20 February 2012 - 05:49 PM

An error came up during stage 4. It continued to stage 50 though, then froze while creating the log. It worked fine this time though, thankfully.

#12 Oh My!


Posted 21 February 2012 - 11:38 AM

Greetings bigj123454321,


We need some additional information regarding an entry that needs to be removed. Please perform the following for me.


===================================================


OTL Custom Scan

--------------------

  • Please download OTL from one of the following mirrors:

  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Push the None button on the second row from the top
  • Copy and paste the following code into the custom scan textbox.

    netsvcs

  • Push the Scan button
  • When finished a report named OTL.txt will open. Please copy and paste that information in your reply

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • OTL.txt

Gary
 

#13 bigj123454321


Posted 21 February 2012 - 12:12 PM

Ok, here it is:

OTL logfile created on: 2/21/2012 11:59:05 AM - Run 1
OTL by OldTimer - Version 3.2.33.1 Folder = E:\Documents and Settings\Jared\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.93 Gb Total Physical Memory | 2.56 Gb Available Physical Memory | 87.39% Memory free
4.78 Gb Paging File | 4.59 Gb Available in Paging File | 96.22% Paging File free
Paging file location(s): E:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 996.21 Mb Total Space | 835.21 Mb Free Space | 83.84% Space Free | Partition Type: NTFS
Drive D: | 34.17 Gb Total Space | 7.80 Gb Free Space | 22.83% Space Free | Partition Type: NTFS
Drive E: | 430.61 Gb Total Space | 237.04 Gb Free Space | 55.05% Space Free | Partition Type: NTFS

Computer Name: STUDIO | User Name: Jared | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: pduip6000dmemcrdmgr - E:\WINDOWS\system32\EntDrv51.dll (Oak Technology Inc.)
NetSvcs: WmdmPmSp - File not found
NetSvcs: wuauserv - File not found

< End of report >
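Added example, not part of the thread and not OTL's or ComboFix's own code: the check the helper is doing by hand on the scan above, written out so it can be run over the ten NetSvcs lines. Every name in the netsvcs list that also has a service key gets its ServiceDll loaded inside the shared svchost.exe -k netsvcs process, which is why an unknown name that resolves to an existing file matters (here pduip6000dmemcrdmgr, the same name ComboFix listed under Svchost - NetSvcs in the earlier log) and the stock names showing "File not found" do not. The stock-name whitelist is an assumption, reconstructed from a clean XP SP3 install rather than taken from this page; the sample lines are copied from the OTL output above.

```python
"""Flag non-stock entries in an OTL 'netsvcs' custom scan.

Added example for this thread; not OTL's code and not anything the
helper posted. Any name in the netsvcs REG_MULTI_SZ that also has a
service key gets its ServiceDll loaded inside the trusted
svchost.exe -k netsvcs process, so an unknown name that resolves to a
real file is what to look for. Stock names reported as 'File not
found' have no service key behind them and load nothing.
"""
import re

# Stock XP SP3 netsvcs members. Assumption: whitelist reconstructed from a
# clean SP3 install and kept here as a baseline; compare against your own.
XP_SP3_NETSVCS = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ",
    "Ias", "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation", "Messenger",
    "Netman", "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent", "Rasauto",
    "Rasman", "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess",
    "SRService", "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi",
    "WmdmPmSp", "winmgmt", "wuauserv", "BITS", "ShellHWDetection", "helpsvc",
    "uploadmgr", "xmlprov", "wscsvc", "napagent", "hkmsvc",
}
STOCK_LOWER = {n.lower() for n in XP_SP3_NETSVCS}

NETSVCS_LINE = re.compile(r"^NetSvcs:\s+(?P<name>\S+)\s+-\s+(?P<value>.+?)\s*$")
FILE_WITH_COMPANY = re.compile(r"^(?P<path>.+?)\s+\((?P<company>[^)]*)\)$")

# Copied from the OTL output posted above.
SAMPLE_OTL_NETSVCS = r"""
NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: pduip6000dmemcrdmgr - E:\WINDOWS\system32\EntDrv51.dll (Oak Technology Inc.)
NetSvcs: WmdmPmSp - File not found
NetSvcs: wuauserv - File not found
""".strip().splitlines()


def parse_netsvcs(lines):
    """One dict per 'NetSvcs:' line: name, path (None if unresolved), company."""
    entries = []
    for line in lines:
        m = NETSVCS_LINE.match(line.strip())
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        path = company = None
        if value.lower() != "file not found":
            fm = FILE_WITH_COMPANY.match(value)
            path, company = (fm.group("path"), fm.group("company")) if fm else (value, "")
        entries.append({"name": name, "path": path, "company": company})
    return entries


def classify(entry):
    """'ok', 'review' or 'suspicious' for one parsed entry."""
    if entry["path"] is None:
        return "ok"            # name listed, no service key behind it: nothing loads
    if entry["name"].lower() not in STOCK_LOWER:
        return "suspicious"    # unknown name that svchost would actually load
    if "microsoft" not in entry["company"].lower():
        return "review"        # stock name, but the DLL does not claim to be Microsoft's
    return "ok"


def flag_suspicious(lines):
    return [e["name"] for e in parse_netsvcs(lines) if classify(e) == "suspicious"]


def cfscript_netsvc(names):
    """ComboFix script stanza that drops the names from the netsvcs group."""
    return "NetSvc::\n" + "".join(name + "\n" for name in names)


if __name__ == "__main__":
    for e in parse_netsvcs(SAMPLE_OTL_NETSVCS):
        print(f"{classify(e):10s} {e['name']:24s} {e['path'] or '-'}")
    print(cfscript_netsvc(flag_suspicious(SAMPLE_OTL_NETSVCS)), end="")
```

The company string OTL prints comes from the DLL's own version resource, which any file can carry, and the "Oak Technology Inc." label on EntDrv51.dll is exactly that kind of claim; the code therefore keeps it as an informational field and never uses it to clear an unknown name.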

#14 Oh My!


Posted 21 February 2012 - 03:57 PM

Greetings bigj123454321,

Let's do some further clean up of additional entries which need to be removed. As you will notice, we are going to address the ipsec.sys warning you received earlier as well. The file is infected and we are going to replace it with a verified file.


===================================================


Running Combofix Script

-------------------

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text below into the Notepad document

    
    http://www.bleepingcomputer.com/forums/topic443076.html/page__gopid__2603558#entry2603558
    
    Collect::
    e:\windows\system32\USB3Sw32.dll
    e:\windows\system32\NCUSBw32.dll
    E:\WINDOWS\system32\EntDrv51.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\USB3Sw32]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NecUsb3Sevices]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    NecUsb3=-
    
    Driver::
    NecUsb3
    pduip6000dmemcrdmgr
    
    NetSvc::
    pduip6000dmemcrdmgr
    
    FCopy::
    e:\windows\ServicePackFiles\i386\ipsec.sys | e:\windows\system32\drivers\ipsec.sys
    

  • Save this on your desktop as CFScript.txt.


    [screenshot: dragging CFScript.txt onto ComboFix.exe]

  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it will create a log for you at C:\ComboFix.txt. Please copy/paste the information in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • ComboFix.txt
  • How is your computer behaving?

Gary
 
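Added example, not part of the thread and not ComboFix's code: the reasoning behind the FCopy:: line in the script above, applied to the Sigcheck block from the ComboFix log in post #9. ComboFix prints every copy of a checked file it can find (the live driver under system32\drivers plus the backups under ServicePackFiles\i386 and $NtServicePackUninstall$) with a flag, timestamp, MD5, size, embedded version and path. The live ipsec.sys is the only copy carrying [-], no version string, and an MD5 that matches neither backup, and the SP3 copy (5.1.2600.5512) rather than the SP2 one (5.1.2600.2180) is the right source. The parser, the "newest verified backup" rule and the on-disk MD5 comparison are mine; the three sample lines are copied from the log, and the files built in demo_disk_check() are constructed.

```python
"""Build a ComboFix FCopy:: restore from a Sigcheck block.

Added example for this thread; not ComboFix's code. For each core file
it checks, ComboFix prints every copy it finds with a flag ([7] on every
copy it verified here, [-] on the one it could not), a timestamp, MD5,
size, the embedded version string and the path. A live driver that is
unverified and whose MD5 matches no verified backup is restored from the
newest verified backup, which is what the FCopy:: line above does.
"""
import hashlib
import re
from collections import defaultdict

SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>.)\]\s+(?P<stamp>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Copied from the Sigcheck section of the ComboFix log in this thread.
SIGCHECK_LINES = [
    r"[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\ipsec.sys",
    r"[-] 2008-04-13 19:19 . 5CD806096B99891BA2E7FBA6EB70B635 . 75264 . . [------] . . e:\windows\system32\drivers\ipsec.sys",
    r"[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\ipsec.sys",
]


def parse_sigcheck(lines):
    """Parse Sigcheck lines into dicts, dropping the duplicate block ComboFix prints."""
    seen, entries = set(), []
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if not m or m.group("path").lower() in seen:
            continue
        seen.add(m.group("path").lower())
        e = m.groupdict()
        e["size"], e["md5"] = int(e["size"]), e["md5"].upper()
        entries.append(e)
    return entries


def version_key(ver):
    """(5, 1, 2600, 5512) for a real version string, () for '------'."""
    return tuple(int(p) for p in ver.split(".")) if re.fullmatch(r"\d+(\.\d+)*", ver) else ()


def is_live(path):
    """The copy Windows actually loads: under system32, but not the dllcache backup."""
    p = path.lower()
    return "\\system32\\" in p and "\\dllcache\\" not in p


def plan_fcopy(lines):
    """(source, destination) pairs for live files whose hash matches no verified copy."""
    by_name = defaultdict(list)
    for e in parse_sigcheck(lines):
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    plan = []
    for copies in by_name.values():
        backups = [c for c in copies
                   if not is_live(c["path"]) and c["flag"] == "7" and version_key(c["ver"])]
        for live in (c for c in copies if is_live(c["path"])):
            unverified = live["flag"] != "7" or not version_key(live["ver"])
            known_good = any(b["md5"] == live["md5"] for b in backups)
            if unverified and not known_good and backups:
                best = max(backups, key=lambda b: version_key(b["ver"]))  # newest SP copy
                plan.append((best["path"], live["path"]))
    return plan


def cfscript_fcopy(plan):
    """The FCopy:: stanza in the form ComboFix expects: 'source | destination'."""
    return "FCopy::\n" + "".join(f"{src} | {dst}\n" for src, dst in plan)


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def same_file(live_path, backup_path):
    """On-box version of the same check: does the live copy hash like the backup?"""
    return md5_of(live_path) == md5_of(backup_path)


def demo_disk_check():
    """Run same_file() on two constructed temp files: patched first, then restored."""
    import os, tempfile
    d = tempfile.mkdtemp()
    live, backup = os.path.join(d, "live.sys"), os.path.join(d, "backup.sys")
    with open(backup, "wb") as f:
        f.write(b"\x4d\x5a" + b"\x00" * 64)             # constructed stand-in for a clean driver
    with open(live, "wb") as f:
        f.write(b"\x4d\x5a" + b"\x00" * 63 + b"\x90")   # same size, one patched byte
    before = same_file(live, backup)
    with open(live, "wb") as f:
        f.write(b"\x4d\x5a" + b"\x00" * 64)             # after restoring from the backup
    return before, same_file(live, backup)


if __name__ == "__main__":
    print(cfscript_fcopy(plan_fcopy(SIGCHECK_LINES)), end="")
    print("patched-then-restored:", demo_disk_check())
```

Hashing the live driver against the ServicePackFiles copy only proves the on-disk file equals a known-good one; it says nothing about a driver that is hooked in memory rather than patched on disk, so treat it as one check alongside a rootkit scan, not a substitute for one.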

#15 bigj123454321


Posted 21 February 2012 - 05:08 PM

Here is the log:

ComboFix 12-02-19.02 - Jared 02/21/2012 16:32:07.3.2 - x86
Running from: e:\documents and settings\Jared\Desktop\COMBOFIX.EXE
Command switches used :: e:\documents and settings\Jared\Desktop\CFScript.txt
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
file zipped: e:\windows\system32\EntDrv51.dll
file zipped: e:\windows\system32\NCUSBw32.dll
file zipped: e:\windows\system32\USB3Sw32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
e:\windows\$NtUninstallKB30404$\2768307124
e:\windows\$NtUninstallKB30404$\53966323\@
e:\windows\$NtUninstallKB30404$\53966323\cfg.ini
e:\windows\$NtUninstallKB30404$\53966323\Desktop.ini
e:\windows\$NtUninstallKB30404$\53966323\L\fjinvwfo
e:\windows\system32\EntDrv51.dll
e:\windows\system32\NCUSBw32.dll
e:\windows\system32\USB3Sw32.dll
.
Infected copy of e:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it :)
.
--------------- FCopy ---------------
.
e:\windows\ServicePackFiles\i386\ipsec.sys --> e:\windows\system32\drivers\ipsec.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NECUSB3
-------\Legacy_PDUIP6000DMEMCRDMGR
-------\Service_NecUsb3
-------\Service_pduip6000dmemcrdmgr
.
.
((((((((((((((((((((((((( Files Created from 2012-01-21 to 2012-02-21 )))))))))))))))))))))))))))))))
.
.
2012-09-29 18:25 . 2012-09-29 18:25 -------- d-----w- e:\program files\CCleaner
2012-02-21 21:17 . 2008-04-13 19:21 162816 ----a-w- e:\windows\system32\drivers\netbt.sys
2012-02-21 03:40 . 2009-03-30 17:47 171520 ----a-w- e:\windows\system32\staco.dll
2012-02-21 03:39 . 2012-02-21 03:39 -------- d-----w- e:\program files\IDT
2012-02-20 22:18 . 2008-04-13 15:40 57600 -c--a-w- e:\windows\system32\dllcache\redbook.sys
2012-02-20 22:18 . 2008-04-13 15:40 57600 ----a-w- e:\windows\system32\drivers\redbook.sys
2012-02-20 22:00 . 2011-07-15 13:29 456320 ----a-w- e:\windows\system32\drivers\mrxsmb.sys
2012-02-20 20:21 . 2012-02-20 20:21 -------- d-----w- e:\documents and settings\All Users\Application Data\McAfee
2012-02-20 00:03 . 2012-02-20 00:03 -------- d-sh--w- e:\documents and settings\LocalService\IETldCache
2012-02-19 23:56 . 2012-02-19 23:56 -------- d-----w- e:\windows\system32\wbem\Repository
2012-02-19 21:22 . 2012-02-19 21:23 -------- d-----w- e:\windows\system32\drivers\AVG
2012-02-19 21:22 . 2012-02-19 21:22 -------- d-----w- e:\documents and settings\All Users\Application Data\AVG2012
2012-02-19 20:19 . 2012-02-19 20:19 -------- d-----w- e:\program files\AVG
2012-02-19 20:02 . 2012-02-19 21:14 -------- d-----w- e:\documents and settings\All Users\Application Data\MFAData
2012-02-17 19:55 . 2012-01-11 19:06 3072 -c----w- e:\windows\system32\dllcache\iacenc.dll
2012-02-17 19:55 . 2012-01-11 19:06 3072 ------w- e:\windows\system32\iacenc.dll
2012-02-14 15:12 . 2012-02-19 20:24 0 --sha-w- e:\windows\system32\dds_trash_log.cmd
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2004-08-04 12:00 1859968 ----a-w- e:\windows\system32\win32k.sys
2011-12-17 19:46 . 2004-08-04 12:00 916992 ----a-w- e:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-04 12:00 43520 ------w- e:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-04 12:00 1469440 ------w- e:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 12:00 385024 ------w- e:\windows\system32\html.iec
2011-11-30 20:13 . 2011-05-18 05:42 414368 ----a-w- e:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2004-08-04 12:00 293376 ----a-w- e:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-20_22.15.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-21 21:43 . 2012-02-21 21:43 16384 e:\windows\Temp\Perflib_Perfdata_29c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="e:\windows\system32\igfxtray.exe" [2008-09-16 150040]
"HotKeysCmds"="e:\windows\system32\hkcmd.exe" [2008-09-16 178712]
"Persistence"="e:\windows\system32\igfxpers.exe" [2008-09-16 150040]
"TrueImageMonitor.exe"="e:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2010-08-21 5459136]
"Acronis Scheduler2 Service"="e:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2010-08-21 390712]
"AESTFltr"="e:\windows\system32\AESTFltr.exe" [2008-07-11 466944]
"UnlockerAssistant"="e:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"APSDaemon"="e:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=
"e:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
"e:\\Program Files\\Common Files\\AOL\\1293567309\\ee\\aolsoftware.exe"=
"e:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"e:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"e:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"e:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);e:\windows\system32\drivers\tdrpm273.sys [12/28/2010 3:22 PM 752128]
R2 afcdpsrv;Acronis Nonstop Backup service;e:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [12/28/2010 3:22 PM 3975088]
R2 PaceLicenseDServices;PACE License Services;e:\program files\Common Files\PACE\Services\LicenseServices\LDSvc.exe [11/8/2010 4:09 AM 2647552]
R3 afcdp;afcdp;e:\windows\system32\drivers\afcdp.sys [12/28/2010 3:22 PM 163232]
R3 CLEDX;Team H2O CLEDX service;e:\windows\system32\drivers\cledx.sys [5/19/2011 8:08 PM 33792]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;e:\windows\system32\drivers\k57xp32.sys [12/26/2010 9:08 PM 176640]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;e:\windows\system32\drivers\OA008Ufd.sys [12/26/2010 9:07 PM 144672]
R3 OA008Vid;Creative Camera OA008 Function Driver;e:\windows\system32\drivers\OA008Vid.sys [12/26/2010 9:07 PM 269536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;e:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 4:16 PM 130384]
S2 dualshock3;SIXAXIS/DUALSHOCK3 DX (USB) Beta;e:\windows\system32\drivers\dualshock3.sys [7/27/2011 10:43 AM 22912]
S2 gupdate;Google Update Service (gupdate);e:\program files\Google\Update\GoogleUpdate.exe [9/13/2011 7:33 PM 136176]
S3 AESTAud;AE Audio Service;e:\windows\system32\drivers\AESTAud.sys [12/28/2010 4:10 PM 108160]
S3 gupdatem;Google Update Service (gupdatem);e:\program files\Google\Update\GoogleUpdate.exe [9/13/2011 7:33 PM 136176]
S3 iLokDrvr;Usb Driver;e:\windows\system32\drivers\iLokDrvr.sys [11/3/2010 9:40 PM 21112]
S3 osppsvc;Office Software Protection Platform;e:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 7:37 PM 4640000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;e:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 4:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-02 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-06-14 e:\windows\Tasks\debutShakeIcon.job
- e:\program files\NCH Software\Debut\debut.exe [2011-06-11 02:01]
.
2012-02-21 e:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- e:\program files\Google\Update\GoogleUpdate.exe [2011-09-14 00:33]
.
2012-02-21 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2011-09-14 00:33]
.
2011-08-09 e:\windows\Tasks\prismShakeIcon.job
- e:\program files\NCH Software\Prism\prism.exe [2011-08-09 05:35]
.
2011-04-15 e:\windows\Tasks\switchDowngrade.job
- e:\program files\NCH Swift Sound\Switch\switch.exe [2010-12-29 22:06]
.
2011-04-07 e:\windows\Tasks\switchShakeIcon.job
- e:\program files\NCH Swift Sound\Switch\switch.exe [2010-12-29 22:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Open Picture in &Microsoft PhotoDraw - e:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
TCP: DhcpNameServer = 192.168.5.1
FF - ProfilePath - e:\documents and settings\Jared\Application Data\Mozilla\Firefox\Profiles\116kk2yk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: AOL Toolbar: {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} - %profile%\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - e:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SysTrayApp - e:\program files\IDT\WDM\sttray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-21 16:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
e:\windows\$NtUninstallKB30404$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1123561945-1275210071-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:58,25,d4,a1,1a,d5,2e,6f,21,99,26,22,90,7b,ac,88,43,07,b8,66,ea,
6c,06,10,71,01,2c,60,de,0a,6a,bf,8e,ea,ca,7b,98,38,6b,aa,63,03,81,18,37,f7,\
"rkeysecu"=hex:60,48,26,38,af,37,08,ce,7e,57,41,96,0a,40,1b,83
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2396)
e:\windows\system32\WININET.dll
e:\windows\system32\ieframe.dll
e:\windows\system32\webcheck.dll
e:\windows\system32\WPDShServiceObj.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Common Files\Acronis\Schedule2\schedul2.exe
e:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
e:\program files\Bonjour\mDNSResponder.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
e:\windows\system32\wbem\wmiapsrv.exe
e:\windows\system32\wscntfy.exe
e:\windows\system32\igfxsrvc.exe
e:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-02-21 16:47:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-21 21:47
.
Pre-Run: 254,403,571,712 bytes free
Post-Run: 254,484,750,336 bytes free
.
- - End Of File - - 3755F1CFAD35868D95409D826677DA78
Upload was successful



Internet connection for the XP partition has been restored after running ComboFix this time. Startup has been very slow lately (even when ComboFix is not being run). The desktop takes a while to load, and most processes are very slow to start. Other than that, things appear to be better.
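As an added example (not part of the original post, and not ComboFix's own code), here is a small Python parser that pulls the `R`/`S` service-and-driver lines and the catchme "hidden from API" entries out of a log in the format above, then separates the boot/system-start drivers (which load before any on-access scanner) and any NTFS alternate data streams among the hidden objects so they can be reviewed first. The sample lines are copied from the log above; the regular expressions, the start-type mapping and the field names are my own reading of the format, not a ComboFix specification.

```python
"""Triage helper for ComboFix-style logs: service/driver lines and catchme hidden-file lines."""
import re
from dataclasses import dataclass

# ComboFix service lines (assumed format, read off the log above):
#   R0 name;description;path [m/d/yyyy h:mm AM size]
# First letter: R = running, S = stopped. Digit: Windows service start type
# (0 boot, 1 system, 2 auto, 3 manual, 4 disabled).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+"
    r"\[(?P<stamp>.+?)\s+(?P<size>\d+)\]\s*$"
)
# catchme reports hidden objects as:  <path> <n> bytes hidden from API
HIDDEN_RE = re.compile(r"^(?P<path>\S.*?)\s+(?P<size>\d+) bytes hidden from API\s*$")

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


@dataclass
class ServiceEntry:
    name: str
    description: str
    path: str
    running: bool
    start: str
    size: int


@dataclass
class HiddenEntry:
    path: str
    size: int
    ads: bool  # True when the hidden object is an NTFS alternate data stream (file:stream)


def parse_service_line(line):
    """Return a ServiceEntry for an R*/S* line, or None if the line is something else."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        name=m["name"], description=m["desc"], path=m["path"],
        running=m["state"] == "R", start=START_TYPES[m["start"]], size=int(m["size"]),
    )


def is_ads_path(path):
    """A drive letter contributes one colon ('e:'); any further colon marks a named stream."""
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    return ":" in body


def parse_hidden_line(line):
    """Return a HiddenEntry for a catchme 'hidden from API' line, or None."""
    m = HIDDEN_RE.match(line.strip())
    if not m:
        return None
    return HiddenEntry(path=m["path"], size=int(m["size"]), ads=is_ads_path(m["path"]))


def triage(log_text):
    """Parse a log and return all entries plus the two subsets worth a closer look."""
    services, hidden = [], []
    for line in log_text.splitlines():
        svc = parse_service_line(line)
        if svc:
            services.append(svc)
            continue
        hid = parse_hidden_line(line)
        if hid:
            hidden.append(hid)
    boot_drivers = [s for s in services if s.start in ("boot", "system")]
    ads_hidden = [h for h in hidden if h.ads]
    return {"services": services, "hidden": hidden,
            "boot_drivers": boot_drivers, "ads_hidden": ads_hidden}


# Sample input: five lines copied verbatim from the ComboFix log posted above.
SAMPLE_LOG = r"""
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);e:\windows\system32\drivers\tdrpm273.sys [12/28/2010 3:22 PM 752128]
R2 afcdpsrv;Acronis Nonstop Backup service;e:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [12/28/2010 3:22 PM 3975088]
S2 gupdate;Google Update Service (gupdate);e:\program files\Google\Update\GoogleUpdate.exe [9/13/2011 7:33 PM 136176]
S3 iLokDrvr;Usb Driver;e:\windows\system32\drivers\iLokDrvr.sys [11/3/2010 9:40 PM 21112]
e:\windows\$NtUninstallKB30404$:SummaryInformation 0 bytes hidden from API
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for s in result["boot_drivers"]:
        print(f"boot-start driver: {s.name} -> {s.path} ({s.size} bytes)")
    for h in result["ads_hidden"]:
        print(f"hidden alternate data stream: {h.path} ({h.size} bytes)")
```

Reading the output against this log: the one boot-start filter belongs to the Acronis backup product that is visibly installed, and the single hidden object is a zero-byte `:SummaryInformation` stream on a hotfix uninstall folder, which is the kind of NTFS stream Windows Explorer writes for file property metadata and is usually benign; the parser only surfaces these for a human to judge, it does not decide for them.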