I've tried everything I can to get rid of this thing on my own. I've downloaded and run every anti-virus and anti-malware program worth its salt, and although they have been able to remove most of the viruses or malware that this SVChost virus has allowed into my system, they have not been able to remove the root problem. Some even caused my computer to be completely unbootable and required a system recovery.
Log files below.
Could not get DDS.com to produce a log file. It seemed to run fine, then locked the system.
**************************************************************************************************
Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org
Database version: v2012.09.20.07
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
HP_Owner :: DESKTOP [administrator]
Protection: Enabled
9/20/2012 10:36:57 AM
mbam-log-2012-09-20 (10-36-57).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 319973
Time elapsed: 42 minute(s), 29 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
***************************************************************
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-21 10:01:23
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST3250318AS rev.CC38
Running: i0netgj5.exe; Driver: C:\Users\HP_Owner\AppData\Local\Temp\fwtdapoc.sys
---- System - GMER 1.0.15 ----
Code 93D8BBFC ZwTraceEvent
Code 93D8BBFB NtTraceEvent
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 830543C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8308DD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!NtTraceEvent 830DD63A 5 Bytes JMP 93D8BC00
.text user32.dll!SetUserObjectSecurity 75E32285 8 Bytes [90, E9, 09, 16, 12, EA, 90, ...] {NOP ; JMP 0xffffffffea12160f; NOP ; NOP }
.text user32.dll!BroadcastSystemMessageExW 75E34255 7 Bytes [90, E9, 89, C2, 11, EA, 90] {NOP ; JMP 0xffffffffea11c28f; NOP }
.text user32.dll!BroadcastSystemMessageW 75E37CB8 7 Bytes [90, E9, 6E, 85, 11, EA, 90] {NOP ; JMP 0xffffffffea118574; NOP }
.text user32.dll!PostThreadMessageA 75E3AD09 7 Bytes [90, E9, 29, 46, 11, EA, 90] {NOP ; JMP 0xffffffffea11462f; NOP }
.text user32.dll!PostThreadMessageA + 8 75E3AD11 2 Bytes [90, 90] {NOP ; NOP }
.text user32.dll!SendMessageA 75E3AD60 6 Bytes [90, E9, 62, 40, 11, EA] {NOP ; JMP 0xffffffffea114068}
.text user32.dll!PostMessageA 75E3B446 6 Bytes [90, E9, 34, 3C, 11, EA] {NOP ; JMP 0xffffffffea113c3a}
.text user32.dll!SendNotifyMessageW 75E3C88A 8 Bytes [90, E9, 2C, 34, 11, EA, 90, ...] {NOP ; JMP 0xffffffffea113432; NOP ; NOP }
.text user32.dll!SetWindowsHookExW 75E3E30C 7 Bytes [90, E9, F2, 5A, 11, EA, 90] {NOP ; JMP 0xffffffffea115af8; NOP }
.text user32.dll!SendMessageTimeoutW 75E3E459 7 Bytes [90, E9, A5, 15, 11, EA, 90] {NOP ; JMP 0xffffffffea1115ab; NOP }
.text user32.dll!PostThreadMessageW 75E3EEFC 8 Bytes [90, E9, 92, 05, 11, EA, 90, ...] {NOP ; JMP 0xffffffffea110598; NOP ; NOP }
.text user32.dll!SendMessageCallbackW 75E42F7B 6 Bytes [90, E9, CB, C7, 10, EA] {NOP ; JMP 0xffffffffea10c7d1}
.text user32.dll!PostMessageW 75E4447B 6 Bytes [90, E9, 5B, AD, 10, EA] {NOP ; JMP 0xffffffffea10ad61}
.text user32.dll!SendMessageW 75E45539 6 Bytes [90, E9, E5, 99, 10, EA] {NOP ; JMP 0xffffffffea1099eb}
.text user32.dll!SendNotifyMessageA 75E5493C 8 Bytes [90, E9, 1E, B2, 0F, EA, 90, ...] {NOP ; JMP 0xffffffffea0fb224; NOP ; NOP }
.text user32.dll!SendDlgItemMessageW 75E570D8 9 Bytes [90, E9, 96, 8E, 0F, EA, 90, ...] {NOP ; JMP 0xffffffffea0f8e9c; NOP ; NOP ; NOP }
.text user32.dll!SendDlgItemMessageA 75E57241 3 Bytes [90, E9, D1]
.text user32.dll!SendDlgItemMessageA + 4 75E57245 5 Bytes [0F, EA, 90, 90, 90]
.text user32.dll!OpenClipboard 75E6447E 6 Bytes [90, E9, D8, 94, 0E, EA] {NOP ; JMP 0xffffffffea0e94de}
.text user32.dll!SetWindowsHookExA 75E66D0C 7 Bytes [90, E9, 96, CF, 0E, EA, 90] {NOP ; JMP 0xffffffffea0ecf9c; NOP }
.text user32.dll!SendMessageTimeoutA 75E66DA9 7 Bytes [90, E9, F9, 8A, 0E, EA, 90] {NOP ; JMP 0xffffffffea0e8aff; NOP }
.text user32.dll!SetWindowsHookA 75E7B641 7 Bytes [90, E9, 19, 89, 0D, EA, 90] {NOP ; JMP 0xffffffffea0d891f; NOP }
.text user32.dll!SetWindowsHookW 75E7B65C 7 Bytes [90, E9, 5A, 8A, 0D, EA, 90] {NOP ; JMP 0xffffffffea0d8a60; NOP }
.text user32.dll!EndTask 75E7FD66 8 Bytes [90, E9, 00, EF, 0C, EA, 90, ...] {NOP ; JMP 0xffffffffea0cef06; NOP ; NOP }
.text user32.dll!ExitWindowsEx 75E806C7 8 Bytes [90, E9, E7, 48, 0D, EA, 90, ...] {NOP ; JMP 0xffffffffea0d48ed; NOP ; NOP }
.text user32.dll!BroadcastSystemMessageExA 75E93B23 7 Bytes [90, E9, 5F, C8, 0B, EA, 90] {NOP ; JMP 0xffffffffea0bc865; NOP }
.text user32.dll!BroadcastSystemMessage 75E93B4A 7 Bytes [90, E9, 80, C5, 0B, EA, 90] {NOP ; JMP 0xffffffffea0bc586; NOP }
.text user32.dll!SendMessageCallbackA 75E93E8B 6 Bytes [90, E9, 5F, B7, 0B, EA] {NOP ; JMP 0xffffffffea0bb765}
.text kernel32.dll!CreateProcessW 75C3204D 7 Bytes [90, E9, ED, C3, 31, EA, 90] {NOP ; JMP 0xffffffffea31c3f3; NOP }
.text kernel32.dll!CreateProcessA 75C32082 7 Bytes [90, E9, 5C, C2, 31, EA, 90] {NOP ; JMP 0xffffffffea31c262; NOP }
.text kernel32.dll!VirtualProtect 75C72BCD 6 Bytes [90, E9, 79, 0F, 2E, EA] {NOP ; JMP 0xffffffffea2e0f7f}
.text kernel32.dll!LoadLibraryExW 75C75079 6 Bytes [90, E9, F1, 8C, 2D, EA] {NOP ; JMP 0xffffffffea2d8cf7}
.text kernel32.dll!GetProcAddress 75C7CC94 6 Bytes [90, E9, 32, 12, 2D, EA] {NOP ; JMP 0xffffffffea2d1238}
.text kernel32.dll!FreeLibrary 75C7EF67 6 Bytes [90, E9, BB, F0, 2C, EA] {NOP ; JMP 0xffffffffea2cf0c1}
.text kernel32.dll!DebugActiveProcess 75CB738C 10 Bytes [90, E9, 3E, D1, 29, EA, 90, ...] {NOP ; JMP 0xffffffffea29d144; NOP ; NOP ; NOP ; NOP }
.text kernel32.dll!VirtualProtectEx 75CBFD51 6 Bytes [90, E9, 99, 3C, 29, EA] {NOP ; JMP 0xffffffffea293c9f}
.text advapi32.dll!EnumDependentServicesW 75B91E3A 7 Bytes [90, E9, D8, 01, 3C, EA, 90] {NOP ; JMP 0xffffffffea3c01de; NOP }
.text advapi32.dll!StartServiceW 75B97974 6 Bytes [90, E9, 62, 9A, 3B, EA] {NOP ; JMP 0xffffffffea3b9a68}
.text advapi32.dll!QueryServiceStatusEx 75B9798C 6 Bytes [90, E9, 02, 9D, 3B, EA] {NOP ; JMP 0xffffffffea3b9d08}
.text advapi32.dll!SetFileSecurityW 75B979C3 6 Bytes [90, E9, A3, B6, 3B, EA] {NOP ; JMP 0xffffffffea3bb6a9}
.text advapi32.dll!SetSecurityInfo 75B99EDF 8 Bytes [90, E9, 9B, 95, 3B, EA, 90, ...] {NOP ; JMP 0xffffffffea3b95a1; NOP ; NOP }
.text advapi32.dll!SetNamedSecurityInfoW 75B99FE2 8 Bytes [90, E9, 50, 97, 3B, EA, 90, ...] {NOP ; JMP 0xffffffffea3b9756; NOP ; NOP }
.text advapi32.dll!EnumServicesStatusExW 75B9B466 7 Bytes [90, E9, 8C, 76, 3B, EA, 90] {NOP ; JMP 0xffffffffea3b7692; NOP }
.text advapi32.dll!QueryServiceConfigW 75B9B537 6 Bytes [90, E9, 6B, 65, 3B, EA] {NOP ; JMP 0xffffffffea3b6571}
.text advapi32.dll!CreateProcessAsUserW 75B9C592 6 Bytes [90, E9, 60, 21, 3B, EA] {NOP ; JMP 0xffffffffea3b2166}
.text advapi32.dll!OpenServiceW 75B9CA4C 6 Bytes [90, E9, 76, 45, 3B, EA] {NOP ; JMP 0xffffffffea3b457c}
.text advapi32.dll!OpenSCManagerW 75B9CA64 6 Bytes [90, E9, EE, 3F, 3B, EA] {NOP ; JMP 0xffffffffea3b3ff4}
.text advapi32.dll!QueryServiceStatus 75BA2A86 6 Bytes [90, E9, AC, EA, 3A, EA] {NOP ; JMP 0xffffffffea3aeab2}
.text advapi32.dll!OpenSCManagerA 75BA2BD8 6 Bytes [90, E9, 1E, DD, 3A, EA] {NOP ; JMP 0xffffffffea3add24}
.text advapi32.dll!OpenServiceA 75BA2BF0 6 Bytes [90, E9, 76, E2, 3A, EA] {NOP ; JMP 0xffffffffea3ae27c}
.text advapi32.dll!AdjustTokenPrivileges 75BA418E 6 Bytes [90, E9, 20, EC, 3A, EA] {NOP ; JMP 0xffffffffea3aec26}
.text advapi32.dll!SetKernelObjectSecurity 75BA4645 6 Bytes [90, E9, 7D, EB, 3A, EA] {NOP ; JMP 0xffffffffea3aeb83}
.text advapi32.dll!CreateServiceW 75BB712C 6 Bytes [90, E9, DE, 9B, 39, EA] {NOP ; JMP 0xffffffffea399be4}
.text advapi32.dll!ControlService 75BB7144 6 Bytes [90, E9, A6, A6, 39, EA] {NOP ; JMP 0xffffffffea39a6ac}
.text advapi32.dll!DeleteService 75BB715C 6 Bytes [90, E9, C2, 9F, 39, EA] {NOP ; JMP 0xffffffffea399fc8}
.text advapi32.dll!QueryServiceConfigA 75BB9A4F 6 Bytes [90, E9, F7, 7E, 39, EA] {NOP ; JMP 0xffffffffea397efd}
.text advapi32.dll!EnumServicesStatusExA 75BBA3E2 7 Bytes [90, E9, B4, 85, 39, EA, 90] {NOP ; JMP 0xffffffffea3985ba; NOP }
.text advapi32.dll!CreateProcessAsUserA 75BD2538 7 Bytes [90, E9, 16, C3, 37, EA, 90] {NOP ; JMP 0xffffffffea37c31c; NOP }
.text advapi32.dll!ChangeServiceConfig2A 75BD30C8 6 Bytes [90, E9, 5E, F3, 37, EA] {NOP ; JMP 0xffffffffea37f364}
.text advapi32.dll!ChangeServiceConfig2W 75BD30D8 6 Bytes [90, E9, AA, F4, 37, EA] {NOP ; JMP 0xffffffffea37f4b0}
.text advapi32.dll!ChangeServiceConfigA 75BD30E8 6 Bytes [90, E9, 86, F0, 37, EA] {NOP ; JMP 0xffffffffea37f08c}
.text advapi32.dll!ChangeServiceConfigW 75BD30F8 6 Bytes [90, E9, D2, F1, 37, EA] {NOP ; JMP 0xffffffffea37f1d8}
.text advapi32.dll!CreateServiceA 75BD3158 6 Bytes [90, E9, 56, DA, 37, EA] {NOP ; JMP 0xffffffffea37da5c}
.text advapi32.dll!QueryServiceConfig2A 75BD33E9 6 Bytes [90, E9, 15, E8, 37, EA] {NOP ; JMP 0xffffffffea37e81b}
.text advapi32.dll!QueryServiceConfig2W 75BD33F9 6 Bytes [90, E9, 61, E9, 37, EA] {NOP ; JMP 0xffffffffea37e967}
.text advapi32.dll!SetServiceObjectSecurity 75BD3533 6 Bytes [90, E9, EB, FD, 37, EA] {NOP ; JMP 0xffffffffea37fdf1}
.text advapi32.dll!StartServiceA 75BD3543 6 Bytes [90, E9, 37, DD, 37, EA] {NOP ; JMP 0xffffffffea37dd3d}
.text advapi32.dll!CreateProcessWithLogonW 75BD52E9 8 Bytes [90, E9, AD, 92, 37, EA, 90, ...] {NOP ; JMP 0xffffffffea3792b3; NOP ; NOP }
.text advapi32.dll!InitiateSystemShutdownW 75BEDA6D 8 Bytes [90, E9, 75, 6E, 36, EA, 90, ...] {NOP ; JMP 0xffffffffea366e7b; NOP ; NOP }
.text advapi32.dll!InitiateSystemShutdownExW 75BEDB3A 8 Bytes [90, E9, 60, 70, 36, EA, 90, ...] {NOP ; JMP 0xffffffffea367066; NOP ; NOP }
.text advapi32.dll!AbortSystemShutdownW 75BEDD60 6 Bytes [90, E9, F2, 70, 36, EA] {NOP ; JMP 0xffffffffea3670f8}
.text advapi32.dll!EnumServicesStatusA 75BF2021 7 Bytes [90, E9, BD, 06, 36, EA, 90] {NOP ; JMP 0xffffffffea3606c3; NOP }
.text advapi32.dll!EnumDependentServicesA 75BF2104 7 Bytes [90, E9, B2, FD, 35, EA, 90] {NOP ; JMP 0xffffffffea35fdb8; NOP }
.text advapi32.dll!EnumServicesStatusW 75BF2221 7 Bytes [90, E9, 19, 06, 36, EA, 90] {NOP ; JMP 0xffffffffea36061f; NOP }
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[892] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[892] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[892] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
.text C:\Windows\system32\svchost.exe[892] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
.text C:\Windows\system32\svchost.exe[892] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
.text ...
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!CreateProcessInternalW 75C807A2 5 Bytes JMP 0002483D
.text C:\Windows\system32\svchost.exe[976] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[976] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[976] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
.text C:\Windows\system32\svchost.exe[976] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
.text C:\Windows\system32\svchost.exe[976] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
.text ...
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateProcessW 75C3204D 7 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateProcessA 75C32082 7 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!LoadLibraryExW 75C75079 6 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!GetProcAddress 75C7CC94 6 Bytes JMP 5FF4DECB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!FreeLibrary 75C7EF67 6 Bytes JMP 5FF4E027 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 6 Bytes JMP 5FF4E6F7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!CreateProcessAsUserA 75BD2538 7 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!CreateProcessWithLogonW 75BD52E9 8 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\System32\svchost.exe[1056] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\System32\svchost.exe[1056] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
.text C:\Windows\System32\svchost.exe[1056] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
.text C:\Windows\System32\svchost.exe[1056] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
.text ...
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessW 75C3204D 7 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessA 75C32082 7 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExW 75C75079 6 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetProcAddress 75C7CC94 6 Bytes JMP 5FF4DECB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!FreeLibrary 75C7EF67 6 Bytes JMP 5FF4E027 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 6 Bytes JMP 5FF4E6F7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!CreateProcessAsUserA 75BD2538 7 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!CreateProcessWithLogonW 75BD52E9 8 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1092] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\System32\svchost.exe[1092] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\System32\svchost.exe[1092] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
.text C:\Windows\System32\svchost.exe[1092] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
.text C:\Windows\System32\svchost.exe[1092] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
.text ...
.text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateProcessInternalW 75C807A2 5 Bytes JMP 0002483D
.text C:\Windows\system32\svchost.exe[1132] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1132] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1132] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
.text C:\Windows\system32\svchost.exe[1132] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
.text C:\Windows\system32\svchost.exe[1132] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
.text ...
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!CreateProcessInternalW 75C807A2 5 Bytes JMP 0002483D
.text C:\Windows\system32\svchost.exe[1324] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1324] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1324] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
.text C:\Windows\system32\svchost.exe[1324] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
.text C:\Windows\system32\svchost.exe[1324] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
.text ...
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateProcessW 75C3204D 5 Bytes JMP 5FF4E440 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateProcessA 75C32082 5 Bytes JMP 5FF4E2E4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExW 75C75079 5 Bytes JMP 5FF4DD70 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!GetProcAddress 75C7CC94 5 Bytes JMP 5FF4DECC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!FreeLibrary 75C7EF67 5 Bytes JMP 5FF4E028 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 5 Bytes JMP 5FF4E6F8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!CreateProcessAsUserA 75BD2538 5 Bytes JMP 5FF4E854 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!CreateProcessWithLogonW 75BD52E9 5 Bytes JMP 5FF4E59C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1488] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1488] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1488] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
.text C:\Windows\system32\svchost.exe[1488] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
.text C:\Windows\system32\svchost.exe[1488] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
.text ...
.text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 6 Bytes JMP 5FF4E6F7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!CreateProcessAsUserA 75BD2538 7 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!CreateProcessWithLogonW 75BD52E9 8 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\System32\svchost.exe[1056] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\System32\svchost.exe[1056] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
.text C:\Windows\System32\svchost.exe[1056] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
.text C:\Windows\System32\svchost.exe[1056] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
.text ...
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessW 75C3204D 7 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessA 75C32082 7 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExW 75C75079 6 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetProcAddress 75C7CC94 6 Bytes JMP 5FF4DECB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!FreeLibrary 75C7EF67 6 Bytes JMP 5FF4E027 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 6 Bytes JMP 5FF4E6F7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!CreateProcessAsUserA 75BD2538 7 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!CreateProcessWithLogonW 75BD52E9 8 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\System32\svchost.exe[1092] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\System32\svchost.exe[1092] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\System32\svchost.exe[1092] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
.text C:\Windows\System32\svchost.exe[1092] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
.text C:\Windows\System32\svchost.exe[1092] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
.text ...
.text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateProcessInternalW 75C807A2 5 Bytes JMP 0002483D
.text C:\Windows\system32\svchost.exe[1132] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1132] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1132] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
.text C:\Windows\system32\svchost.exe[1132] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
.text C:\Windows\system32\svchost.exe[1132] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
.text ...
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!CreateProcessInternalW 75C807A2 5 Bytes JMP 0002483D
.text C:\Windows\system32\svchost.exe[1324] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1324] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1324] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
.text C:\Windows\system32\svchost.exe[1324] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
.text C:\Windows\system32\svchost.exe[1324] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
.text ...
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateProcessW 75C3204D 5 Bytes JMP 5FF4E440 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateProcessA 75C32082 5 Bytes JMP 5FF4E2E4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExW 75C75079 5 Bytes JMP 5FF4DD70 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!GetProcAddress 75C7CC94 5 Bytes JMP 5FF4DECC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!FreeLibrary 75C7EF67 5 Bytes JMP 5FF4E028 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 5 Bytes JMP 5FF4E6F8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!CreateProcessAsUserA 75BD2538 5 Bytes JMP 5FF4E854 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!CreateProcessWithLogonW 75BD52E9 5 Bytes JMP 5FF4E59C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Windows\system32\svchost.exe[1488] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1488] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1488] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
.text C:\Windows\system32\svchost.exe[1488] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
.text C:\Windows\system32\svchost.exe[1488] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
.text ...