
Have an infection,


  • This topic is locked
5 replies to this topic

#1 cvmonk


Posted 05 November 2008 - 09:00 PM

Here is the GMER doc

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-05 12:01:06
Windows 5.1.2600 Service Pack 3, v.3264


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEC4FF9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEC4FF958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEC4FF96C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEC4FF9EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEC4FF930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEC4FF944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEC4FF9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEC4FF996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEC4FF982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEC4FFA19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEC4FFA00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEC4FF9D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EC4FF9D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F610 5 Bytes JMP EC4FF9AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80570451 5 Bytes JMP EC4FF986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805741E0 5 Bytes JMP EC4FF934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057458F 7 Bytes JMP EC4FF9C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80578616 5 Bytes JMP EC4FFA04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80578A91 7 Bytes JMP EC4FF9EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581034 7 Bytes JMP EC4FF970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805836B4 5 Bytes JMP EC4FFA1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058B591 5 Bytes JMP EC4FF948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B1372 5 Bytes JMP EC4FF95C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DCDF 5 Bytes JMP EC4FF99A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E8000A
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E80096
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E80085
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E80FA1
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E80FB2
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E80FDE
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E80F6B
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E80F7C
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E800D8
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E80F3F
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E80F1A
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E80FC3
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E80025
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E800A7
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E80036
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E80F5A
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E70022
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E70062
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E70FD1
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E70011
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E70F9B
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00E70FAC
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 07, 89 ]
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E70033
.text C:\WINDOWS\system32\services.exe[740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E9000A
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E90087
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E90F92
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90FA3
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90062
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90FDB
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E900B5
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E90F6D
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E90F48
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E900E1
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E90F37
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E90FC0
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E9001B
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E90098
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E90047
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E90036
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E900D0
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E80FCA
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E8007D
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E8001B
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E8000A
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E8006C
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00E8005B
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E80036
.text C:\WINDOWS\system32\lsass.exe[752] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E60FEF
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0064
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F6F
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0053
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F8A
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0011
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F2D
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0075
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00AB
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0090
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0EF7
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A002C
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FD4
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F4A
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0000
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FAF
.text C:\Program Files\Messenger\msmsgs.exe[856] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F12
.text C:\Program Files\Messenger\msmsgs.exe[856] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002A0FCA
.text C:\Program Files\Messenger\msmsgs.exe[856] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002A0051
.text C:\Program Files\Messenger\msmsgs.exe[856] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002A0FE5
.text C:\Program Files\Messenger\msmsgs.exe[856] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002A0011
.text C:\Program Files\Messenger\msmsgs.exe[856] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002A0F9E
.text C:\Program Files\Messenger\msmsgs.exe[856] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002A0000
.text C:\Program Files\Messenger\msmsgs.exe[856] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002A0036
.text C:\Program Files\Messenger\msmsgs.exe[856] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002A0FB9
.text C:\Program Files\Messenger\msmsgs.exe[856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 002B0FEF
.text C:\Program Files\Messenger\msmsgs.exe[856] WININET.dll!InternetOpenA 42C2C8A1 5 Bytes JMP 002C000A
.text C:\Program Files\Messenger\msmsgs.exe[856] WININET.dll!InternetOpenW 42C2CED1 5 Bytes JMP 002C0FEF
.text C:\Program Files\Messenger\msmsgs.exe[856] WININET.dll!InternetOpenUrlA 42C30BFA 5 Bytes JMP 002C0025
.text C:\Program Files\Messenger\msmsgs.exe[856] WININET.dll!InternetOpenUrlW 42C7AC51 5 Bytes JMP 002C0040
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AD000A
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AD0F94
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AD0089
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AD0062
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AD0047
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AD002C
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AD0F66
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AD0F77
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AD00C9
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AD0F30
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00AD00DA
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00AD0FA5
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00AD0FE5
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00AD00AE
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00AD001B
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00AD0FCA
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00AD0F55
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00AC0FDB
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00AC005B
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00AC002C
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00AC001B
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00AC0F9E
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00AC0FAF
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ CC, 88 ]
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00AC0FC0
.text C:\WINDOWS\system32\svchost.exe[904] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AA000A
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F3A
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A002F
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F61
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F72
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0EFD
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F0E
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0ED8
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A007B
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0EC7
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F29
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\Explorer.EXE[920] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0060
.text C:\WINDOWS\Explorer.EXE[920] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290033
.text C:\WINDOWS\Explorer.EXE[920] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0029005F
.text C:\WINDOWS\Explorer.EXE[920] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290022
.text C:\WINDOWS\Explorer.EXE[920] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290011
.text C:\WINDOWS\Explorer.EXE[920] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290FA2
.text C:\WINDOWS\Explorer.EXE[920] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290000
.text C:\WINDOWS\Explorer.EXE[920] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00290044
.text C:\WINDOWS\Explorer.EXE[920] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 1 Byte [ E9 ]
.text C:\WINDOWS\Explorer.EXE[920] ADVAPI32.dll!RegCreateKeyA + 2 77DFBCC5 3 Bytes [ 52, 49, 88 ]
.text C:\WINDOWS\Explorer.EXE[920] WININET.dll!InternetOpenA 42C2C8A1 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\Explorer.EXE[920] WININET.dll!InternetOpenW 42C2CED1 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[920] WININET.dll!InternetOpenUrlA 42C30BFA 5 Bytes JMP 002C001B
.text C:\WINDOWS\Explorer.EXE[920] WININET.dll!InternetOpenUrlW 42C7AC51 5 Bytes JMP 002C0FCA
.text C:\WINDOWS\Explorer.EXE[920] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01B80FEF
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D80096
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D8007B
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D80F97
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D80FA8
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D80FD4
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D800BD
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D80F75
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D80F5A
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D800E9
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D80F3F
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D80FB9
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D80025
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D80F86
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D80FE5
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D80036
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D800D8
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D70047
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D70076
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D70036
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D7001B
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D70FB9
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00D70FCA
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ F7, 88 ]
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D70FE5
.text C:\WINDOWS\system32\svchost.exe[980] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 025D0FEF
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025D0076
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 025D0065
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 025D0F8B
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 025D0FA8
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 025D0039
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025D0F4B
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025D0F5C
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025D00BF
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025D0F26
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 025D00D0
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 025D0054
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 025D0014
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 025D0087
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 025D0FC3
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 025D0FDE
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 025D00A4
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 025C0047
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 025C0FA5
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 025C0036
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 025C001B
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 025C0FC0
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 025C0000
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 025C0062
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 025C0FDB
.text C:\WINDOWS\System32\svchost.exe[1060] WS2_32.dll!socket 71AB4211 5 Bytes JMP 025A0FEF
.text C:\WINDOWS\System32\svchost.exe[1060] WININET.dll!InternetOpenA 42C2C8A1 5 Bytes JMP 02590FEF
.text C:\WINDOWS\System32\svchost.exe[1060] WININET.dll!InternetOpenW 42C2CED1 5 Bytes JMP 02590FDE
.text C:\WINDOWS\System32\svchost.exe[1060] WININET.dll!InternetOpenUrlA 42C30BFA 5 Bytes JMP 02590FC3
.text C:\WINDOWS\System32\svchost.exe[1060] WININET.dll!InternetOpenUrlW 42C7AC51 5 Bytes JMP 02590FB2
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0077000A
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00770F72
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00770F83
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00770F94
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00770FA5
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00770047
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00770082
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00770F46
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007700B8
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0077009D
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 007700C9
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00770FB6
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0077001B
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00770F61
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00770FE5
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0077002C
.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00770F29
.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00760014
.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00760F8A
.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00760FC3
.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00760FD4
.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00760047
.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00760FE5
.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00760036
.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00760025
.text C:\WINDOWS\System32\svchost.exe[1120] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00740FE5
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D20082
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D20071
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D20F97
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D20FA8
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D20FCA
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D20F55
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D200A7
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D20F29
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D200C2
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D20F18
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D20FB9
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D2000A
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D20F7C
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D20036
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D2001B
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D20F44
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D1005B
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D10025
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D10F9E
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D10000
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00D10040
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D10FB9

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Processes - GMER 1.0.14 ----

Process C:\WINDOWS\system32\HPBPRO.EXE (*** hidden *** ) 3292

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.14 ----



#2 garmanma

  • Staff Emeritus

Posted 05 November 2008 - 09:26 PM

Welcome to BC
Never used Gmer, wouldn't know how to decipher the log. If you care to run Mbam, I'll take a look
----------------------------

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits

#3 cvmonk

  • Topic Starter

Posted 06 November 2008 - 02:13 PM

When I run MBam it finds no infection. In the previous list you will notice there is a hidden file in the registry and it is highlighted in red. Is this normal? If not, how do I get rid of it? Thanks

Edited by cvmonk, 06 November 2008 - 02:17 PM.


#4 garmanma

  • Staff Emeritus

Posted 06 November 2008 - 04:25 PM

I am not part of the HJT team nor experienced enough to suggest deleting registry keys.
Your best bet would be to prepare a HJT log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Then post it in the proper forum, here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
Mark

#5 cvmonk

  • Topic Starter

Posted 08 November 2008 - 01:26 PM

I ran McAfee Root Detective and it found
1002 hidden processes and files
22 hidden registry keys/values
no hooked services

Do I delete these or what?
thanks

#6 Orange Blossom

  • Moderator

Posted 13 November 2008 - 08:49 PM

Hello cvmonk,

I see that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/178759/computor-still-infected/

We do not allow more than one topic for the same computer and the same issue as this causes confusion, and in this case may make the disinfection process more difficult. Please note that I have merged your newer HJT topic with your earlier one for the same reason. I also deleted your latest topic in the Am I Infected forum as the content was identical to the content of your latest post in this thread.

Because you have a HiJack This log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



