Vundo/Virtumonde gone (I think) but PC slower than before infection

7 replies to this topic

#1 nashydan (Members, 5 posts)

Posted 10 January 2009 - 03:43 PM

Hi

I hope I am posting this in the correct place.

My boyfriend clicked on a link in a chatroom last weekend and somehow ended up infecting our PC with Vundo/Virtumonde.

Before the infection we had no PC problems that we were aware of. After the infection we had lots of pop ups, the PC would often crash and a blue screen would appear with the error message stating ‘a problem has been detected and windows has been shutdown to prevent damage to your computer…..’. Another box would also pop up from time to time saying: ‘Generic Host process for Win 32 Services has encountered a problem and needs to close. The system is shutting down. This shutdown was initiated by NT AUTHORITY SYSTEM. Windows must now re-start because the Dcom Server Process Launcher Service terminated unexpectedly’. The PC also became slower on start up.

We had McAfee installed but somehow we still got infected.

Since infection I have been trying lots of free programs, spybot, superantispyware and malwarebytes anti-malware. They all picked up things which I deleted and the new scans of these show no infections. I think I have therefore managed to get rid of it. The above pop ups & messages have all gone but the PC is still slow on start up so I am worried all is not as it was before the infection.

Once I reach the desktop I have to wait about 2 minutes before I can open a browser window to use the internet. Before infection once the PC was turned on I could access the internet within about 10 seconds.

I am very worried something might still be lurking on my PC and therefore am not willing to use internet banking or buy anything online. How can I be sure I have got rid of the virus?

Can someone suggest something?!

Many thanks for reading.

SYSTEM: Microsoft Windows XP Media Centre Edition version 2002 service pack 3


#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,749 posts)

Posted 10 January 2009 - 03:48 PM

Please post the results of your MBAM scan for review.

To retrieve the MBAM scan log information, launch MBAM.
• Click the Logs Tab at the top.
mbam-log-2008-10-12(13-35-16).txt should show in the list. <- your dates will be different from this example
• Click on the log name to highlight it.
• Go to the bottom and click on Open.
• The log should automatically open in notepad as a text file.
• Go to Edit and choose Select all.
• Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
• Come back to this thread, click Add Reply, then right-click and choose Paste.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 nashydan (Topic Starter)

Posted 10 January 2009 - 03:53 PM

Hope this is right:


Malwarebytes' Anti-Malware 1.32
Database version: 1632
Windows 5.1.2600 Service Pack 3

10/01/2009 19:51:03
mbam-log-2009-01-10 (19-51-03).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 150705
Time elapsed: 1 hour(s), 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 quietman7 (Bleepin' Janitor, Global Moderator, 51,749 posts)

Posted 10 January 2009 - 04:00 PM

Do you have a log prior to this one showing what malware was detected/removed?

#5 nashydan (Topic Starter)

Posted 10 January 2009 - 04:01 PM

And here's the 1st scan results that I did on 08/01/09 (not sure if you need these)


Malwarebytes' Anti-Malware 1.32
Database version: 1632
Windows 5.1.2600 Service Pack 3

08/01/2009 20:02:26
mbam-log-2009-01-08 (20-02-26).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 148938
Time elapsed: 46 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\rrhvasyg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rrwphe.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0907aa9-a41e-4ebc-b23e-0b342e5a89e5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0907aa9-a41e-4ebc-b23e-0b342e5a89e5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0907aa9-a41e-4ebc-b23e-0b342e5a89e5} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a8491a8c (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\rrwphe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rrhvasyg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gysavhrr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\RS46JB8U\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tash\Local Settings\Temp\senekaabe4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tash\Local Settings\Temporary Internet Files\Content.IE5\BSQT1CVO\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tash\Local Settings\Temporary Internet Files\Content.IE5\OMAYUS95\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\njqvtwas.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rcjimhav.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekagmfnlsbp.dll (Trojan.Seneka) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekavacgnnsq.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekahpdxijwx.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekankirsklt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaqmitexdf.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekativkdipr.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaalxjdulh.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaixyidyav.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekaornspyfq.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaptamrflx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaqouaxtmt.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekasovkbeyn.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekathlvixbk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
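The two logs above are what the helpers read to decide between "clean and verify" and "wipe and reinstall". The following is an added example, not part of the thread and not Malwarebytes' code: it parses the MBAM log format shown above (summary counts, section headers, one "item (Family) -> Action." line per detection), counts families, flags rootkit/backdoor classes, lists removals that still depend on a reboot, and checks that the listed items agree with the summary counts. The "Backdoor." prefix is an assumption alongside the "Rootkit." prefix seen in the log; SAMPLE_LOG is a constructed excerpt modelled on the first scan.

```python
"""Triage a Malwarebytes' Anti-Malware (MBAM) scan log.

Added example; not part of the thread and not Malwarebytes' code. It reads the
log format the thread shows and answers the questions the helpers asked: which
families were found, whether any is a rootkit or backdoor class (which changes
the advice from "clean" to "reimage"), which removals still depend on a reboot,
and whether the listed items agree with the summary counts.
"""
import re
from collections import Counter

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Detection-name prefixes that mean the machine may have been remotely controlled.
# "Rootkit." appears in the thread's log; "Backdoor." is an assumed companion prefix.
HIGH_RISK_PREFIXES = ("Rootkit.", "Backdoor.")

# Constructed excerpt modelled on the first scan posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.32
Database version: 1632
Windows 5.1.2600 Service Pack 3

Memory Processes Infected: 0
Memory Modules Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\rrhvasyg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rrwphe.dll (Trojan.Vundo) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\gysavhrr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekagmfnlsbp.dll (Trojan.Seneka) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekavacgnnsq.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaixyidyav.dll (Trojan.Agent) -> Delete on reboot.
"""

# Constructed excerpt modelled on the second, all-zero scan.
CLEAN_LOG = """Malwarebytes' Anti-Malware 1.32

Files Infected: 0

Files Infected:
(No malicious items detected)
"""


def parse_mbam_log(text):
    """Return {"summary": {section: count}, "detections": [dict, ...]}."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append({"section": section, "item": m["item"],
                               "family": m["family"], "action": m["action"]})
    return {"summary": summary, "detections": detections}


def triage(text):
    """Summarise one MBAM log the way a helper reading the thread would."""
    parsed = parse_mbam_log(text)
    found = parsed["detections"]
    families = Counter(d["family"] for d in found)
    high_risk = [d for d in found if d["family"].startswith(HIGH_RISK_PREFIXES)]
    # "Delete on reboot" means the file was still loaded when scanned; it is only
    # gone once the machine has restarted and a fresh scan no longer lists it.
    pending_reboot = [d["item"] for d in found
                      if d["action"].lower().startswith("delete on reboot")]
    listed = Counter(d["section"] for d in found)
    mismatches = sorted(s for s, n in parsed["summary"].items()
                        if listed.get(s, 0) != n)
    if not found:
        verdict = "no_detections"
    elif high_risk:
        verdict = "reimage_recommended"
    else:
        verdict = "clean_and_verify"
    return {"families": dict(families), "high_risk": high_risk,
            "pending_reboot": pending_reboot, "count_mismatches": mismatches,
            "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("first scan", SAMPLE_LOG), ("second scan", CLEAN_LOG)):
        print(name, triage(log))
```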

#6 extremeboy (Malware Response Team, 12,975 posts)

Posted 10 January 2009 - 05:03 PM

Hello.

Rootkit Threat

Unfortunately, one or more of the identified infections is a Rootkit/Backdoor.

Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

Download and run MalwareBytes Anti-Malware(Full Scan)

Please download Malwarebytes Anti-Malware and save it to your desktop if you lost your copy and need to install it, otherwise skip the installation step and continue with the Full Scan.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!: Please do not select the Show all checkbox during the scan.

Post back with the logs, once you are done. Next post we may need to run another stronger tool to deal with the leftover infections that may be still active/alive.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

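The GMER scan requested above produces one line per hook, and the work of reading it is separating hooks GMER could attribute to a legitimate module from hooks it could not. The following is an added example, not part of the thread and not GMER's own code: it parses the three entry styles GMER prints (SSDT "Code" entries, kernel inline hooks, user-mode inline hooks), tallies hooks per attributed module, and groups the unattributed ones by process and by the top 16 bits of their JMP target, which is where a helper looks first. SAMPLE_LOG is a constructed excerpt in GMER's line format.

```python
"""Triage a GMER rootkit-scan log.

Added example; not part of the thread and not GMER's code. Hooks GMER attributed
to a module (e.g. a HIPS driver) are counted per module; hooks whose JMP target
GMER could not attribute are grouped by process and target region so the reader
can see which processes carry unexplained patches and how many injected regions
they point into.
"""
import re
from collections import defaultdict

# SSDT entry: "Code <module> (<description>) <Api> [0x<addr>]" (address optional).
SSDT_RE = re.compile(
    r"^Code\s+(?P<module>\S+ \([^)]*\))\s+(?P<api>\S+)"
    r"(?:\s+\[(?P<target>0x[0-9A-Fa-f]+)\])?$")
# Inline hook: "<section> <where> <addr> <n> Bytes JMP <target> [<module>]"
# or "<section> <where> <addr> <n> Bytes [ xx, yy ]" for raw patched bytes.
INLINE_RE = re.compile(
    r"^(?P<section>\.text|PAGE|INIT)\s+(?P<where>.+?)\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<size>\d+) Bytes\s+(?:JMP (?P<target>[0-9A-Fa-f]{8})|\[(?P<bytes>[^\]]*)\])"
    r"(?:\s+(?P<module>.+))?$")
# User-mode entries carry "<process path>[<pid>] <dll>!<export>"; kernel ones do not.
PROCESS_RE = re.compile(r"^(?P<process>.+?\[\d+\])\s+(?P<api>.+)$")

# Constructed excerpt in GMER's line format, modelled on the thread's log.
SAMPLE_LOG = r"""GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-15 21:31:56
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xED8309B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP ED8309E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP ED8309B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[324] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01A9ED60 C:\Program Files\McAfee\SiteAdvisor\saPlugin.dll
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0385000A
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03850F02
.text C:\WINDOWS\Explorer.EXE[740] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 03550FE5
.text C:\WINDOWS\Explorer.EXE[740] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 75, 8B ]
.text C:\WINDOWS\Explorer.EXE[740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03530FEF
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F2E
"""


def module_name(module):
    """'\\SystemRoot\\...\\mfehidk.sys (Host Intrusion ...)' -> 'mfehidk.sys'."""
    return module.split(" (")[0].rsplit("\\", 1)[-1]


def parse_gmer_log(text):
    """Return one dict per hook entry; header and rule lines are skipped."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks.append({"kind": "ssdt", "process": "kernel", "api": m["api"],
                          "target": m["target"], "bytes": None, "module": m["module"]})
            continue
        m = INLINE_RE.match(line)
        if m:
            p = PROCESS_RE.match(m["where"])
            process, api = (p["process"], p["api"]) if p else ("kernel", m["where"])
            hooks.append({"kind": "inline", "process": process, "api": api,
                          "address": m["addr"], "size": int(m["size"]),
                          "target": m["target"],
                          "bytes": (m["bytes"] or "").strip() or None,
                          "module": m["module"]})
    return hooks


def triage(text):
    """Count attributed hooks per module; group the rest by process and region."""
    hooks = parse_gmer_log(text)
    attributed = defaultdict(int)
    unattributed = defaultdict(lambda: defaultdict(list))
    for h in hooks:
        if h["module"]:
            attributed[module_name(h["module"])] += 1
        elif h["target"]:
            # Top 16 bits of the JMP target: trampolines written by one injected
            # component cluster in a single small region, so this groups them.
            unattributed[h["process"]][h["target"][:4]].append(h["api"])
        else:
            unattributed[h["process"]]["patched-bytes"].append(h["api"])
    return {"total": len(hooks), "attributed": dict(attributed),
            "unattributed": {p: dict(r) for p, r in unattributed.items()}}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```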

#7 nashydan (Topic Starter)

Posted 15 January 2009 - 04:44 PM

Sorry I have been ages in replying. Have changed passwords etc as recommended on another computer.

Questions:

1) Will re-formatting definitely get rid of all possible problems with the infection? I am happy to re-format but have never done it before so would need some step by step instructions.

2) I have already posted malwarebytes log - do you want another?

3) In my Dell owners manual they have a thing called 'Dell PC Restore' which restores the hard drive to the operating state it was when the computer was purchased. It claims to permanently delete all data on the hard drive and removes any applications installed. It says to use it only if System Restore did not resolve the operating system problem. Any thoughts on this? Is this like reformatting but not as good?

Here's the GMER log, hope I have done it correctly, it seems v. long

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-15 21:31:56
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xED8309B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xED830A49]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xED83095D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xED830976]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xED830A5D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xED830A89]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xED830AF7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xED830AE1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xED8309F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xED830B23]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xED830A35]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xED830930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xED830944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xED8309C6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xED830B5F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xED830ACB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xED830AB5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xED830A73]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xED830B4B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xED830B37]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xED83099E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xED83098A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xED830A9F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xED830A21]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xED830B0D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xED830A08]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xED8309DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP ED8309E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP ED8309B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP ED8309F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP ED830A0C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP ED8309CA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP ED830934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP ED830948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP ED83098E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP ED83097A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP ED830961 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP ED8309A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP ED830A25 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP ED830AB9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP ED830AA3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP ED830B11 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP ED830ACF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP ED830A77 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP ED830A4D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP ED830A61 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP ED830A8D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 7 Bytes JMP ED830AFB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP ED830AE5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP ED830A39 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP ED830B63 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP ED830B3B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP ED830B4F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP ED830B27 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[324] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01A9ED60 C:\Program Files\McAfee\SiteAdvisor\saPlugin.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[324] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0385000A
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0385007B
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03850F7C
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03850F8D
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03850FA8
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03850040
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03850F35
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03850F50
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03850F02
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03850F13
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 03850EE7
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 03850FB9
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0385001B
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 03850F6B
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 03850FCA
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 03850FE5
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 03850F24
.text C:\WINDOWS\Explorer.EXE[740] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 03550FE5
.text C:\WINDOWS\Explorer.EXE[740] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 03550047
.text C:\WINDOWS\Explorer.EXE[740] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 03550036
.text C:\WINDOWS\Explorer.EXE[740] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0355001B
.text C:\WINDOWS\Explorer.EXE[740] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 03550F94
.text C:\WINDOWS\Explorer.EXE[740] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 03550000
.text C:\WINDOWS\Explorer.EXE[740] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 03550FAF
.text C:\WINDOWS\Explorer.EXE[740] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 75, 8B ]
.text C:\WINDOWS\Explorer.EXE[740] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 03550FCA
.text C:\WINDOWS\Explorer.EXE[740] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 03560FE5
.text C:\WINDOWS\Explorer.EXE[740] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 03560FD4
.text C:\WINDOWS\Explorer.EXE[740] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 0356000A
.text C:\WINDOWS\Explorer.EXE[740] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 03560FB9
.text C:\WINDOWS\Explorer.EXE[740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03530FEF
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F70
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F8B
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F9C
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FDE
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070091
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070080
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700BD
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F2E
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00070F09
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070065
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070F55
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 000700A2
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0006002F
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0006009B
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0006008A
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0006006F
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0006004A
.text C:\WINDOWS\system32\services.exe[1016] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A90098
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A90FA3
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A9007D
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A90062
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A90047
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!GetStartupInfoW

7C801E54 5 Bytes JMP 00A90F75
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!GetStartupInfoA

7C801EF2 5 Bytes JMP 00A900BD
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!CreateProcessW

7C802336 5 Bytes JMP 00A90104
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!CreateProcessA

7C80236B 5 Bytes JMP 00A900E9
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!GetProcAddress

7C80AE30 5 Bytes JMP 00A9011F
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!LoadLibraryW

7C80AEDB 5 Bytes JMP 00A90FC0
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!CreateFileW

7C8107F0 5 Bytes JMP 00A90011
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!CreatePipe

7C81D827 5 Bytes JMP 00A90F92
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!CreateNamedPipeW

7C82F0C5 5 Bytes JMP 00A90036
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!CreateNamedPipeA

7C860B7C 5 Bytes JMP 00A90FE5
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!WinExec

7C8623AD 5 Bytes JMP 00A900D8
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegOpenKeyExW

77DD6A9F 5 Bytes JMP 00A80FD4
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegCreateKeyExW

77DD775C 5 Bytes JMP 00A8006C
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegOpenKeyExA

77DD7842 5 Bytes JMP 00A80025
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegOpenKeyW

77DD7936 5 Bytes JMP 00A80FE5
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegCreateKeyExA

77DDE9E4 5 Bytes JMP 00A80FAF
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegOpenKeyA

77DDEFB8 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegCreateKeyW

77DFBA25 5 Bytes JMP 00A80047
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegCreateKeyA

77DFBCC3 5 Bytes JMP 00A80036
.text C:\WINDOWS\system32\lsass.exe[1028] WS2_32.dll!socket

71AB4211 5 Bytes JMP 00A60000
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileA

7C801A28 5 Bytes JMP 0266000A
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtectEx

7C801A61 5 Bytes JMP 02660F5C
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtect

7C801AD4 5 Bytes JMP 02660F6D
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExW

7C801AF5 5 Bytes JMP 02660F7E
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExA

7C801D53 5 Bytes JMP 02660047
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryA

7C801D7B 5 Bytes JMP 02660FCA
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoW

7C801E54 5 Bytes JMP 0266006C
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoA

7C801EF2 5 Bytes JMP 02660F30
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessW

7C802336 5 Bytes JMP 02660EF8
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessA

7C80236B 5 Bytes JMP 02660F09
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetProcAddress

7C80AE30 5 Bytes JMP 026600AC
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryW

7C80AEDB 5 Bytes JMP 02660FA5
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileW

7C8107F0 5 Bytes JMP 0266001B
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreatePipe

7C81D827 5 Bytes JMP 02660F41
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeW

7C82F0C5 5 Bytes JMP 02660FDB
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeA

7C860B7C 5 Bytes JMP 0266002C
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!WinExec

7C8623AD 5 Bytes JMP 0266007D
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExW

77DD6A9F 5 Bytes JMP 02650FC3
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExW

77DD775C 5 Bytes JMP 02650FA1
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExA

77DD7842 5 Bytes JMP 02650FD4
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyW

77DD7936 5 Bytes JMP 02650FE5
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExA

77DDE9E4 5 Bytes JMP 0265005E
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyA

77DDEFB8 5 Bytes JMP 02650000
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW

77DFBA25 5 Bytes JMP 02650043
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyA

77DFBCC3 5 Bytes JMP 02650FB2
.text C:\WINDOWS\system32\svchost.exe[1244] WS2_32.dll!socket

71AB4211 5 Bytes JMP 02630FEF
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileA

7C801A28 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!VirtualProtectEx

7C801A61 5 Bytes JMP 00FF006C
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!VirtualProtect

7C801AD4 5 Bytes JMP 00FF0F6D
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExW

7C801AF5 5 Bytes JMP 00FF0F7E
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExA

7C801D53 5 Bytes JMP 00FF0047
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryA

7C801D7B 5 Bytes JMP 00FF002C
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoW

7C801E54 5 Bytes JMP 00FF00A9
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoA

7C801EF2 5 Bytes JMP 00FF0098
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessW

7C802336 5 Bytes JMP 00FF0F24
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessA

7C80236B 5 Bytes JMP 00FF0F35
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetProcAddress

7C80AE30 5 Bytes JMP 00FF00D8
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryW

7C80AEDB 5 Bytes JMP 00FF0FA5
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileW

7C8107F0 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreatePipe

7C81D827 5 Bytes JMP 00FF0087
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeW

7C82F0C5 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeA

7C860B7C 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!WinExec

7C8623AD 5 Bytes JMP 00FF0F46
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExW

77DD6A9F 5 Bytes JMP 00CA0FC3
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExW

77DD775C 5 Bytes JMP 00CA004A
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExA

77DD7842 5 Bytes JMP 00CA0FD4
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyW

77DD7936 5 Bytes JMP 00CA000A
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExA

77DDE9E4 5 Bytes JMP 00CA002F
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyA

77DDEFB8 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW

77DFBA25 2 Bytes JMP 00CA0F97
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW + 3

77DFBA28 2 Bytes JMP 50C03388
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyA

77DFBCC3 5 Bytes JMP 00CA0FB2
.text C:\WINDOWS\system32\svchost.exe[1300] WS2_32.dll!socket

71AB4211 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateFileA

7C801A28 5 Bytes JMP 02CD0000
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!VirtualProtectEx

7C801A61 5 Bytes JMP 02CD00B0
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!VirtualProtect

7C801AD4 5 Bytes JMP 02CD009F
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryExW

7C801AF5 5 Bytes JMP 02CD0084
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryExA

7C801D53 5 Bytes JMP 02CD0069
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryA

7C801D7B 5 Bytes JMP 02CD0058
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetStartupInfoW

7C801E54 5 Bytes JMP 02CD00D5
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetStartupInfoA

7C801EF2 5 Bytes JMP 02CD0F8D
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateProcessW

7C802336 5 Bytes JMP 02CD0112
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateProcessA

7C80236B 5 Bytes JMP 02CD0101
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetProcAddress

7C80AE30 5 Bytes JMP 02CD0F54
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryW

7C80AEDB 5 Bytes JMP 02CD0FC7
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateFileW

7C8107F0 5 Bytes JMP 02CD0011
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreatePipe

7C81D827 5 Bytes JMP 02CD0FAA
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateNamedPipeW

7C82F0C5 5 Bytes JMP 02CD0047
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateNamedPipeA

7C860B7C 5 Bytes JMP 02CD002C
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!WinExec

7C8623AD 5 Bytes JMP 02CD00E6
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExW

77DD6A9F 5 Bytes JMP 026C001B
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExW

77DD775C 5 Bytes JMP 026C0F9E
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExA

77DD7842 5 Bytes JMP 026C0FC0
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyW

77DD7936 5 Bytes JMP 026C0FE5
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExA

77DDE9E4 5 Bytes JMP 026C0051
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyA

77DDEFB8 5 Bytes JMP 026C0000
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyW

77DFBA25 2 Bytes JMP 026C0FAF
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyW + 3

77DFBA28 2 Bytes [ 8C, 8A ]
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyA

77DFBCC3 5 Bytes JMP 026C0036
.text C:\WINDOWS\System32\svchost.exe[1480] WS2_32.dll!socket

71AB4211 5 Bytes JMP 026A000A
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenA

7806C865 5 Bytes JMP 026D0000
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenW

7806CE99 5 Bytes JMP 026D0FDB
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenUrlA

78070BCA 5 Bytes JMP 026D001B
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenUrlW

780BAEB9 5 Bytes JMP 026D0FCA
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateFileA

7C801A28 5 Bytes JMP 008B0000
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!VirtualProtectEx

7C801A61 5 Bytes JMP 008B0F6D
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!VirtualProtect

7C801AD4 5 Bytes JMP 008B0062
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!LoadLibraryExW

7C801AF5 5 Bytes JMP 008B0F94
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!LoadLibraryExA

7C801D53 5 Bytes JMP 008B0FA5
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!LoadLibraryA

7C801D7B 5 Bytes JMP 008B0FCA
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!GetStartupInfoW

7C801E54 5 Bytes JMP 008B00A4
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!GetStartupInfoA

7C801EF2 5 Bytes JMP 008B0089
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateProcessW

7C802336 5 Bytes JMP 008B00C9
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateProcessA

7C80236B 5 Bytes JMP 008B0F30
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!GetProcAddress

7C80AE30 5 Bytes JMP 008B00DA
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!LoadLibraryW

7C80AEDB 5 Bytes JMP 008B0051
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateFileW

7C8107F0 5 Bytes JMP 008B0FEF
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreatePipe

7C81D827 5 Bytes JMP 008B0F52
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateNamedPipeW

7C82F0C5 5 Bytes JMP 008B0036
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateNamedPipeA

7C860B7C 5 Bytes JMP 008B001B
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!WinExec

7C8623AD 5 Bytes JMP 008B0F41
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyExW

77DD6A9F 5 Bytes JMP 008A0047
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyExW

77DD775C 5 Bytes JMP 008A007D
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyExA

77DD7842 5 Bytes JMP 008A0036
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyW

77DD7936 5 Bytes JMP 008A0025
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyExA

77DDE9E4 5 Bytes JMP 008A0FCA
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyA

77DDEFB8 5 Bytes JMP 008A000A
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyW

77DFBA25 5 Bytes JMP 008A006C
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyA

77DFBCC3 5 Bytes JMP 008A0FDB
.text C:\WINDOWS\system32\svchost.exe[1652] WS2_32.dll!socket

71AB4211 5 Bytes JMP 00880000
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!CreateFileA

7C801A28 5 Bytes JMP 00CB0FE5
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!VirtualProtectEx

7C801A61 5 Bytes JMP 00CB0F5E
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!VirtualProtect

7C801AD4 5 Bytes JMP 00CB0053
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!LoadLibraryExW

7C801AF5 5 Bytes JMP 00CB0F79
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!LoadLibraryExA

7C801D53 5 Bytes JMP 00CB0F94
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!LoadLibraryA

7C801D7B 5 Bytes JMP 00CB0FAF
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!GetStartupInfoW

7C801E54 5 Bytes JMP 00CB0F37
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!GetStartupInfoA

7C801EF2 5 Bytes JMP 00CB007F
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!CreateProcessW

7C802336 5 Bytes JMP 00CB0F0B
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!CreateProcessA

7C80236B 5 Bytes JMP 00CB0F1C
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!GetProcAddress

7C80AE30 5 Bytes JMP 00CB00BF
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!LoadLibraryW

7C80AEDB 5 Bytes JMP 00CB0036
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!CreateFileW

7C8107F0 5 Bytes JMP 00CB000A
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!CreatePipe

7C81D827 5 Bytes JMP 00CB006E
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!CreateNamedPipeW

7C82F0C5 5 Bytes JMP 00CB0025
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!CreateNamedPipeA

7C860B7C 5 Bytes JMP 00CB0FD4
.text C:\WINDOWS\system32\svchost.exe[1832] kernel32.dll!WinExec

7C8623AD 5 Bytes JMP 00CB009A
.text C:\WINDOWS\system32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyExW

77DD6A9F 5 Bytes JMP 00AF0FB2
.text C:\WINDOWS\system32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyExW

77DD775C 5 Bytes JMP 00AF0F83
.text C:\WINDOWS\system32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyExA

77DD7842 5 Bytes JMP 00AF0FC3
.text C:\WINDOWS\system32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyW

77DD7936 5 Bytes JMP 00AF0FD4
.text C:\WINDOWS\system32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyExA

77DDE9E4 5 Bytes JMP 00AF0040
.text C:\WINDOWS\system32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyA

77DDEFB8 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\system32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyW

77DFBA25 5 Bytes JMP 00AF002F
.text C:\WINDOWS\system32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyA

77DFBCC3 5 Bytes JMP 00AF0014
.text C:\WINDOWS\system32\svchost.exe[1832] WS2_32.dll!socket

71AB4211 5 Bytes JMP 00AD0000
.text C:\WINDOWS\system32\svchost.exe[1832] WININET.dll!InternetOpenA

7806C865 5 Bytes JMP 00B0000A
.text C:\WINDOWS\system32\svchost.exe[1832] WININET.dll!InternetOpenW

7806CE99 5 Bytes JMP 00B0001B
.text C:\WINDOWS\system32\svchost.exe[1832] WININET.dll!InternetOpenUrlA

78070BCA 5 Bytes JMP 00B00036
.text C:\WINDOWS\system32\svchost.exe[1832] WININET.dll!InternetOpenUrlW

780BAEB9 5 Bytes JMP 00B00FE5
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!CreateFileA

7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!VirtualProtectEx

7C801A61 5 Bytes JMP 001A0082
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!VirtualProtect

7C801AD4 5 Bytes JMP 001A0071
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!LoadLibraryExW

7C801AF5 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!LoadLibraryExA

7C801D53 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!LoadLibraryA

7C801D7B 5 Bytes JMP 001A0040
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!GetStartupInfoW

7C801E54 5 Bytes JMP 001A00B3
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!GetStartupInfoA

7C801EF2 5 Bytes JMP 001A0F61
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!CreateProcessW

7C802336 5 Bytes JMP 001A0F3C
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!CreateProcessA

7C80236B 5 Bytes JMP 001A00D5
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!GetProcAddress

7C80AE30 5 Bytes JMP 001A00F0
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!LoadLibraryW

7C80AEDB 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!CreateFileW

7C8107F0 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!CreatePipe

7C81D827 5 Bytes JMP 001A0F72
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!CreateNamedPipeW

7C82F0C5 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!CreateNamedPipeA

7C860B7C 5 Bytes JMP 001A0025
.text C:\WINDOWS\system32\svchost.exe[2256] kernel32.dll!WinExec

7C8623AD 5 Bytes JMP 001A00C4
.text C:\WINDOWS\system32\svchost.exe[2256] ADVAPI32.dll!RegOpenKeyExW

77DD6A9F 5 Bytes JMP 00290040
.text C:\WINDOWS\system32\svchost.exe[2256] ADVAPI32.dll!RegCreateKeyExW

77DD775C 5 Bytes JMP 0029006F
.text C:\WINDOWS\system32\svchost.exe[2256] ADVAPI32.dll!RegOpenKeyExA

77DD7842 5 Bytes JMP 00290025
.text C:\WINDOWS\system32\svchost.exe[2256] ADVAPI32.dll!RegOpenKeyW

77DD7936 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\svchost.exe[2256] ADVAPI32.dll!RegCreateKeyExA

77DDE9E4 5 Bytes JMP 00290FB2
.text C:\WINDOWS\system32\svchost.exe[2256] ADVAPI32.dll!RegOpenKeyA

77DDEFB8 5 Bytes JMP 00290000
.text C:\WINDOWS\system32\svchost.exe[2256] ADVAPI32.dll!RegCreateKeyW

77DFBA25 2 Bytes JMP 00290FCD
.text C:\WINDOWS\system32\svchost.exe[2256] ADVAPI32.dll!RegCreateKeyW + 3

77DFBA28 2 Bytes [ 49, 88 ]
.text C:\WINDOWS\system32\svchost.exe[2256] ADVAPI32.dll!RegCreateKeyA

77DFBCC3 5 Bytes JMP 00290FDE
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!CreateFileA

7C801A28 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!VirtualProtectEx

7C801A61 5 Bytes JMP 00D10F8A
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!VirtualProtect

7C801AD4 5 Bytes JMP 00D1007F
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!LoadLibraryExW

7C801AF5 5 Bytes JMP 00D1006E
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!LoadLibraryExA

7C801D53 5 Bytes JMP 00D10FA5
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!LoadLibraryA

7C801D7B 5 Bytes JMP 00D1003D
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!GetStartupInfoW

7C801E54 5 Bytes JMP 00D10F59
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!GetStartupInfoA

7C801EF2 5 Bytes JMP 00D100A1
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!CreateProcessW

7C802336 5 Bytes JMP 00D10F37
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!CreateProcessA

7C80236B 5 Bytes JMP 00D100C6
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!GetProcAddress

7C80AE30 5 Bytes JMP 00D10F26
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!LoadLibraryW

7C80AEDB 5 Bytes JMP 00D10FB6
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!CreateFileW

7C8107F0 5 Bytes JMP 00D1000A
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!CreatePipe

7C81D827 5 Bytes JMP 00D10090
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!CreateNamedPipeW

7C82F0C5 5 Bytes JMP 00D1002C
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!CreateNamedPipeA

7C860B7C 5 Bytes JMP 00D1001B
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!WinExec

7C8623AD 5 Bytes JMP 00D10F48
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyExW

77DD6A9F 5 Bytes JMP 00D00FD4
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyExW

77DD775C 5 Bytes JMP 00D00076
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyExA

77DD7842 5 Bytes JMP 00D00025
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyW

77DD7936 5 Bytes JMP 00D00FE5
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyExA

77DDE9E4 5 Bytes JMP 00D00065
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyA

77DDEFB8 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyW

77DFBA25 2 Bytes JMP 00D00FC3
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyW + 3

77DFBA28 2 Bytes [ F0, 88 ]
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyA

77DFBCC3 5 Bytes JMP 00D00040
.text C:\WINDOWS\system32\svchost.exe[2336] WS2_32.dll!socket

71AB4211 5 Bytes JMP 00CE0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!CreateFileA

7C801A28 5 Bytes JMP 0345000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!VirtualProtectEx

7C801A61 5 Bytes JMP 03450F8B
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!VirtualProtect

7C801AD4 5 Bytes JMP 03450FA6
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!LoadLibraryExW

7C801AF5 5 Bytes JMP 03450080
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!LoadLibraryExA

7C801D53 5 Bytes JMP 03450FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!LoadLibraryA

7C801D7B 5 Bytes JMP 03450040
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!GetStartupInfoW

7C801E54 5 Bytes JMP 034500B8
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!GetStartupInfoA

7C801EF2 5 Bytes JMP 03450F70
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!CreateProcessW

7C802336 1 Byte [ E9 ]
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!CreateProcessW + 2

7C802338 3 Bytes [ EB, C4, 86 ]
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!CreateProcessA

7C80236B 5 Bytes JMP 03450F4B
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!GetProcAddress

7C80AE30 5 Bytes JMP 03450F29
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!LoadLibraryW

7C80AEDB 5 Bytes JMP 03450065
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!CreateFileW

7C8107F0 5 Bytes JMP 0345001B
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!CreatePipe

7C81D827 5 Bytes JMP 0345009B
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!CreateNamedPipeW

7C82F0C5 5 Bytes JMP 03450FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!CreateNamedPipeA

7C860B7C 5 Bytes JMP 03450FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] kernel32.dll!WinExec

7C8623AD 5 Bytes JMP 034500C9
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] ADVAPI32.dll!RegOpenKeyExW

77DD6A9F 5 Bytes JMP 03430000
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] ADVAPI32.dll!RegCreateKeyExW

77DD775C 5 Bytes JMP 03430047
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] ADVAPI32.dll!RegOpenKeyExA

77DD7842 5 Bytes JMP 03430FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] ADVAPI32.dll!RegOpenKeyW

77DD7936 5 Bytes JMP 03430FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] ADVAPI32.dll!RegCreateKeyExA

77DDE9E4 5 Bytes JMP 03430036
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] ADVAPI32.dll!RegOpenKeyA

77DDEFB8 5 Bytes JMP 03430FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] ADVAPI32.dll!RegCreateKeyW

77DFBA25 5 Bytes JMP 0343001B
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] ADVAPI32.dll!RegCreateKeyA

77DFBCC3 5 Bytes JMP 03430F94
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] USER32.dll!DialogBoxParamW

7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll

(Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] USER32.dll!DialogBoxIndirectParamW

7E432072 5 Bytes JMP 430A179F C:\WINDOWS\system32\IEFRAME.dll

(Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] USER32.dll!MessageBoxIndirectA

7E43A082 5 Bytes JMP 430A1720 C:\WINDOWS\system32\IEFRAME.dll

(Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] USER32.dll!DialogBoxParamA

7E43B144 5 Bytes JMP 430A1764 C:\WINDOWS\system32\IEFRAME.dll

(Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] USER32.dll!MessageBoxExW

7E450838 5 Bytes JMP 430A16AC C:\WINDOWS\system32\IEFRAME.dll

(Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] USER32.dll!MessageBoxExA

7E45085C 5 Bytes JMP 430A16E6 C:\WINDOWS\system32\IEFRAME.dll

(Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] USER32.dll!DialogBoxIndirectParamA

7E456D7D 5 Bytes JMP 430A17DA C:\WINDOWS\system32\IEFRAME.dll

(Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] USER32.dll!MessageBoxIndirectW

7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll

(Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] WS2_32.dll!socket

71AB4211 5 Bytes JMP 01BE0FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] WININET.dll!InternetOpenA

7806C865 5 Bytes JMP 03440FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] WININET.dll!InternetOpenW

7806CE99 5 Bytes JMP 0344000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] WININET.dll!InternetOpenUrlA

78070BCA 5 Bytes JMP 03440FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3260] WININET.dll!InternetOpenUrlW

780BAEB9 5 Bytes JMP 0344002F
.text C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!CreateFileA

7C801A28 5 Bytes JMP 001A000A
.text C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!VirtualProtectEx

7C801A61 5 Bytes JMP 001A0F4B
.text C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!VirtualProtect

7C801AD4 5 Bytes JMP 001A0040
.text C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!LoadLibraryExW

7C801AF5 5 Bytes JMP 001A002F
.text C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!LoadLibraryExA

7C801D53 5 Bytes JMP 001A0F72
.text C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!LoadLibraryA

7C801D7B 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!GetStartupInfoW

7C801E54 5 Bytes JMP 001A0F13
.text C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!GetStartupInfoA

7C801EF2 5 Bytes JMP 001A0065
.text C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!CreateProcessW

7C802336 5 Bytes JMP 001A00A2
.text C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!CreateProcessA

7C80236B 5 Bytes JMP 001A0091
.text C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!GetProcAddress

7C80AE30 5 Bytes JMP 001A00B3
.text  C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!LoadLibraryW  7C80AEDB 5 Bytes  JMP 001A0F8D
.text  C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!CreateFileW  7C8107F0 5 Bytes  JMP 001A0FEF
.text  C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!CreatePipe  7C81D827 5 Bytes  JMP 001A0F3A
.text  C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!CreateNamedPipeW  7C82F0C5 5 Bytes  JMP 001A0FCD
.text  C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!CreateNamedPipeA  7C860B7C 5 Bytes  JMP 001A0FDE
.text  C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!WinExec  7C8623AD 5 Bytes  JMP 001A0076
.text  C:\WINDOWS\system32\dllhost.exe[3676] ADVAPI32.dll!RegOpenKeyExW  77DD6A9F 5 Bytes  JMP 002A0FB2
.text  C:\WINDOWS\system32\dllhost.exe[3676] ADVAPI32.dll!RegCreateKeyExW  77DD775C 5 Bytes  JMP 002A004A
.text  C:\WINDOWS\system32\dllhost.exe[3676] ADVAPI32.dll!RegOpenKeyExA  77DD7842 5 Bytes  JMP 002A0FC3
.text  C:\WINDOWS\system32\dllhost.exe[3676] ADVAPI32.dll!RegOpenKeyW  77DD7936 5 Bytes  JMP 002A0FD4
.text  C:\WINDOWS\system32\dllhost.exe[3676] ADVAPI32.dll!RegCreateKeyExA  77DDE9E4 5 Bytes  JMP 002A002F
.text  C:\WINDOWS\system32\dllhost.exe[3676] ADVAPI32.dll!RegOpenKeyA  77DDEFB8 5 Bytes  JMP 002A0FEF
.text  C:\WINDOWS\system32\dllhost.exe[3676] ADVAPI32.dll!RegCreateKeyW  77DFBA25 2 Bytes  JMP 002A0F97
.text  C:\WINDOWS\system32\dllhost.exe[3676] ADVAPI32.dll!RegCreateKeyW + 3  77DFBA28 2 Bytes  [ 4A, 88 ]
.text  C:\WINDOWS\system32\dllhost.exe[3676] ADVAPI32.dll!RegCreateKeyA  77DFBCC3 5 Bytes  JMP 002A0014
.text  C:\WINDOWS\system32\dllhost.exe[3676] WS2_32.dll!socket  71AB4211 5 Bytes  JMP 00A70FEF
.text  c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3944] kernel32.dll!LoadLibraryA  7C801D7B 5 Bytes  JMP 0041C340  c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text  c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3944] kernel32.dll!LoadLibraryW  7C80AEDB 5 Bytes  JMP 0041C3C0  c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

---- User IAT/EAT - GMER 1.0.14 ----

IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 00D4FF90
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 00D4FC80
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 00D48770
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 00D49CB0
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 00D4CE20
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 00D4AA00
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 00D49FE0
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 00D4C160
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 00D4F160
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 00D4F1A0
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 00D502E0
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 00D4ED50
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 00D4CD80
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 00D4B520
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 00D4A6B0
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 00D4AFA0
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 00D50860
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 00D4C4B0
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 00D4CBE0
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 00D4D810
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 00D4D2F0
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 00D4D790
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 00D4E2B0
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 00D4D980
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 00D4A360
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 00D4B3D0
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 00D4F280
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 00D4D430
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 00D4CD20
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 00D4C8E0
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 00D4CF30
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 00D50300
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 00D4D230
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 00D505A0
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 00D50540
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 00D50790
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 00D50830
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 00D50660

---- Devices - GMER 1.0.14 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice  \FileSystem\Ntfs \Ntfs  SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice  \Driver\Tcpip \Device\Ip  Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Tcp  Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1  SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1  mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2  SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2  mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3  SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume4  SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice  \Driver\Tcpip \Device\Udp  Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\RawIp  Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device  \FileSystem\Fastfat \Fat  B4A49D20

AttachedDevice  \FileSystem\Fastfat \Fat  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat  SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice  \FileSystem\Fastfat \Fat  mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device  \FileSystem\Cdfs \Cdfs  DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.14 ----
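
The log above records two kinds of user-mode hook. The `.text` lines are inline patches: the first 5 bytes of an exported function (LoadLibraryW, CreateFileW, CreateNamedPipe*, WinExec, the Reg* family, socket) have been overwritten with a JMP to another address. The `IAT` lines are import-table redirections inside ezi_hnm2.exe. What a triager looks at first is where those JMPs land: in mcproxy.exe GMER resolves the targets (0041C3xx) to mcproxy.exe itself and names the module, while in dllhost.exe the targets sit in three small unnamed regions (001Axxxx for kernel32, 002Axxxx for ADVAPI32, 00A7xxxx for WS2_32) and GMER attaches no module. Unattributed hooks like that are produced both by security products that inject their own code (McAfee's HIPS is loaded on this machine, see the Devices section) and by injected malware, so the log alone does not decide; it tells you which processes and allocations to look at next. The script below is an added example, not part of the original post and not GMER's code. It parses the two record types, groups hooks per process and reports the distinct 64 KiB allocation regions that unattributed hooks jump into. The sample records are copied from the log above and re-joined one per line (the layout GMER itself writes); the 64 KiB grouping uses Windows' user-mode allocation granularity as a heuristic for "one injected block".

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: six records copied from the GMER 1.0.14 log above, one
# record per line. Raw string, so the backslashes in the paths are literal.
SAMPLE_LOG = r"""
.text  C:\WINDOWS\system32\dllhost.exe[3676] kernel32.dll!LoadLibraryW  7C80AEDB 5 Bytes  JMP 001A0F8D
.text  C:\WINDOWS\system32\dllhost.exe[3676] ADVAPI32.dll!RegCreateKeyW  77DFBA25 2 Bytes  JMP 002A0F97
.text  C:\WINDOWS\system32\dllhost.exe[3676] ADVAPI32.dll!RegCreateKeyW + 3  77DFBA28 2 Bytes  [ 4A, 88 ]
.text  C:\WINDOWS\system32\dllhost.exe[3676] WS2_32.dll!socket  71AB4211 5 Bytes  JMP 00A70FEF
.text  c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3944] kernel32.dll!LoadLibraryA  7C801D7B 5 Bytes  JMP 0041C340  c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
IAT  C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 00D49CB0
"""


@dataclass
class Hook:
    kind: str                  # "inline" (.text bytes patched) or "iat" (import entry redirected)
    image: str                 # path of the process whose memory was patched
    pid: int
    api: str                   # hooked export, e.g. "kernel32.dll!LoadLibraryW"
    target: Optional[int]      # where control is redirected; None for a raw byte patch with no JMP
    module: Optional[str]      # module GMER attributed the target to, or None if unattributed
    via: Optional[str] = None  # IAT hooks only: the importing module whose table was rewritten


# ".text  <image>[<pid>] <dll!export>[ + n]  <addr> <n> Bytes  JMP <target> | [ bytes ]  [<module (desc/vendor)>]"
INLINE_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<api>[^\s!]+![^\s]+(?: \+ \d+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+) Bytes\s+"
    r"(?:JMP (?P<target>[0-9A-Fa-f]{8})|\[[^\]]*\])"
    r"(?:\s+(?P<module>\S.*\)))?$"
)
# "IAT  <image>[<pid>] @ <importing module> [<dll!export>] <target>"
IAT_RE = re.compile(
    r"^IAT\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<via>\S.*?)\s+"
    r"\[(?P<api>[^\]]+)\]\s+(?P<target>[0-9A-Fa-f]{8})$"
)


def parse_gmer(text: str) -> list[Hook]:
    """Extract the user-mode hook records (.text patches and IAT entries) from a GMER log."""
    hooks: list[Hook] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := INLINE_RE.match(line):
            target = int(m["target"], 16) if m["target"] else None
            hooks.append(Hook("inline", m["image"], int(m["pid"]), m["api"], target, m["module"]))
        elif m := IAT_RE.match(line):
            hooks.append(Hook("iat", m["image"], int(m["pid"]), m["api"],
                              int(m["target"], 16), None, via=m["via"]))
    return hooks


ALLOC_GRANULARITY = 0x10000  # Windows reserves user-mode allocations on 64 KiB boundaries


def triage(hooks: list[Hook]) -> dict[str, dict]:
    """Per process: hook count, how many GMER tied to a named module, and the distinct
    64 KiB regions that unattributed hooks jump into (one region per injected block is
    the usual pattern, as the three regions in dllhost.exe show)."""
    summary: dict[str, dict] = defaultdict(
        lambda: {"hooks": 0, "attributed": 0, "unattributed_regions": set(), "apis": []}
    )
    for h in hooks:
        s = summary[f"{h.image}[{h.pid}]"]
        s["hooks"] += 1
        s["apis"].append(h.api)
        if h.module:
            s["attributed"] += 1
        elif h.target is not None:
            s["unattributed_regions"].add(h.target & ~(ALLOC_GRANULARITY - 1))
    return dict(summary)


def needs_follow_up(summary: dict[str, dict]) -> list[str]:
    """Processes with at least one hook whose target GMER could not tie to a module."""
    return sorted(k for k, s in summary.items() if s["unattributed_regions"])


if __name__ == "__main__":
    report = triage(parse_gmer(SAMPLE_LOG))
    for proc, s in report.items():
        regions = ", ".join(f"{r:08X}" for r in sorted(s["unattributed_regions"])) or "-"
        print(f"{proc}: {s['hooks']} hook(s), {s['attributed']} attributed, "
              f"unattributed regions: {regions}")
    print("follow up:", needs_follow_up(report))
```

Run against the full log, the report puts dllhost.exe and ezi_hnm2.exe on the follow-up list and leaves mcproxy.exe off it. The follow-up itself is not something the log can do for you: identify what owns the flagged regions (a debugger attached to the process, or a process viewer's memory/DLL listing) and whether the code there belongs to an installed security product or to something that should not be present.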

#8 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:26 PM

Posted 15 January 2009 - 06:23 PM

Hello.

If you want to format then I don't need to see the MBAM log.

1) Will re-formatting definitely get rid of all possible problems with the infection? I am happy to re-format but have never done it before, so would need some step-by-step instructions.

Yes, they will get removed once you format your whole computer.

2) I have already posted malwarebytes log - do you want another?

Not necessary if you are going to format.

3) In my Dell owner's manual they have a thing called 'Dell PC Restore' which restores the hard drive to the operating state it was in when the computer was purchased. It claims to permanently delete all data on the hard drive and remove any applications installed. It says to use it only if System Restore did not resolve the operating system problem. Any thoughts on this? Is this like reformatting but not as good?

Not familiar with it, but by the sounds of it, it's not as good as a format. Not even as good as a reinstall, because it only removes data files, and malware can be hidden in system files as well, and also registry keys, etc.

Regarding how to format in Windows XP, please refer to this tutorial.

Hope that helps, and good luck with the format.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.
