
Vundo.gen.ab Trojan Removal


11 replies to this topic

#1 Stylese

Stylese

  • Members
  • 5 posts

Posted 06 November 2009 - 11:20 AM

Over the last few days, my computer has been totally bogged down by what McAfee is calling Vundo.gen.ab Trojan. I have unsuccessfully run a handful of scans which purport to have found usually between 10-20 files that are usually quarantined. However, as soon as the scan is finished, the Trojan comes back and the same problem persists. I have McAfee and Ad-Aware currently installed as spyware and virus protectors...I'm ready to try anything, as I've exhausted my very, very limited technical skill-set. I'm extremely limited in my computer knowledge, so be gentle!



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,080 posts
  • Gender:Female
  • Location:Romania

Posted 06 November 2009 - 12:01 PM

Hi Stylese, please follow the steps below.

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, try renaming it again, this time changing the .exe extension as well, in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

Edited by elise025, 06 November 2009 - 12:02 PM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 neilmac

neilmac

  • Members
  • 38 posts

Posted 06 November 2009 - 12:19 PM

Get these programs:
AntiVir, it's great, at http://www.avira.com
Spybot Search and Destroy from http://www.safer-networking.org/en/home/index.html
Malwarebytes spyware scanner at http://www.malwarebytes.org/mbam.php
You can run more than one spyware scanner but only one antivirus. These are all free, but don't let the free scare you off; AntiVir has found viruses for me that others have failed to, and I have tried many. Just uninstall your current antivirus; leave the spyware scanner though, if you can, as having two or three of them is good. I hope this helps.

Edited by garmanma, 07 November 2009 - 10:21 PM.
Removed HJT reference - MG


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,080 posts
  • Gender:Female
  • Location:Romania

Posted 06 November 2009 - 12:28 PM

Hi Stylese, please try this

- Some types of malware will disable Malwarebytes Anti-Malware and other security tools to keep them from running properly. Others may delete the main mbam.exe executable file during installation or when attempting to perform a scan, which results in various errors.

One way to resolve this is to download and install Malwarebytes Anti-Malware on a non-infected computer.
  • After installation, open Windows Explorer and navigate to the C:\Program Files\Malwarebytes' Anti-Malware\ folder where mbam.exe is located.
  • Copy the mbam.exe file to the Desktop and rename it to wuauclt.exe or explorer.exe.
  • Save the renamed file to a usb flash drive or CD, then transfer to the infected computer.
    • Another option is to upload the file somewhere so you can download it later to the infected computer.
    • If you do not have access to another computer, ask a friend to email or upload a renamed mbam.exe for you and provide a link to download it.
  • Place the renamed mbam.exe in the C:\Program Files\Malwarebytes' Anti-Malware folder on the infected computer, then double-click on it to launch the program.
  • Check for database definition updates through the program's interface.
  • Then perform a Quick Scan, check all items found for removal and reboot afterwards.
  • Failure to reboot will prevent MBAM from removing all the malware.
  • When done, click the Logs tab and copy/paste the contents of the report in your next reply.

To avoid infecting your clean laptop, I recommend you use Flash Disinfector.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

regards, Elise
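
The placeholder-folder technique Elise describes above, as an added editorial example (this is not Flash_Disinfector's code and does not reproduce its internals). The idea is simple: a file and a directory cannot share the name autorun.inf in one folder, so pre-creating the directory keeps malware from dropping its own autorun.inf on the drive root. The example also shows the check a practitioner wants before touching anything: if a real autorun.inf is already there, parse it and see what it would launch rather than silently replacing it. The SAMPLE_AUTORUN text and its payload.exe name are constructed for the example; the hidden and system attributes are only applied on Windows and skipped elsewhere.

```python
"""Added example (editor-written; not Flash_Disinfector's code): the
autorun.inf placeholder-folder trick, plus a look at what an existing
autorun.inf would launch before anything on the drive is changed.

Assumptions: a drive root is passed in as an ordinary path, and the
hidden/system attributes are only set on Windows (skipped elsewhere).
"""
import ctypes
import os
import sys
import tempfile

FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04

# Constructed sample of the kind of file the placeholder folder is meant to
# block. The payload name is made up for this example.
SAMPLE_AUTORUN = """[AutoRun]
icon=drive.ico
Open=payload.exe
shell\\open\\command=payload.exe
ShellExecute=payload.exe
"""


def parse_autorun(text):
    """Return the (key, value) pairs in the [autorun] section that cause code
    to run when the drive is opened: open, shellexecute and shell\\<verb>\\command.
    Cosmetic keys (icon, label, action) are ignored."""
    section = None
    launches = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            launches.append((key, value))
    return launches


def protect_root(root):
    """Apply the placeholder-folder technique to one drive root.

    Returns what happened:
      "autorun_file"      a real autorun.inf is present; leave it for inspection
      "already_protected" the placeholder folder already exists
      "created"           the folder was created (hidden+system on Windows)
    """
    target = os.path.join(root, "autorun.inf")
    if os.path.isfile(target):
        return "autorun_file"
    if os.path.isdir(target):
        return "already_protected"
    os.mkdir(target)
    if sys.platform == "win32":
        ctypes.windll.kernel32.SetFileAttributesW(target, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return "created"


def demo():
    """Exercise both helpers against temporary directories standing in for a
    clean drive root and one that already carries an autorun.inf."""
    with tempfile.TemporaryDirectory() as clean_root, tempfile.TemporaryDirectory() as infected_root:
        with open(os.path.join(infected_root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        return {
            "clean_first": protect_root(clean_root),
            "clean_second": protect_root(clean_root),
            "infected": protect_root(infected_root),
            "infected_launches": parse_autorun(SAMPLE_AUTORUN),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats worth keeping in mind. The folder only blocks creation of a same-named file at the root; malware that removes the folder first is not stopped, which is why the Shift-on-insert advice above still matters. And the whole issue is specific to Windows versions that honour autorun.inf on removable media at all; Windows 7, and XP/Vista after update KB971029, ignore it for USB drives.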


#5 Stylese

Stylese
  • Topic Starter

  • Members
  • 5 posts

Posted 06 November 2009 - 04:01 PM

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/6/2009 2:47:42 PM
mbam-log-2009-11-06 (14-47-42).txt

Scan type: Quick Scan
Objects scanned: 110029
Time elapsed: 1 hour(s), 23 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\SYSTEM32\vojedayu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ropufapaw (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\vojedayu.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\vojedayu.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Adware Professional (Rogue.AdwarePro) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\SYSTEM32\vojedayu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Adware Professional\noadware4_073109.na (Rogue.AdwarePro) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hapoyivu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wotupogo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
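
The log above is worth reading for more than its detection names, because it explains the symptom in the first post. As an added editorial example (not Malwarebytes' code), the parser below turns each MBAM detection line into a record and labels the registry hits by the mechanism they used: a HKLM Run value (starts at every logon), AppInit_DLLs (the DLL is loaded into every process that loads user32.dll, so it is always in use, which is why MBAM can only mark it "Delete on reboot"), and the three Security Center DisableNotify flags that silence the warnings about disabled AV, firewall and updates. MBAM_LOG is an abridged copy of the log in the post above; the mechanism labels are the editor's shorthand, not MBAM's.

```python
"""Added example (editor-written; not Malwarebytes' code): parse an MBAM removal
log into records and label each hit with the autostart mechanism it used.

MBAM_LOG is an abridged copy of the log posted above; the mechanism labels and
their descriptions are the editor's, not MBAM's.
"""
import re
from collections import Counter

MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2775
Scan type: Quick Scan

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\SYSTEM32\vojedayu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ropufapaw (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\vojedayu.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\vojedayu.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Adware Professional (Rogue.AdwarePro) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\SYSTEM32\vojedayu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Adware Professional\noadware4_073109.na (Rogue.AdwarePro) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hapoyivu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wotupogo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# Non-greedy target so "Bad: (1) Good: (0)" later on the line is not mistaken
# for the detection name.
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[A-Za-z][\w.\-]*)\) -> (?P<rest>.+)$")

# Lower-cased registry path fragments and the editor's label for the mechanism.
MECHANISMS = [
    ("\\currentversion\\run\\", "run_key"),       # runs at every logon
    ("\\appinit_dlls", "appinit_dlls"),           # DLL loaded into every process that loads user32.dll
    ("\\security center\\", "security_center"),  # suppresses AV/firewall/update warnings
]


def classify(section, target):
    """Map a hit to a mechanism label; non-registry hits are 'memory' or 'disk'."""
    lowered = target.lower()
    for fragment, label in MECHANISMS:
        if fragment in lowered:
            return label
    return "memory" if section.startswith("Memory") else "disk"


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it was under."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        m = ENTRY_RE.match(line) if section else None
        if not m:
            continue
        parts = [p.strip() for p in m["rest"].split("->")]
        parts[-1] = parts[-1].rstrip(".")
        data = next((p[len("Data:"):].strip() for p in parts if p.startswith("Data:")), None)
        entries.append({
            "section": section,
            "target": m["target"],
            "detection": m["detection"],
            "data": data,
            "action": parts[-1],
            # "Delete on reboot" means the object was in use at scan time, so
            # it stays live until the machine is actually restarted.
            "pending": parts[-1] == "Delete on reboot",
            "mechanism": classify(section, m["target"]),
        })
    return entries


def summarize(entries):
    """Roll the records up into what an analyst wants to see at a glance."""
    return {
        "total": len(entries),
        "pending_reboot": [e["target"] for e in entries if e["pending"]],
        "by_mechanism": dict(Counter(e["mechanism"] for e in entries)),
        "appinit_dlls": sorted({e["data"] for e in entries if e["mechanism"] == "appinit_dlls" and e["data"]}),
        "security_center_flags": sorted(e["target"].rsplit("\\", 1)[-1] for e in entries if e["mechanism"] == "security_center"),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_mbam_log(MBAM_LOG)).items():
        print(f"{key}: {value}")
```

On this log the summary shows five objects still pending a reboot, all tied to vojedayu.dll (the module in memory, the Run value, the two AppInit_DLLs data items and the file itself). That is the mechanical reason behind both the "it comes back after every scan" symptom and the instruction earlier in the thread to reboot normally when MBAM asks.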

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,080 posts
  • Gender:Female
  • Location:Romania

Posted 06 November 2009 - 04:04 PM

Hi, I suspect there will still be some vundo and other nasty stuff there :/

TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



SUPERANTISPYWARE
-----------------------------
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

regards, Elise


#7 Stylese

Stylese
  • Topic Starter

  • Members
  • 5 posts

Posted 07 November 2009 - 07:58 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/06/2009 at 10:55 PM

Application Version : 4.29.1004

Core Rules Database Version : 4240
Trace Rules Database Version: 2136

Scan type : Complete Scan
Total Scan Time : 03:39:26

Memory items scanned : 600
Memory threats detected : 1
Registry items scanned : 7441
Registry threats detected : 15
File items scanned : 24912
File threats detected : 46

Adware.Vundo/Variant-EC
C:\WINDOWS\SYSTEM32\WANISUPA.DLL
C:\WINDOWS\SYSTEM32\WANISUPA.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{6dd80ecc-5a26-4670-8eab-53046bd206e5}
HKCR\CLSID\{6DD80ECC-5A26-4670-8EAB-53046BD206E5}
HKCR\CLSID\{6dd80ecc-5a26-4670-8eab-53046bd206e5}\InprocServer32
HKCR\CLSID\{6dd80ecc-5a26-4670-8eab-53046bd206e5}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{a701040d-6fcc-421f-8813-db9324b128ae}
HKCR\CLSID\{A701040D-6FCC-421F-8813-DB9324B128AE}
HKCR\CLSID\{a701040d-6fcc-421f-8813-db9324b128ae}\InprocServer32
HKCR\CLSID\{a701040d-6fcc-421f-8813-db9324b128ae}\InprocServer32#ThreadingModel
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#sidogabus
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#doketabaz

Adware.Vundo/Variant-SR
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{ece30837-f450-4d26-91b5-883247ab6764}
HKCR\CLSID\{ECE30837-F450-4D26-91B5-883247AB6764}
HKCR\CLSID\{ece30837-f450-4d26-91b5-883247ab6764}\InprocServer32
HKCR\CLSID\{ece30837-f450-4d26-91b5-883247ab6764}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VOJEDAYU.DLL
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#nanifunuj

Adware.Tracking Cookie
C:\Documents and Settings\Rogi\Cookies\rogi@invitemedia[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@insightexpressai[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@mediatraffic[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@ads.bridgetrack[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@tacoda[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@adrevolver[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@bluestreak[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@ads.pointroll[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@mediaplex[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@bs.serving-sys[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@doubleclick[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@ad.yieldmanager[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@semdirector.112.2o7[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@atwola[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@advertising[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@serving-sys[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@ar.atwola[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@statse.webtrendslive[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@tribalfusion[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@adinterax[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@trafficmp[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@insightexpressai[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@realmedia[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@ad.yieldmanager[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@atdmt[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@atwola[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@content.yieldmanager[3].txt
C:\Documents and Settings\Rogi\Cookies\rogi@cdn.at.atwola[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@a1.interclick[3].txt
C:\Documents and Settings\Rogi\Cookies\rogi@mediaplex[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@linksynergy[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@revsci[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@bluestreak[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@specificmedia[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@burstnet[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@myroitracking[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@at.atwola[2].txt
C:\Documents and Settings\Rogi\Cookies\rogi@a1.interclick[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@interclick[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@petfinder[1].txt
C:\Documents and Settings\Rogi\Cookies\rogi@richmedia.yahoo[2].txt

Adware.Vundo/Variant-[Fixed]
C:\WINDOWS\SYSTEM32\BUSONEKE.DLL
C:\WINDOWS\SYSTEM32\HUJEZIVA.DLL
C:\WINDOWS\SYSTEM32\PUSUPURO.DLL

The computer is moving much, much faster...I think the nightmare is mostly over, although I did try to open Internet Explorer and I got hit with 2 Google popups right away (my homepage is Yahoo) so I did not want to push my luck by cruising the internet on the crap laptop...But the computer is moving light years faster than it was yesterday, I can click and open programs and the computer is responsive!
Hopefully this log will shed some light on what's going on here....Thanks again!

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,080 posts
  • Gender:Female
  • Location:Romania

Posted 07 November 2009 - 08:09 AM

Yes, it does. You still had some Vundo floating around there!

Time for a rootkit scan!

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


#9 Stylese

Stylese
  • Topic Starter

  • Members
  • 5 posts

Posted 07 November 2009 - 06:41 PM

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-07 18:35:39
Windows 5.1.2600 Service Pack 3
Running: 29ctmg6m.exe; Driver: C:\DOCUME~1\Rogi\LOCALS~1\Temp\pxtdapog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF758F87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF758FBFE]
SSDT \??\C:\Documents and Settings\Rogi\Desktop\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEDE690B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEDDAB78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEDDAB738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEDDAB74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEDDAB837]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEDDAB863]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEDDAB8D1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEDDAB8BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEDDAB7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEDDAB8FD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEDDAB80D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEDDAB710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEDDAB724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEDDAB79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEDDAB939]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEDDAB8A5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEDDAB88F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEDDAB84D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEDDAB925]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEDDAB911]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEDDAB776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEDDAB762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEDDAB7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEDDAB8E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEDDAB7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEDDAB7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 451 804E2AAD 3 Bytes [90, E6, ED] {NOP ; OUT 0xed, AL}
.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EDDAB7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568EE9 5 Bytes JMP EDDAB811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A382 7 Bytes JMP EDDAB893 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F600 5 Bytes JMP EDDAB78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80570441 5 Bytes JMP EDDAB766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 805732AD 7 Bytes JMP EDDAB93D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 805735A4 7 Bytes JMP EDDAB8D5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805741D0 5 Bytes JMP EDDAB714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057457F 7 Bytes JMP EDDAB7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80578606 5 Bytes JMP EDDAB7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80578A81 7 Bytes JMP EDDAB7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP EDDAB750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805836B0 5 Bytes JMP EDDAB7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058B58D 5 Bytes JMP EDDAB728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058BA5D 5 Bytes JMP EDDAB901 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590669 7 Bytes JMP EDDAB8BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D50 7 Bytes JMP EDDAB867 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952BE 7 Bytes JMP EDDAB83B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EDDAB73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD47 5 Bytes JMP EDDAB77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DA6E 7 Bytes JMP EDDAB8EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E394 7 Bytes JMP EDDAB8A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E812 7 Bytes JMP EDDAB851 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064ED05 5 Bytes JMP EDDAB915 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F16E 5 Bytes JMP EDDAB929 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AC00A2
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AB0025
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AB0F83
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AB0FD4
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AB0FE5
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AB0036
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AB0000
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AB0F9E
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CB, 88]
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AB0FAF
.text C:\WINDOWS\system32\svchost.exe[1860] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AA0FB5
.text C:\WINDOWS\system32\svchost.exe[1860] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AA0FC6
.text C:\WINDOWS\system32\svchost.exe[1860] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AA0022
.text C:\WINDOWS\system32\svchost.exe[1860] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AA0000
.text C:\WINDOWS\system32\svchost.exe[1860] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AA0FD7
.text C:\WINDOWS\system32\svchost.exe[1860] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AA0011
.text C:\WINDOWS\system32\svchost.exe[1860] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A9000A
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01B10000
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01B10F4B
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01B10040
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01B10F66
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01B10F83
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01B10FAF
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01B10065
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01B10F1D
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01B10EF1
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01B10F02
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01B1009B
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01B10F94
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01B1001B
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01B10F3A
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01B10FC0
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01B10FDB
.text C:\WINDOWS\Explorer.exe[1868] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01B10080
.text C:\WINDOWS\Explorer.exe[1868] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01A0002C
.text C:\WINDOWS\Explorer.exe[1868] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01A00076
.text C:\WINDOWS\Explorer.exe[1868] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01A0001B
.text C:\WINDOWS\Explorer.exe[1868] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01A0000A
.text C:\WINDOWS\Explorer.exe[1868] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01A00065
.text C:\WINDOWS\Explorer.exe[1868] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01A00FEF
.text C:\WINDOWS\Explorer.exe[1868] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01A00FB9
.text C:\WINDOWS\Explorer.exe[1868] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C0, 89]
.text C:\WINDOWS\Explorer.exe[1868] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01A00FCA
.text C:\WINDOWS\Explorer.exe[1868] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 019F0051
.text C:\WINDOWS\Explorer.exe[1868] msvcrt.dll!system 77C293C7 5 Bytes JMP 019F0FC6
.text C:\WINDOWS\Explorer.exe[1868] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 019F0FD7
.text C:\WINDOWS\Explorer.exe[1868] msvcrt.dll!_open 77C2F566 5 Bytes JMP 019F0000
.text C:\WINDOWS\Explorer.exe[1868] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 019F002C
.text C:\WINDOWS\Explorer.exe[1868] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 019F0011
.text C:\WINDOWS\Explorer.exe[1868] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 019D000A
.text C:\WINDOWS\Explorer.exe[1868] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 019D001B
.text C:\WINDOWS\Explorer.exe[1868] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 019D0036
.text C:\WINDOWS\Explorer.exe[1868] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 019D0047
.text C:\WINDOWS\Explorer.exe[1868] WS2_32.dll!socket 71AB4211 5 Bytes JMP 019E0FEF
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A006E
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0053
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0036
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F79
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00AB
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A009A
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00D7
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F3E
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00E8
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0025
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A007F
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A000A
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\system32\svchost.exe[2780] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00BC
.text C:\WINDOWS\system32\svchost.exe[2780] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0029001B
.text C:\WINDOWS\system32\svchost.exe[2780] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F8D
.text C:\WINDOWS\system32\svchost.exe[2780] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FCA
.text C:\WINDOWS\system32\svchost.exe[2780] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FE5
.text C:\WINDOWS\system32\svchost.exe[2780] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290F9E
.text C:\WINDOWS\system32\svchost.exe[2780] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\system32\svchost.exe[2780] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290FB9
.text C:\WINDOWS\system32\svchost.exe[2780] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\system32\svchost.exe[2780] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290040
.text C:\WINDOWS\system32\svchost.exe[2780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0F81
.text C:\WINDOWS\system32\svchost.exe[2780] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0F9C
.text C:\WINDOWS\system32\svchost.exe[2780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FB7
.text C:\WINDOWS\system32\svchost.exe[2780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0FEF
.text C:\WINDOWS\system32\svchost.exe[2780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E000C
.text C:\WINDOWS\system32\svchost.exe[2780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FD2
.text C:\WINDOWS\system32\svchost.exe[2780] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00390000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

Things seem to be moving an awful lot faster...so far so good...I haven't activated the internet or anything like that yet, I'm not sure if that scan was positive or negative haha
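GMER's user-mode hook lines (the `.text <process>[pid] <module>!<export> <addr> 5 Bytes JMP <target>` entries posted in this thread) are what a helper reads before calling a log clean: when every process carries the same hook set, the hooks are the footprint of a host-wide security product rather than of something injected into one process. As an added example that is not the thread's or GMER's own code, this Python script parses that format and flags any (process, module) pair whose hooked exports differ from the majority; the sample log is constructed, with one extra hook planted in Explorer so the check has something to find.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in GMER 1.0.15's user-mode hook format. Process names mirror
# the thread's log; PIDs, addresses and the extra hook in Explorer are made up.
SAMPLE_LOG = """\
.text C:\\WINDOWS\\system32\\services.exe[600] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00730F17
.text C:\\WINDOWS\\system32\\services.exe[600] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00730FDE
.text C:\\WINDOWS\\system32\\services.exe[600] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00720FB9
.text C:\\WINDOWS\\system32\\svchost.exe[1000] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00970F17
.text C:\\WINDOWS\\system32\\svchost.exe[1000] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00970FDE
.text C:\\WINDOWS\\system32\\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00960FB9
.text C:\\WINDOWS\\system32\\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A6, 88]
.text C:\\WINDOWS\\Explorer.exe[1200] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01C10F02
.text C:\\WINDOWS\\Explorer.exe[1200] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01C1001B
.text C:\\WINDOWS\\Explorer.exe[1200] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E40000
.text C:\\WINDOWS\\Explorer.exe[1200] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01B00FB9
.text C:\\WINDOWS\\Explorer.exe[1200] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01AD000A
"""

# '.text <proc>[pid] <module>!<export>[ + off] <addr> <n> Bytes JMP <target>[ <path>]'
# or, for a hook split over two lines, '... <n> Bytes [xx, yy]' with raw patch bytes.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<func>\w+)"
    r"(?:\s*\+\s*\d+)?\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<target_mod>\S.*))?|\[[^\]]*\])$"
)

def parse_hooks(text):
    """One dict per JMP hook line; raw-byte continuation lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m or m.group("target") is None:
            continue
        hooks.append({
            "process": f"{m.group('proc')}[{m.group('pid')}]",
            "module": m.group("module"),
            "func": m.group("func"),
            "target": int(m.group("target"), 16),
            # GMER names a module when the target lies inside one; bare = private memory
            "target_module": m.group("target_mod"),
        })
    return hooks

def outliers(hooks):
    """(process, module) pairs whose hooked exports differ from the majority for that
    module; a host-wide product hooks each DLL identically, so these get looked at first."""
    per = defaultdict(set)
    for h in hooks:
        per[(h["process"], h["module"])].add(h["func"])
    by_module = defaultdict(list)
    for (_, module), funcs in per.items():
        by_module[module].append(frozenset(funcs))
    majority = {m: Counter(s).most_common(1)[0][0] for m, s in by_module.items()}
    return sorted(k for k, f in per.items() if frozenset(f) != majority[k[1]])

if __name__ == "__main__":
    print(outliers(parse_hooks(SAMPLE_LOG)))
```

Comparing per module rather than per process keeps a DLL that is simply not loaded in some processes (WININET in svchost, say) from being reported as a difference.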

#10 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,080 posts
  • Gender:Female
  • Location:Romania
  • Local time:04:55 PM

Posted 08 November 2009 - 02:31 AM

Good job! GMER log is clean. Let's double-check things now with ESET.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Malware analyst @ Emsisoft


#11 Stylese

  • Topic Starter

  • Members
  • 5 posts
  • Local time:08:55 AM

Posted 09 November 2009 - 07:24 AM

I downloaded and scanned with ESET, but when the scan finished, there was no option for me to save a log of the scan so I just clicked finish. However, the scan came back clean with no infected files and no cleaned files...I have almost full operation of the laptop back to normal, except it's still a little jumpy...if that is because of damage from the virus, I could live with that because the laptop is functional again...I was thinking a Defrag might help put things in order after all the cleaning we've done?

#12 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,080 posts
  • Gender:Female
  • Location:Romania
  • Local time:04:55 PM

Posted 09 November 2009 - 08:20 AM

Hi Stylese, looks good :thumbsup: Please read the information below!

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :inlove:

Hiding Hidden Files
Please set your system to hide all hidden files.
  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
  • Check: Hide file extensions for known file types
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Please read this advice in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident scanner and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :trumpet:.
Some more links you might find of interest:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Malware analyst @ Emsisoft