infected with ave.exe ... please help. tnx.


15 replies to this topic

#1 krdavy

krdavy

  • Members
  • 15 posts

Posted 12 April 2010 - 12:14 AM

I left my laptop (Dell Inspiron E1505, 1.6 GHz) on Friday night. I got an alert from McAfee Security wanting to know if I wanted to give sakxcn.exe access to the internet. I clicked no. The next day I got the same alert about ave.exe and clicked no. Since then, the ave.exe seems to be inside the machine popping up. I've run Spybot Search and Destroy several times. I backed up mydocs files. What should I do next?

Edited by krdavy, 12 April 2010 - 12:44 AM.




#2 techextreme

techextreme

    Bleepin Tech


  • BC Advisor
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA

Posted 13 April 2010 - 08:05 AM

Scan for Spyware/Adware

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware Free version and save it to your desktop.

NOTE: Before saving MBAM, please rename it to zztoy.exe, then save it to your desktop.


alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
---------------------------
Be sure to re-enable your AV and malware scan tools if they were disabled

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link

* Save any unsaved work. TFC will close ALL open programs including your browser!
* Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
* Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
* TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
* Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.


Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
  • (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
  • (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Please post the logs from Malwarebytes and Dr. Web when complete.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#3 krdavy

krdavy
  • Topic Starter

  • Members
  • 15 posts

Posted 13 April 2010 - 08:19 AM

Thank you for the reply. Unfortunately, I will be traveling sans laptop for the rest of the week, so I won't be able to go through this procedure until next week. K

#4 techextreme

techextreme

    Bleepin Tech


  • BC Advisor
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA

Posted 13 April 2010 - 08:46 AM

OK. I will watch for any information posted to this topic.

Techextreme



#5 krdavy

krdavy
  • Topic Starter

  • Members
  • 15 posts

Posted 20 April 2010 - 09:02 AM

I have been able to run the first two operations (the MBAM log is below). However, when I run the CureIt program, it stalls after examining about 3800 files. The reporting window does indicate the presence of BackDoor.Tdss.565 in a Firefox directory.
I am unable to continue to removal and am forced to exit the program and relaunch.

MBAM log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4010

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/19/2010 8:01:52 PM
mbam-log-2010-04-19 (20-01-52).txt

Scan type: Quick scan
Objects scanned: 143638
Time elapsed: 33 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
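The MBAM log above shows the pattern this infection used: the .exe file-type handler and the StartMenuInternet browser launchers were redirected to ave.exe, and the Security Center notifications were switched off. As an added example (not code from this thread, from Malwarebytes or from any tool named here), the following PowerShell script audits those same registry locations and reports anything that still deviates from the Windows defaults. It assumes an elevated prompt, reads only, and changes nothing; the expected handler values are the "Good:" values MBAM restored.

```powershell
# Added example: read-only audit of the registry locations the MBAM log reported as hijacked.
# Run from an elevated PowerShell prompt. Nothing is modified.

function Get-DefaultValue {
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    # Get-ItemProperty exposes the (default) value under the property name '(default)'
    return (Get-ItemProperty -LiteralPath $Key).'(default)'
}

function Get-CommandExecutable {
    param([string]$Command)
    # First token of a shell command: a quoted path, or everything up to the first space
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command -split '\s+', 2)[0] }
    return ($exe -split '[\\/]')[-1]   # leaf file name only
}

$findings = @()

# 1. File-type handlers. Expected values are the Windows defaults (as in the "Good:" column
#    of the MBAM log). A missing key is reported too, since it is also not the default state.
$handlers = @(
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Expected = '"%1" %*' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\scrfile\shell\open\command'; Expected = '"%1" /S' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\regfile\shell\open\command'; Expected = 'regedit.exe "%1"' }
)
foreach ($h in $handlers) {
    $v = Get-DefaultValue $h.Key
    if ($v -ne $h.Expected) {
        $findings += "Handler changed: $($h.Key) = [$v] (expected [$($h.Expected)])"
    }
}
# The Hijack.ExeFile entry lived under HKCR\.exe\shell, a subkey a clean system does not have.
if (Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.exe\shell') {
    $findings += 'Hijack.ExeFile pattern: HKCR\.exe has a shell subkey (normally absent)'
}

# 2. StartMenuInternet launchers. In the log each browser command was rewritten to
#    "<profile>\ave.exe /START <real browser>". Flag any command whose executable is not the
#    browser the key is named after, or that carries a /START wrapper. Key names are not always
#    the exe name (e.g. "Google Chrome"), so treat a name mismatch as a lead to review, not proof.
$smi = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet'
if (Test-Path -LiteralPath $smi) {
    foreach ($browser in Get-ChildItem -LiteralPath $smi) {
        foreach ($sub in 'shell\open\command', 'shell\safemode\command') {
            $cmd = Get-DefaultValue (Join-Path $browser.PSPath $sub)
            if (-not $cmd) { continue }
            $exe = Get-CommandExecutable $cmd
            if ($exe -ne $browser.PSChildName -or $cmd -match '/START') {
                $findings += "StartMenuInternet: $($browser.PSChildName)\$sub launches [$exe]: $cmd"
            }
        }
    }
}

# 3. Security Center notification switches. The log showed all three set to 1 (disabled).
$sc = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    $p = Get-ItemProperty -LiteralPath $sc -Name $name -ErrorAction SilentlyContinue
    if ($p -and $p.$name -ne 0) {
        $findings += "Security Center: $name = $($p.$name) (expected 0)"
    }
}

if ($findings.Count -eq 0) { 'No hijack indicators found in the audited keys.' }
else { $findings }
```

A clean result here only covers the keys the MBAM log named; it does not speak to the atapi.sys modification GMER reports later in the thread.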

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania

Posted 20 April 2010 - 09:22 AM

Hello krdavy,

Since techextreme is unavailable, I am taking over this topic. I hope you don't mind :thumbsup:

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Make sure ONLY the Sections option is checked. Leave all other options unchecked.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#7 krdavy

krdavy
  • Topic Starter

  • Members
  • 15 posts

Posted 20 April 2010 - 10:05 AM

BTW, thank you.

Here's the gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-20 07:49:17
Windows 5.1.2600 Service Pack 3
Running: kpn06322.exe; Driver: C:\DOCUME~1\KENTDA~1\LOCALS~1\Temp\pwtdapow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAEFBA78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAEFBA821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAEFBA738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAEFBA74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAEFBA835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAEFBA861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAEFBA8CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAEFBA8B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAEFBA7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAEFBA8FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAEFBA80D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAEFBA710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAEFBA724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAEFBA79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAEFBA937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAEFBA8A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAEFBA88D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAEFBA84B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAEFBA923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAEFBA90F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAEFBA776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAEFBA762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAEFBA877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAEFBA7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAEFBA8E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAEFBA7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAEFBA7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A6BEAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania

Posted 20 April 2010 - 10:15 AM

Hi again,

Make sure ONLY the Sections option is checked. Leave all other options unchecked.

Sorry, but I really need to see the Sections log. Can you please rerun the scan as explained in the quote?

regards, Elise




#9 krdavy

krdavy
  • Topic Starter

  • Members
  • 15 posts

Posted 20 April 2010 - 10:16 AM

Sure. It ran automatically.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania

Posted 20 April 2010 - 10:18 AM

Yes, what you posted is the quick scan :thumbsup:

regards, Elise




#11 krdavy

krdavy
  • Topic Starter

  • Members
  • 15 posts

Posted 20 April 2010 - 10:19 AM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-20 08:18:56
Windows 5.1.2600 Service Pack 3
Running: kpn06322.exe; Driver: C:\DOCUME~1\KENTDA~1\LOCALS~1\Temp\pwtdapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP B09167B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B091678E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP B09167CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP B09167E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP B09167A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP B0916714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP B0916728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP B0916766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP B0916750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 2 Bytes JMP B091673C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess + 3 805D11FD 2 Bytes [34, 30] {XOR AL, 0x30}
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP B091677A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP B09167FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EE 7 Bytes JMP B0916891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3C 7 Bytes JMP B091687B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622066 7 Bytes JMP B09168E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622904 7 Bytes JMP B09168A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D8 7 Bytes JMP B091684F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B6 5 Bytes JMP B0916825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C46 7 Bytes JMP B0916839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E16 7 Bytes JMP B0916865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF6 7 Bytes JMP B09168D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80624260 7 Bytes JMP B09168BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B88 5 Bytes JMP B0916811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EAE 7 Bytes JMP B091693B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062516E 5 Bytes JMP B0916913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 80625862 5 Bytes JMP B0916927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8062597C 5 Bytes JMP B09168FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\DRIVERS\i8042prt.sys entry point in ".rsrc" section [0xBA252194]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90F5F
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90054
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90F70
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90F8D
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90014
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90F1D
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90F3A
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C9009B
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C90080
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C90EE7
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C9002F
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C90FDE
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90065
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90FA8
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C90FB9
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C90F02
.text C:\WINDOWS\system32\svchost.exe[196] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006E0FCA
.text C:\WINDOWS\system32\svchost.exe[196] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006E0F94
.text C:\WINDOWS\system32\svchost.exe[196] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006E0025
.text C:\WINDOWS\system32\svchost.exe[196] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006E000A
.text C:\WINDOWS\system32\svchost.exe[196] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006E005B
.text C:\WINDOWS\system32\svchost.exe[196] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\system32\svchost.exe[196] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006E0FAF
.text C:\WINDOWS\system32\svchost.exe[196] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8E, 88]
.text C:\WINDOWS\system32\svchost.exe[196] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006E0036
.text C:\WINDOWS\system32\svchost.exe[196] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006D0FA3
.text C:\WINDOWS\system32\svchost.exe[196] msvcrt.dll!system 77C293C7 5 Bytes JMP 006D002E
.text C:\WINDOWS\system32\svchost.exe[196] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006D000C
.text C:\WINDOWS\system32\svchost.exe[196] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\system32\svchost.exe[196] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006D001D
.text C:\WINDOWS\system32\svchost.exe[196] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006D0FD2
.text C:\WINDOWS\system32\svchost.exe[196] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\svchost.exe[196] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\svchost.exe[196] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B0025
.text C:\WINDOWS\system32\svchost.exe[196] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\svchost.exe[196] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0000
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D30078
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D3005D
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D30F83
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D30F94
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D3001B
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D30F57
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D3009F
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D300D5
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D30F3C
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D300E6
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D30036
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D30FDE
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D30F68
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D30FAF
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D3000A
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D300BA
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D20FD4
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D2006C
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D2001B
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D2000A
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D2005B
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D20FAF
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F2, 88]
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D20040
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D1006E
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D10FE3
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D10038
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D10049
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D1001D
.text C:\WINDOWS\system32\svchost.exe[712] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006D0000
.text C:\WINDOWS\system32\svchost.exe[712] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006D0025
.text C:\WINDOWS\system32\svchost.exe[712] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006D0040
.text C:\WINDOWS\system32\svchost.exe[712] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\system32\svchost.exe[712] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[840] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[840] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[1164] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1164] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1164] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01950FE5
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01950F64
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01950F7F
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01950F90
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01950FA1
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01950FC3
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01950F38
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0195007E
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 019500BD
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 019500AC
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 019500D8
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01950FB2
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0195000A
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01950F53
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01950FD4
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01950025
.text C:\WINDOWS\Explorer.EXE[1164] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0195009B
.text C:\WINDOWS\Explorer.EXE[1164] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0194001B
.text C:\WINDOWS\Explorer.EXE[1164] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01940F94
.text C:\WINDOWS\Explorer.EXE[1164] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01940FCA
.text C:\WINDOWS\Explorer.EXE[1164] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0194000A
.text C:\WINDOWS\Explorer.EXE[1164] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01940FA5
.text C:\WINDOWS\Explorer.EXE[1164] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01940FEF
.text C:\WINDOWS\Explorer.EXE[1164] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01940047
.text C:\WINDOWS\Explorer.EXE[1164] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01940036
.text C:\WINDOWS\Explorer.EXE[1164] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01930042
.text C:\WINDOWS\Explorer.EXE[1164] msvcrt.dll!system 77C293C7 5 Bytes JMP 01930FC1
.text C:\WINDOWS\Explorer.EXE[1164] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01930FD2
.text C:\WINDOWS\Explorer.EXE[1164] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01930FEF
.text C:\WINDOWS\Explorer.EXE[1164] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01930027
.text C:\WINDOWS\Explorer.EXE[1164] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0193000C
.text C:\WINDOWS\Explorer.EXE[1164] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01910FEF
.text C:\WINDOWS\Explorer.EXE[1164] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01910FD4
.text C:\WINDOWS\Explorer.EXE[1164] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01910014
.text C:\WINDOWS\Explorer.EXE[1164] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01910025
.text C:\WINDOWS\Explorer.EXE[1164] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01920FE5
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0080
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0F81
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0F9E
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF005B
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0F55
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF0F66
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF00E7
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF00CC
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF0F33
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0FB9
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0091
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0036
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\services.exe[1352] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0F44
.text C:\WINDOWS\system32\services.exe[1352] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070014
.text C:\WINDOWS\system32\services.exe[1352] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[1352] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[1352] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[1352] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[1352] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[1352] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[1352] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[1352] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FC1
.text C:\WINDOWS\system32\services.exe[1352] msvcrt.dll!system 77C293C7 5 Bytes JMP 0006004C
.text C:\WINDOWS\system32\services.exe[1352] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FD2
.text C:\WINDOWS\system32\services.exe[1352] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[1352] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060027
.text C:\WINDOWS\system32\services.exe[1352] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0006000C
.text C:\WINDOWS\system32\services.exe[1352] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[1352] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1352] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\services.exe[1352] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0004001B
.text C:\WINDOWS\system32\services.exe[1352] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0116000A
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01160FB6
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011600AB
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0116009A
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01160073
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01160047
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01160F8A
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01160F9B
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01160123
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01160112
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01160F79
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01160062
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01160FE5
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 011600C6
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01160036
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01160025
.text C:\WINDOWS\system32\lsass.exe[1364] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011600ED
.text C:\WINDOWS\system32\lsass.exe[1364] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01150036
.text C:\WINDOWS\system32\lsass.exe[1364] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01150FC0
.text C:\WINDOWS\system32\lsass.exe[1364] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01150FDB
.text C:\WINDOWS\system32\lsass.exe[1364] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01150011
.text C:\WINDOWS\system32\lsass.exe[1364] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01150073
.text C:\WINDOWS\system32\lsass.exe[1364] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01150000
.text C:\WINDOWS\system32\lsass.exe[1364] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01150062
.text C:\WINDOWS\system32\lsass.exe[1364] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01150051
.text C:\WINDOWS\system32\lsass.exe[1364] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01140040
.text C:\WINDOWS\system32\lsass.exe[1364] msvcrt.dll!system 77C293C7 5 Bytes JMP 01140025
.text C:\WINDOWS\system32\lsass.exe[1364] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01140000
.text C:\WINDOWS\system32\lsass.exe[1364] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01140FE3
.text C:\WINDOWS\system32\lsass.exe[1364] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01140FB5
.text C:\WINDOWS\system32\lsass.exe[1364] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01140FD2
.text C:\WINDOWS\system32\lsass.exe[1364] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01130FEF
.text C:\WINDOWS\system32\lsass.exe[1364] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01120FEF
.text C:\WINDOWS\system32\lsass.exe[1364] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01120FD4
.text C:\WINDOWS\system32\lsass.exe[1364] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01120FC3
.text C:\WINDOWS\system32\lsass.exe[1364] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01120FA8
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02630FE5
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02630F74
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02630069
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02630F91
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0263004E
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0263002C
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02630F35
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02630F52
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02630EFF
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02630098
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02630EEE
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0263003D
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02630FD4
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02630F63
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0263001B
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02630000
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02630F1A
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E90FCA
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E90051
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E90FE5
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E9001B
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E90F94
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E90FAF
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [09, 89]
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E90036
.text C:\WINDOWS\system32\svchost.exe[1588] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E80036
.text C:\WINDOWS\system32\svchost.exe[1588] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E80025
.text C:\WINDOWS\system32\svchost.exe[1588] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E80FC6
.text C:\WINDOWS\system32\svchost.exe[1588] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E80FE3
.text C:\WINDOWS\system32\svchost.exe[1588] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E80FB5
.text C:\WINDOWS\system32\svchost.exe[1588] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\svchost.exe[1588] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\svchost.exe[1588] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E60FDE
.text C:\WINDOWS\system32\svchost.exe[1588] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E60FB9
.text C:\WINDOWS\system32\svchost.exe[1588] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E60FA8
.text C:\WINDOWS\system32\svchost.exe[1588] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01070FE5
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01070025
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01070F3A
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01070F57
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01070F68
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01070F94
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01070067
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0107004C
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010700AE
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01070093
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01070EF0
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01070F83
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01070000
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01070F15
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01070FAF
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01070FD4
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01070078
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01060FAF
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01060F6F
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01060FC0
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01060FE5
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0106002C
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01060000
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01060F94
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 89]
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01060011
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01050033
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!system 77C293C7 5 Bytes JMP 01050022
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01050FBC
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01050FEF
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01050011
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01050000
.text C:\WINDOWS\system32\svchost.exe[1696] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1696] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FE0011
.text C:\WINDOWS\system32\svchost.exe[1696] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FE0022
.text C:\WINDOWS\system32\svchost.exe[1696] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FE0033
.text C:\WINDOWS\system32\svchost.exe[1696] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[1760] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D000A
.text C:\WINDOWS\system32\svchost.exe[1760] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006E000A
.text C:\WINDOWS\system32\svchost.exe[1760] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006C000C
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 022D0FEF
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 022D007A
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 022D0F8F
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 022D0069
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 022D0FB6
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 022D0047
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 022D00B7
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 022D009C
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 022D00E3
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 022D00D2
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 022D00F4
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 022D0058
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 022D0014
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 022D008B
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 022D0036
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 022D0025
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 022D0F54
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 022C003D
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 022C0FA2
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 022C002C
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 022C001B
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 022C0FBD
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 022C0000
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 022C005F
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 022C004E
.text C:\WINDOWS\system32\svchost.exe[1760] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0067000A
.text C:\WINDOWS\system32\svchost.exe[1760] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0196000A
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 022B0066
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!system 77C293C7 5 Bytes JMP 022B0055
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 022B0044
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_open 77C2F566 5 Bytes JMP 022B0000
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 022B0FE5
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 022B0029
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0180000A
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01800FEF
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01800FD4
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01800FC3
.text C:\WINDOWS\system32\svchost.exe[1760] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01CF0FEF
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00930F26
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00930F37
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00930F68
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00930EE4
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00930EF5
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00930EAE
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00930EBF
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00930E89
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00930F83
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00930FD4
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0093002C
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00930F9E
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00930FB9
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0093003D
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00920040
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00920FB9
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00920025
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00920014
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00920FD4
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0092006C
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0092005B
.text C:\WINDOWS\system32\svchost.exe[1852] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00910FB2
.text C:\WINDOWS\system32\svchost.exe[1852] msvcrt.dll!system 77C293C7 5 Bytes JMP 00910033
.text C:\WINDOWS\system32\svchost.exe[1852] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00910FD4
.text C:\WINDOWS\system32\svchost.exe[1852] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[1852] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00910FC3
.text C:\WINDOWS\system32\svchost.exe[1852] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\svchost.exe[1852] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1852] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[1852] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0090001B
.text C:\WINDOWS\system32\svchost.exe[1852] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0090002C
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A90FEF
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A90F7C
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A90F8D
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A90067
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A9004A
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A90FA8
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A900C4
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A900A7
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A90F46
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A900D5
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A90F35
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A9002F
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A90FDE
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A90096
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A90FC3
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A90014
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A90F57
.text C:\WINDOWS\system32\svchost.exe[2016] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A8002C
.text C:\WINDOWS\system32\svchost.exe[2016] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A80069
.text C:\WINDOWS\system32\svchost.exe[2016] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A80FDB
.text C:\WINDOWS\system32\svchost.exe[2016] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A8001B
.text C:\WINDOWS\system32\svchost.exe[2016] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A80058
.text C:\WINDOWS\system32\svchost.exe[2016] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[2016] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A80FB6
.text C:\WINDOWS\system32\svchost.exe[2016] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C8, 88]
.text C:\WINDOWS\system32\svchost.exe[2016] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A8003D
.text C:\WINDOWS\system32\svchost.exe[2016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006E0F92
.text C:\WINDOWS\system32\svchost.exe[2016] msvcrt.dll!system 77C293C7 5 Bytes JMP 006E001D
.text C:\WINDOWS\system32\svchost.exe[2016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006E0FD2
.text C:\WINDOWS\system32\svchost.exe[2016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\svchost.exe[2016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006E0FAD
.text C:\WINDOWS\system32\svchost.exe[2016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006E0FE3
.text C:\WINDOWS\system32\svchost.exe[2016] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006C0000
.text C:\WINDOWS\system32\svchost.exe[2016] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006C0FDB
.text C:\WINDOWS\system32\svchost.exe[2016] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006C0FCA
.text C:\WINDOWS\system32\svchost.exe[2016] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006C0011
.text C:\WINDOWS\system32\svchost.exe[2016] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006D0000
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E60F4B
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E60F5C
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E60036
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E60F79
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E60FAF
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E60F1D
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E60065
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E60ECC
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E60EDD
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E60080
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E60F94
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E6001B
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E60F3A
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E60FC0
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E60FE5
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E60F02
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E50FD4
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E50F94
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E5001B
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E50FE5
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E50051
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E50FAF
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [05, 89]
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E50036
.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006E0FB7
.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!system 77C293C7 5 Bytes JMP 006E0042
.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006E0FC8
.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006E0027
.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006E000C
.text C:\WINDOWS\system32\svchost.exe[2640] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\system32\svchost.exe[2640] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006C0FDE
.text C:\WINDOWS\system32\svchost.exe[2640] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006C0014
.text C:\WINDOWS\system32\svchost.exe[2640] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006C0FC3
.text C:\WINDOWS\system32\svchost.exe[2640] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D90F97
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D90FA8
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D90FC3
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D90080
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D9004A
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D900CE
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D90F7C
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D900F0
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D900DF
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D90F46
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D90065
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D90025
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D900A7
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D90FDE
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[2692] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D90F6B
.text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006E0FC0
.text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006E004E
.text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006E0011
.text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006E0FE5
.text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006E0F91
.text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006E003D
.text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006E002C
.text C:\WINDOWS\system32\svchost.exe[2692] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006D0033
.text C:\WINDOWS\system32\svchost.exe[2692] msvcrt.dll!system 77C293C7 5 Bytes JMP 006D0FB2
.text C:\WINDOWS\system32\svchost.exe[2692] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006D0011
.text C:\WINDOWS\system32\svchost.exe[2692] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006D0FE3
.text C:\WINDOWS\system32\svchost.exe[2692] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006D0022
.text C:\WINDOWS\system32\svchost.exe[2692] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006D0000
.text C:\WINDOWS\system32\svchost.exe[2692] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006C0000
.text C:\WINDOWS\system32\svchost.exe[2692] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\system32\svchost.exe[2692] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006C0011
.text C:\WINDOWS\system32\svchost.exe[2692] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006C002C
.text C:\WINDOWS\system32\SearchIndexer.exe[2972] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3692] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 013D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3692] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013E000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3692] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 013C000C
.text C:\WINDOWS\system32\wuauclt.exe[3748] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0029000A
.text C:\WINDOWS\system32\wuauclt.exe[3748] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 002A000A
.text C:\WINDOWS\system32\wuauclt.exe[3748] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0028000C
.text C:\WINDOWS\system32\wuauclt.exe[3748] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003D0055
.text C:\WINDOWS\system32\wuauclt.exe[3748] msvcrt.dll!system 77C293C7 5 Bytes JMP 003D0FCA
.text C:\WINDOWS\system32\wuauclt.exe[3748] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003D0029
.text C:\WINDOWS\system32\wuauclt.exe[3748] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003D0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3748] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003D003A
.text C:\WINDOWS\system32\wuauclt.exe[3748] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003D000C
.text C:\WINDOWS\system32\wuauclt.exe[3748] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 003E0FD1
.text C:\WINDOWS\system32\wuauclt.exe[3748] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 003E0076
.text C:\WINDOWS\system32\wuauclt.exe[3748] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 003E002C
.text C:\WINDOWS\system32\wuauclt.exe[3748] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 003E0011
.text C:\WINDOWS\system32\wuauclt.exe[3748] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 003E0FAF
.text C:\WINDOWS\system32\wuauclt.exe[3748] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 003E0000
.text C:\WINDOWS\system32\wuauclt.exe[3748] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 003E0047
.text C:\WINDOWS\system32\wuauclt.exe[3748] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 003E0FC0

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\i8042prt.sys suspicious modification

---- EOF - GMER 1.0.15 ----
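A log like the one above is easier to read once the `.text` hook records are grouped by process and by where each JMP lands. The following is an added Python example (my own triage helper, not GMER's code and not something posted in this thread). It parses the hook records, counts hooks per process, collects the 64 KiB pages the JMP targets fall in, and flags targets that GMER did not attribute to a loaded module. The attribution rule is an assumption drawn from the log itself: GMER appends "<path> (<description>)" when it can resolve the target to a module, as on the SearchIndexer.exe line, so a bare target is treated here as pointing into memory that no module backs. The sample lines are constructed, adapted from records in the log above.

```python
"""Triage helper for GMER user-mode hook records (the ".text" lines).

Added example; it is not GMER's code and not from this thread. It parses the
inline-hook lines GMER prints, groups them by hooked process and by the 64 KiB
page each JMP lands in, and flags hooks whose target GMER did not attribute to
a loaded module (assumption: GMER appends "<path> (<description>)" only when it
can resolve the JMP target to a module, as on the SearchIndexer.exe line).
"""
import re
from collections import Counter

# One GMER hook record, e.g.
#   .text C:\WINDOWS\system32\svchost.exe[2640] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006D0FEF
# Records that GMER splits across an instruction boundary show raw bytes
# ("[05, 89]") instead of a JMP target; those are kept but carry no target.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+(?: \+ \d+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|(?P<rawbytes>\[[^\]]*\]))"
    r"(?:\s+(?P<attrib>\S+\s+\(.*\)))?\s*$"
)


def parse_hooks(text):
    """Return one dict per hook record; lines that are not hook records are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["nbytes"] = int(rec["nbytes"])
        rec["target"] = int(rec["target"], 16) if rec["target"] else None
        hooks.append(rec)
    return hooks


def triage(hooks):
    """Summarise hooks per (process, pid).

    Each summary holds the hook count, the 64 KiB pages the JMP targets land in,
    the hooked exports, and how many JMP targets lack a module attribution.
    """
    summary = {}
    for h in hooks:
        key = (h["process"], h["pid"])
        s = summary.setdefault(
            key, {"hooks": 0, "pages": set(), "exports": [], "unattributed": 0}
        )
        s["hooks"] += 1
        s["exports"].append(f'{h["module"]}!{h["export"]}')
        if h["target"] is not None:
            s["pages"].add(h["target"] & ~0xFFFF)
            if not h["attrib"]:
                s["unattributed"] += 1
    return summary


def intercepted_modules(hooks):
    """Count hooks per hooked DLL: a quick view of which API surface is intercepted."""
    return Counter(h["module"] for h in hooks)


def report(summary):
    """Render the triage summary as text lines, most hooked process first."""
    lines = []
    for (proc, pid), s in sorted(summary.items(), key=lambda kv: -kv[1]["hooks"]):
        pages = ", ".join(f"{p:08X}" for p in sorted(s["pages"]))
        flag = " <-- targets outside any loaded module" if s["unattributed"] else ""
        lines.append(f"{proc}[{pid}]: {s['hooks']} hooks, "
                     f"{s['unattributed']} unattributed, target pages {pages}{flag}")
    return lines


# Constructed sample, adapted from records in the log above (same format).
SAMPLE = r"""
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E60ECC
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E50FAF
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [05, 89]
.text C:\WINDOWS\system32\svchost.exe[2640] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\system32\SearchIndexer.exe[2972] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3692] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 013D000A

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\i8042prt.sys suspicious modification
"""

if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE)
    for line in report(triage(hooks)):
        print(line)
    print("hooked DLLs:", dict(intercepted_modules(hooks)))
```

Run it against a saved GMER log (replace `SAMPLE` with the file's contents) and the report shows at a glance which processes carry hooks, how many land in the same private pages, and which DLL exports are intercepted. An unattributed target is a triage signal, not proof on its own: host intrusion prevention components of security suites also hook these APIs, so compare the flagged processes against the vendor modules actually installed before drawing conclusions. The parser ignores the `File ...` records, so the `i8042prt.sys` modification reported in the log still needs to be reviewed separately.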

#12 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania
  • Local time:04:47 AM

Posted 20 April 2010 - 10:23 AM

Hello again,

Unfortunately the news is not good. You are infected with a nasty rootkit.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


If you want to continue, let me know and I will move this topic to the appropriate forum and post further steps.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 krdavy

  • Topic Starter
  • Members
  • 15 posts
  • Local time:06:47 PM

Posted 20 April 2010 - 11:45 AM

Better be safe than sorry, so I will reformat the drive. Can you tell me about handling my backup files (my docs and my outlook file and archive) ... are there extra precautions that should be taken?

#14 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania
  • Local time:04:47 AM

Posted 20 April 2010 - 12:14 PM

Hello again,
This is indeed the safest practice. You can back up files relatively easily with this infection. Make sure to back up only known files (documents, pictures, and so on). When saving mails, make sure there are no mails with unknown/suspicious attachments backed up.

Do not just back up your userprofile folder, because this may still contain leftovers from the rogue antivirus infection. You can look through your My Documents folder however and back that up if it doesn't contain unknown/suspicious files.

You can always scan a folder with MBAM (right click on the folder and select Scan with Malwarebytes) to check in case you are not sure.

Please let me know if this answers your questions.

regards, Elise



#15 krdavy

  • Topic Starter
  • Members
  • 15 posts
  • Local time:06:47 PM

Posted 20 April 2010 - 12:17 PM

I think so. Thank you for your help. Is there something here that I could do to pay this good deed forward? K



