

Atapi rootkit infection, google redirecting etc'.. GMER log included, HELP please?


  • This topic is locked
28 replies to this topic

#1 Roooose

  • Members
  • 23 posts
  • Gender:Female
  • Location:London

Posted 18 April 2010 - 08:08 AM

Google was redirecting, but I updated to IE8 and that stopped the redirecting; however, Firefox still redirects. I get pop-ups every once in a while on IE8 from the same websites I was redirected to.

Here is my GMER log-


GMER 1.0.15.15252 - http://www.gmer.net
Rootkit quick scan 2010-04-18 14:06:57
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwnyafod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA6EA457B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA6EA44FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA6EA450F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA6EA453B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA6EA45CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA6EA44E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA6EA458F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA6EA4525]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA6EA4551]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA6EA4567]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA6EA45E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA6EA45B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip NEOFLTR_550_11711.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Tcp FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp NEOFLTR_550_11711.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Udp FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp NEOFLTR_550_11711.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\RawIp FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp NEOFLTR_550_11711.SYS (NetBIOS Redirector/Juniper Networks)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8AF7EAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Now, as for TDSSKiller, it picks up atapi.sys but doesn't give me the option to delete. No free antivirus/antimalware/antispyware tools pick it up, and it's slowing my laptop down a lot.

PLEASE help!
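The GMER log above is read by hand in this thread: the hooks attributed to named McAfee and ESET drivers are expected, while the "Device ->" entry on the disk stack reported only as a raw address and the "suspicious modification" of atapi.sys are what point at the rootkit. The following Python, added here as an example and not code from GMER or from anyone in the thread, automates that first triage pass over a log in this format. It works on a constructed sample built from a subset of the log lines above; the severity labels and the Finding class are my own choices, not GMER's.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the GMER log lines posted above, in GMER's own format.
SAMPLE_LOG = r"""
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit quick scan 2010-04-18 14:06:57
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA6EA457B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8AF7EAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
# "Device -> <driver> <device object> <address>": GMER could not resolve the
# owner of the device object to a module, so only a raw address is printed.
DEVICE_RE = re.compile(r"^Device -> (\S+) (\S+) ([0-9A-F]{8})$")
FILE_RE = re.compile(r"^File (.+?) suspicious modification$")
# Line kinds that describe a hook, an inline patch or an attached driver. GMER
# appends the module's description in parentheses when it can identify the file.
HOOK_KINDS = {"Code", "SSDT", "AttachedDevice", ".text", "PAGE", "init", "page", "?"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": act on it; "review": hook by an unidentified module; "info": identified vendor hook
    section: str    # GMER section the line came from
    detail: str


def _description(line):
    """Return the parenthesised module description GMER adds, or None if absent."""
    m = re.search(r"\(([^()]+)\)", line)
    return m.group(1) if m else None


def triage_gmer(log_text):
    """Classify each line of a GMER log into Finding objects."""
    findings = []
    section = "Header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m:
            findings.append(Finding("high", section, f"modified system file {m.group(1)}"))
            continue
        m = DEVICE_RE.match(line)
        if m:
            findings.append(Finding("high", section,
                f"unidentified device object {m.group(3)} on {m.group(2)} under {m.group(1)}"))
            continue
        if line.split(None, 1)[0] in HOOK_KINDS:
            # A hook GMER could attribute to a named security product is routine;
            # one with no description needs a human to identify the module.
            findings.append(Finding("info" if _description(line) else "review", section, line))
    return findings


def summarize(findings):
    """Count findings per severity, highest first."""
    return {s: sum(1 for f in findings if f.severity == s) for s in ("high", "review", "info")}


if __name__ == "__main__":
    results = triage_gmer(SAMPLE_LOG)
    print(summarize(results))
    for f in results:
        if f.severity != "info":
            print(f"[{f.severity}] {f.section}: {f.detail}")
```

On the sample this yields two "high" findings (the unresolved device object under \Driver\atapi and the modified atapi.sys) and four "info" entries for the McAfee and ESET hooks; a hook line with no vendor description would come out as "review". The classifier only reads what GMER already printed, so it is a reading aid, not a replacement for the judgement of the helper in this thread.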


#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 18 April 2010 - 08:11 AM

Hello Roooose,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
We need a little more information before we can proceed with cleaning your machine. Please do the following:

    1. Please download OTL from one of the following mirrors:
  • This is THE Mirror
    2. Save it to your desktop.
    3. Double click on the icon on your desktop.
    4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

    5. Push the Quick Scan button.
    6. Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

Edited by Orange Blossom, 18 April 2010 - 08:20 AM.
Correct name. ~ OB

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Roooose

  • Topic Starter
  • Members
  • 23 posts
  • Gender:Female
  • Location:London

Posted 18 April 2010 - 08:19 AM

How long does this scan usually take?
I'm running it right now. Thank you for the quick reply.

#4 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 18 April 2010 - 08:28 AM

Hello,

QUOTE
How long does this scan usually take?

Depends on how much you have on your machine. Usually not too long!



#5 Roooose

  • Topic Starter
  • Members
  • 23 posts
  • Gender:Female
  • Location:London

Posted 18 April 2010 - 08:28 AM

Both logs are attached.

Attached Files



#6 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 18 April 2010 - 08:38 AM

Hello,

Let's try the easy way first to fix this.

1. We need to run an OTL Fix
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :files
    C:\WINDOWS\System32\drivers\atapi.sys|C:\WINDOWS\ServicePackFiles\i386\atapi.sys /replace
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.

2.
    1. Double click on the icon on your desktop.
    2. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

    3. Push the Quick Scan button.
    4. Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Things to include in your next reply:
OTL fix log
A new OTL scan no need for Extra.txt this time
How is your machine running now still getting popups and redirects?

Edited by fireman4it, 18 April 2010 - 08:42 AM.
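Two things in the post above belong together: the /md5start ... /md5stop list makes OTL report hashes of the boot-path drivers that this family of rootkits patches, and the fix line replaces the live atapi.sys with the copy Windows keeps in ServicePackFiles\i386. The Python below, added here as an example and not part of OTL or of anyone's post, performs that comparison directly: it hashes each listed driver under the live drivers directory and under the backup directory and reports which ones differ. The driver names come from the list above; the directory layout, the build_demo_tree fixture and its file contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# A subset of the driver names from the OTL /md5start ... /md5stop list above.
DRIVER_NAMES = ["atapi.sys", "iaStor.sys", "nvstor.sys", "IdeChnDr.sys", "AGP440.sys"]


def file_digests(path):
    """Return (md5, sha256) hex digests of a file. MD5 is kept only so the result
    can be matched against what OTL prints; the comparison uses SHA-256."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def compare_to_backup(system_dir, backup_dir, names=DRIVER_NAMES):
    """Compare each named driver under system_dir with the copy under backup_dir."""
    report = {}
    for name in names:
        live = Path(system_dir) / name
        ref = Path(backup_dir) / name
        if not live.exists():
            report[name] = "absent"        # not every driver on the list is installed on every machine
            continue
        if not ref.exists():
            report[name] = "no-backup"     # nothing local to compare with; check the vendor's catalog instead
            continue
        live_md5, live_sha = file_digests(live)
        ref_md5, ref_sha = file_digests(ref)
        report[name] = ("match" if live_sha == ref_sha
                        else f"MISMATCH md5={live_md5} backup_md5={ref_md5}")
    return report


def mismatched(report):
    """Names whose live copy differs from the backup, sorted."""
    return sorted(n for n, status in report.items() if status.startswith("MISMATCH"))


def build_demo_tree():
    """Constructed fixture: a fake system32\\drivers and ServicePackFiles\\i386 pair
    in a temporary directory. atapi.sys differs from its backup by a few bytes
    while keeping the same size, iaStor.sys matches, nvstor.sys has no backup."""
    root = Path(tempfile.mkdtemp(prefix="drvcheck_"))
    live = root / "WINDOWS" / "system32" / "drivers"
    ref = root / "WINDOWS" / "ServicePackFiles" / "i386"
    live.mkdir(parents=True)
    ref.mkdir(parents=True)
    clean = b"MZ" + b"\x00" * 510 + b"clean ATAPI driver body (constructed)"
    (ref / "atapi.sys").write_bytes(clean)
    (live / "atapi.sys").write_bytes(clean[:-12] + b"(patched)   ")   # same length, different bytes
    (ref / "iaStor.sys").write_bytes(b"MZ iaStor (constructed)")
    (live / "iaStor.sys").write_bytes(b"MZ iaStor (constructed)")
    (live / "nvstor.sys").write_bytes(b"MZ nvstor (constructed)")      # no backup copy
    return live, ref


if __name__ == "__main__":
    live_dir, ref_dir = build_demo_tree()
    for name, status in compare_to_backup(live_dir, ref_dir).items():
        print(f"{name:14} {status}")
```

A same-size mismatch is exactly the case a file-size check would miss, which is why the comparison hashes content. One caveat a practitioner should keep in mind: a kernel-mode rootkit that has hooked the disk driver can serve the original bytes back to a user-mode reader, so a hash that matches on the live system is not proof the file is clean; running the comparison from offline boot media removes that blind spot.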


#7 Roooose

  • Topic Starter
  • Members
  • 23 posts
  • Gender:Female
  • Location:London

Posted 18 April 2010 - 08:45 AM

========== FILES ==========
File C:\WINDOWS\System32\drivers\atapi.sys successfully replaced with C:\WINDOWS\ServicePackFiles\i386\atapi.sys

OTL by OldTimer - Version 3.2.1.2 log created on 04182010_144113

It didn't ask me to reboot... is there something wrong with that?

I'll reinstall Firefox and see if it redirects, and get back to you.

Also I'm running the OTL scan again right now; I'll post that as soon as it's finished.

#8 Roooose

  • Topic Starter
  • Members
  • 23 posts
  • Gender:Female
  • Location:London

Posted 18 April 2010 - 08:57 AM

It doesn't appear to be redirecting in Firefox anymore :) after restarting and all. I'll see what happens pop-up wise, since their timing is kinda unpredictable.

Edited by Roooose, 18 April 2010 - 09:29 AM.


#9 Roooose

  • Topic Starter
  • Members
  • 23 posts
  • Gender:Female
  • Location:London

Posted 18 April 2010 - 09:31 AM

Edit: It IS redirecting now, suddenly. D:

#10 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 18 April 2010 - 09:49 AM

Hello,

We need another GMER log along with a new OTL log.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


    1. Please download OTL from one of the following mirrors:
  • This is THE Mirror
    2. Save it to your desktop.
    3. Double click on the icon on your desktop.
    4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

    5. Push the Quick Scan button.
    6. Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized


#11 Roooose

  • Topic Starter
  • Members
  • 23 posts
  • Gender:Female
  • Location:London

Posted 18 April 2010 - 10:37 AM

Attached File  OTL.Txt   100.5KB   7 downloads

BleepingComputer sometimes refuses to send... as in my browser will say there's a problem with my connection... could this be a side effect?

I'll attach the new OTL log.


#12 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 18 April 2010 - 10:45 AM

Hello,


I don't understand why you reinstalled Firefox in the middle of a fix.
Any further changes to your computer made by you before it is all clean shall halt any help from myself.
Refer to my opening post about not making any changes.
Please copy and paste your OTL logs directly into your reply.
Are you still getting redirects and popups?


#13 Roooose

  • Topic Starter
  • Members
  • 23 posts
  • Gender:Female
  • Location:London

Posted 18 April 2010 - 10:53 AM

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2010-04-18 16:51:33
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwnyafod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.) ZwClose [0xA8340370]
SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.) ZwCreateProcess [0xA8340250]
SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.) ZwCreateProcessEx [0xA83402E0]
SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.) ZwCreateSection [0xA83401D0]
SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.) ZwCreateThread [0xA83403E0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA6FDA57B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA6FDA4FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA6FDA50F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA6FDA53B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA6FDA5CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA6FDA4E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA6FDA58F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA6FDA525]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA6FDA551]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA6FDA567]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA6FDA5E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA6FDA5B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80502244 7 Bytes JMP A6FDA5BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2EE 5 Bytes JMP A6FDA57F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP A6FDA5D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP A6FDA5E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA88 7 Bytes JMP A6FDA593 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP A6FDA56B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP A6FDA555 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP A6FDA529 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP A6FDA4FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP A6FDA513 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP A6FDA53F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP A6FDA4EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\Drivers\FireTDI.sys entry point in "init" section [0xA8345130]
page C:\WINDOWS\System32\Drivers\oz776.sys entry point in "page" section [0xBA2D2E34]
? system32\drivers\klmd.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC0FEF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC009A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC0089
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC0FAF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC0062
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC0036
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC00D0
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC0F8A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC00EB
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC0F52
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DC0F2D
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DC0047
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DC0FD4
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DC00B5
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DC001B
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DC000A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DC0F63
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DB0014
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DB0F72
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DB0FC3
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DB0FD4
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DB0F83
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DB0FEF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DB0025
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DB0F9E
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006C0038
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] msvcrt.dll!system 77C293C7 5 Bytes JMP 006C0FAD
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006C0027
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006C0FEF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006C0FD2
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006C000C
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006B000A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006A0FE5
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006A0000
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006A0FCA
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[488] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006A001B
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D80047
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D80F52
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D80F6D
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D80F94
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D80036
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D80069
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D80F21
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D80EDA
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D80EF5
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D80EBF
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D80FAF
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D80058
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D80FCA
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D80025
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D80F06
.text C:\WINDOWS\system32\svchost.exe[596] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D70FD1
.text C:\WINDOWS\system32\svchost.exe[596] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D70073
.text C:\WINDOWS\system32\svchost.exe[596] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D70022
.text C:\WINDOWS\system32\svchost.exe[596] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D70011
.text C:\WINDOWS\system32\svchost.exe[596] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D70062
.text C:\WINDOWS\system32\svchost.exe[596] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[596] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D70FC0
.text C:\WINDOWS\system32\svchost.exe[596] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F7, 88]
.text C:\WINDOWS\system32\svchost.exe[596] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D7003D
.text C:\WINDOWS\system32\svchost.exe[596] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D50070
.text C:\WINDOWS\system32\svchost.exe[596] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D5005F
.text C:\WINDOWS\system32\svchost.exe[596] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D50029
.text C:\WINDOWS\system32\svchost.exe[596] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\system32\svchost.exe[596] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D50044
.text C:\WINDOWS\system32\svchost.exe[596] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D5000C
.text C:\WINDOWS\system32\svchost.exe[596] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D3000A
.text C:\WINDOWS\system32\svchost.exe[596] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[596] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D30FDE
.text C:\WINDOWS\system32\svchost.exe[596] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D30FCD
.text C:\WINDOWS\system32\svchost.exe[596] Ws2_32.dll!socket 71AB4211 5 Bytes JMP 00D40000
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C000A
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C00A2
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0FAD
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0FBE
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0087
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C006C
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F64
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F81
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F27
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F38
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C00D1
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0FE5
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C001B
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F92
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C005B
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0036
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F49
.text C:\WINDOWS\system32\svchost.exe[616] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FD4
.text C:\WINDOWS\system32\svchost.exe[616] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[616] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0025
.text C:\WINDOWS\system32\svchost.exe[616] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B000A
.text C:\WINDOWS\system32\svchost.exe[616] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0051
.text C:\WINDOWS\system32\svchost.exe[616] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\system32\svchost.exe[616] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B0040
.text C:\WINDOWS\system32\svchost.exe[616] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FC3
.text C:\WINDOWS\system32\svchost.exe[616] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00400049
.text C:\WINDOWS\system32\svchost.exe[616] msvcrt.dll!system 77C293C7 5 Bytes JMP 00400FBE
.text C:\WINDOWS\system32\svchost.exe[616] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00400FD9
.text C:\WINDOWS\system32\svchost.exe[616] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00400000
.text C:\WINDOWS\system32\svchost.exe[616] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0040002E
.text C:\WINDOWS\system32\svchost.exe[616] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00400011
.text C:\WINDOWS\system32\svchost.exe[616] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[616] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00780011
.text C:\WINDOWS\system32\svchost.exe[616] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00780022
.text C:\WINDOWS\system32\svchost.exe[616] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00780033
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0091
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F9C
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0FC3
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0076
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00DD
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA00B6
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00FF
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F70
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0F4B
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA005B
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0F8B
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0040
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA00EE
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070014
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FDE
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[944] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0006004E
.text C:\WINDOWS\system32\services.exe[944] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FC3
.text C:\WINDOWS\system32\services.exe[944] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[944] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[944] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060029
.text C:\WINDOWS\system32\services.exe[944] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060018
.text C:\WINDOWS\system32\services.exe[944] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[944] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00040FDB
.text C:\WINDOWS\system32\services.exe[944] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00040011
.text C:\WINDOWS\system32\services.exe[944] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00040036
.text C:\WINDOWS\system32\services.exe[944] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D30048
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D30F5D
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D30F6E
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D30F7F
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D30FAB
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D30091
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D30080
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D300C7
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D300B6
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D30F1D
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D30F90
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D30FDE
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D30063
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D30FBC
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D30FCD
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D30F38
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D10025
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D10F9E
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D1005B
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D10FE5
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D10FAF
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F1, 88]
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D10040
.text C:\WINDOWS\system32\lsass.exe[956] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D00031
.text C:\WINDOWS\system32\lsass.exe[956] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D00FA6
.text C:\WINDOWS\system32\lsass.exe[956] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D00FC1
.text C:\WINDOWS\system32\lsass.exe[956] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\lsass.exe[956] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D00016
.text C:\WINDOWS\system32\lsass.exe[956] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D00FD2
.text C:\WINDOWS\system32\lsass.exe[956] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\lsass.exe[956] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\lsass.exe[956] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CE0FCA
.text C:\WINDOWS\system32\lsass.exe[956] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CE0FB9
.text C:\WINDOWS\system32\lsass.exe[956] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DA0090
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DA0075
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DA0064
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DA0F9B
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DA0036
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DA00C1
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DA0F6F
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DA0F4D
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DA00DC
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DA0101
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DA0047
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DA0011
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DA0F80
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DA0FCA
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DA0FE5
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DA0F5E
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D90011
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D9005B
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D90FCA
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D90F94
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D90FE5
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D90FAF
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F9, 88]
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D9002C
.text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D80FC1
.text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D8004C
.text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D80FE3
.text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D80FD2
.text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D8001D
.text C:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D60011
.text C:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D60FDB
.text C:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D60022
.text C:\WINDOWS\system32\svchost.exe[1160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00ED0FEF
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00ED005F
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00ED0F74
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00ED004E
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00ED003D
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00ED002C
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00ED007A
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00ED0F32
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00ED0EF2
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00ED008B
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00ED00A6
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00ED0F9B
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00ED0000
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00ED0F4F
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00ED0011
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00ED0FCA
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00ED0F0D
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EC0FCA
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EC0FA5
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EC0FE5
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EC001B
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EC006C
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EC0000
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EC005B
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EC0036
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EB005A
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EB0049
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EB001D
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EB002E
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EB0FE3
.text C:\WINDOWS\system32\svchost.exe[1224] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\svchost.exe[1224] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E90FD4
.text C:\WINDOWS\system32\svchost.exe[1224] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E90014
.text C:\WINDOWS\system32\svchost.exe[1224] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E90FB9
.text C:\WINDOWS\system32\svchost.exe[1224] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EA0000
.text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02D10FEF
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02D10F55
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02D10F66
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02D10F83
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02D10F94
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02D10025
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02D1005B
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02D10F13
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02D10EDD
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02D10EF8
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02D10091
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02D10040
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02D10FD4
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02D10F3A
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02D10FB9
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02D10014
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02D1006C
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02D00FC3
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02D00F9E
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02D0000A
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02D00FD4
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02D0005B
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02D00FE5
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02D0004A
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02D0002F
.text C:\WINDOWS\System32\svchost.exe[1268] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 026D000A
.text C:\WINDOWS\System32\svchost.exe[1268] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 025C000A
.text C:\WINDOWS\System32\svchost.exe[1268] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02CF0F89
.text C:\WINDOWS\System32\svchost.exe[1268] msvcrt.dll!system 77C293C7 5 Bytes JMP 02CF0014
.text C:\WINDOWS\System32\svchost.exe[1268] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02CF0FB5
.text C:\WINDOWS\System32\svchost.exe[1268] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02CF0FE3
.text C:\WINDOWS\System32\svchost.exe[1268] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02CF0F9A
.text C:\WINDOWS\System32\svchost.exe[1268] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02CF0FD2
.text C:\WINDOWS\System32\svchost.exe[1268] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02970FEF
.text C:\WINDOWS\System32\svchost.exe[1268] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02970FD4
.text C:\WINDOWS\System32\svchost.exe[1268] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0297000A
.text C:\WINDOWS\System32\svchost.exe[1268] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0297001B
.text C:\WINDOWS\System32\svchost.exe[1268] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02980000
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A0005D
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A00F68
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A00F79
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A00F94
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A00036
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A00F30
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A00F41
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A000BF
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A000A4
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A00F0B
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A00FA5
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A00FDB
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A0006E
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A00FC0
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A00011
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A00089
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009F001B
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009F0058
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009F0FCA
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009F0047
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009F0036
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009F0FAF
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009E0077
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!system 77C293C7 5 Bytes JMP 009E0066
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009E003A
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009E0055
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009E0029
.text C:\WINDOWS\system32\svchost.exe[1372] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1372] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[1372] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 009C0025
.text C:\WINDOWS\system32\svchost.exe[1372] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 009C0FCA
.text C:\WINDOWS\system32\svchost.exe[1372] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009D000A
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C400BF
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C400AE
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C40093
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C40FCA
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C40051
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C40112
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C400EB
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C40F79
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C40F94
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C40F68
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C4006C
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C4000A
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C400DA
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C40040
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C4002F
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C40FA5
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C30FCA
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30F94
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30011
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C30FDB
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30051
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C30040
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30FB9
.text C:\WINDOWS\system32\svchost.exe[1504] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20FBC
.text C:\WINDOWS\system32\svchost.exe[1504] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20047
.text C:\WINDOWS\system32\svchost.exe[1504] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20011
.text C:\WINDOWS\system32\svchost.exe[1504] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[1504] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C2002C
.text C:\WINDOWS\system32\svchost.exe[1504] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20FE3
.text C:\WINDOWS\system32\svchost.exe[1504] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\svchost.exe[1504] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\svchost.exe[1504] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\svchost.exe[1504] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\system32\svchost.exe[1504] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10000
.text C:\WINDOWS\Explorer.EXE[1624] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1624] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1624] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BA000C
.text C:\WINDOWS\Explorer.EXE[1624] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FAF
.text C:\WINDOWS\Explorer.EXE[1624] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0025
.text C:\WINDOWS\Explorer.EXE[1624] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\Explorer.EXE[1624] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0000
.text C:\WINDOWS\Explorer.EXE[1624] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0F68
.text C:\WINDOWS\Explorer.EXE[1624] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\Explorer.EXE[1624] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0F8D
.text C:\WINDOWS\Explorer.EXE[1624] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\Explorer.EXE[1624] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0F9E
.text C:\WINDOWS\Explorer.EXE[1624] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0038
.text C:\WINDOWS\Explorer.EXE[1624] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0FAD
.text C:\WINDOWS\Explorer.EXE[1624] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C001D
.text C:\WINDOWS\Explorer.EXE[1624] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\Explorer.EXE[1624] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0FC8
.text C:\WINDOWS\Explorer.EXE[1624] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C000C
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB000A
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CB009D
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CB0078
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB0F9E
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CB0FAF
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB0040
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CB00D0
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CB00BF
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB010D
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CB00FC
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CB0F4F
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CB0051
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CB001B
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CB00AE
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CB0FD4
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CB0FE5
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CB00EB
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0FB2
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0F72
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0FCD
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0FDE
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC002F
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BC0F8D
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DC, 88]
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC001E
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0036
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0025
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0FE3
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0FAB
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0FD2
.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00B90FDE
.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00B90FAF
.text C:\WINDOWS\system32\svchost.exe[1808] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0073
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0062
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0F7E
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0047
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0FB9
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0F41
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C0F5C
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C0F26
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C00BF
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C0F15
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0036
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0014
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C0F6D
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0FD4
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0025
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C00A4
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008F001B
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008F0F8A
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008F0FD4
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008F000A
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008F0F9B
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008F0FEF
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008F003D
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008F002C
.text C:\WINDOWS\system32\svchost.exe[1896] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008E007A
.text C:\WINDOWS\system32\svchost.exe[1896] msvcrt.dll!system 77C293C7 5 Bytes JMP 008E005F
.text C:\WINDOWS\system32\svchost.exe[1896] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008E0033
.text C:\WINDOWS\system32\svchost.exe[1896] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008E0FEF
.text C:\WINDOWS\system32\svchost.exe[1896] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008E004E
.text C:\WINDOWS\system32\svchost.exe[1896] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008E000C
.text C:\WINDOWS\system32\svchost.exe[1896] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 008C0FEF
.text C:\WINDOWS\system32\svchost.exe[1896] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 008C0000
.text C:\WINDOWS\system32\svchost.exe[1896] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 008C0FC0
.text C:\WINDOWS\system32\svchost.exe[1896] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 008C0FA5
.text C:\WINDOWS\system32\svchost.exe[1896] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008D0FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03990000
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03990084
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03990073
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03990F8F
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03990058
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03990FBD
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03990F5E
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 039900B0
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03990F3C
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03990F4D
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03990F2B
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03990FAC
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03990011
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03990095
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03990033
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03990022
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 039900CB
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03980F9E
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0398002F
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03980FB9
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03980FD4
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0398001E
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03980FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03980F7C
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B8, 8B]
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03980F8D
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0397003D
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] msvcrt.dll!system 77C293C7 5 Bytes JMP 03970FB2
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03970018
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03970FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03970FC3
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03970FDE
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03960FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 03120FE5
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0312000A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 03120FD4
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 03120FAF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip NEOFLTR_550_11711.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Tcp FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp NEOFLTR_550_11711.SYS (NetBIOS Redirector/Juniper Networks)

Device \Driver\atapi \Device\Ide\IdePort0 atapi.sys (IDE/ATAPI Port Driver/Microsoft Corporation)
Device \Driver\atapi \Device\Ide\IdePort1 atapi.sys (IDE/ATAPI Port Driver/Microsoft Corporation)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e atapi.sys (IDE/ATAPI Port Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp NEOFLTR_550_11711.SYS (NetBIOS Redirector/Juniper Networks)

Device \Driver\BTHUSB \Device\00000096 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp NEOFLTR_550_11711.SYS (NetBIOS Redirector/Juniper Networks)

Device \Driver\klmd21 \Device\KLMD202000 klmd.sys
Device \Driver\BTHUSB \Device\00000098 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8AF50AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\00164176055c (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00164176055c (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00164176055c
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore@Count 92
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore@Blocked 92
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5C255C8A-E604-49B4-9D64-90988571CECB}\iexplore@Count 92
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5CA3D70E-1895-11CF-8E15-001234567890}\iexplore@Count 92
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5CA3D70E-1895-11CF-8E15-001234567890}\iexplore@Blocked 92
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9030D464-4C02-4ABF-8ECC-5164760863C6}\iexplore@Count 92
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9030D464-4C02-4ABF-8ECC-5164760863C6}\iexplore@Blocked 92

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


I apologise for not remembering to not install/delete files without your say-so.
I'll post my OTL log in a second.
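The log above is what the rest of the thread acts on, so here is a small triage script for it. This is an added example, not GMER's code and not anything the posters ran: it parses the text format GMER writes and pulls out the two findings that matter most here, a device object whose dispatch points to a bare address with no owning module (the `Device -> \Driver\atapi \Device\Harddisk0\DR0 8AF50AC8` line) and a driver file reported as modified, plus a per-process tally of the user-mode inline hooks. `SAMPLE_LOG` is a constructed excerpt of the posted log; the `User code sections` header is assumed from GMER's format and is not in the excerpt above.

```python
"""Triage a GMER rootkit-scan log for kernel-level indicators.

Added example: not GMER's code and not from the thread.  It parses the text
GMER writes and pulls out what an analyst acts on first: a device object
dispatched to a bare address with no owning module, a driver file reported
as modified, and a per-process tally of user-mode inline hooks.  SAMPLE_LOG
is a constructed excerpt of the posted log; the "User code sections" header
is assumed from GMER's format and is not in the excerpt above.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[1896] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008D0FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2012] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 039900CB

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
Device \Driver\atapi \Device\Ide\IdePort0 atapi.sys (IDE/ATAPI Port Driver/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8AF50AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# ".text <process>[pid] <module>!<export> <address> <n> Bytes <what is there now>"
HOOK_RE = re.compile(r"^\.text (?P<proc>.+?\[\d+\]) (?P<module>\S+?)!(?P<export>\S+) "
                     r"(?P<addr>[0-9A-F]+) (?P<size>\d+) Bytes (?P<patch>.+)$")
# "Device -> <driver> <device> <address>" with no module file or vendor string:
# the device's dispatch points outside every driver GMER could name.
REDIRECT_RE = re.compile(r"^Device -> (?P<driver>\S+) (?P<device>\S+) (?P<target>[0-9A-F]{8})$")
MODIFIED_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")


def triage(log_text):
    """Single pass over the log, tracking the current section header."""
    findings = {
        "redirected_devices": [],      # (driver object, device object, bare address)
        "modified_files": [],
        "hooks_per_process": Counter(),
        "hooked_exports": {},          # process -> sorted "module!export" names
    }
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "Devices":
            m = REDIRECT_RE.match(line)
            if m:
                findings["redirected_devices"].append(
                    (m.group("driver"), m.group("device"), m.group("target")))
        elif section == "Files":
            m = MODIFIED_RE.match(line)
            if m:
                findings["modified_files"].append(m.group("path"))
        else:
            m = HOOK_RE.match(line)
            if m:
                proc = m.group("proc")
                findings["hooks_per_process"][proc] += 1
                findings["hooked_exports"].setdefault(proc, []).append(
                    f"{m.group('module')}!{m.group('export')}")
    for names in findings["hooked_exports"].values():
        names.sort()
    return findings


def assess(findings):
    """One-line verdict: a disk device object dispatched to a bare address plus
    the port driver that owns it reported modified is the strongest signal."""
    disk = [d for d in findings["redirected_devices"] if "Harddisk" in d[1]]
    modified = findings["modified_files"]
    if disk and modified:
        driver, device, target = disk[0]
        return (f"kernel rootkit likely: {device} (owner {driver}) dispatches to "
                f"bare address {target}; modified: {', '.join(modified)}")
    if disk or modified:
        return "possible rootkit: one kernel indicator present, confirm with a second tool"
    return "no kernel-level indicators in this log"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(assess(result))
    for proc, n in result["hooks_per_process"].most_common():
        print(f"{n:3d} user-mode hooks in {proc}")
```

Run it against a full log with `triage(open("gmer.log").read())`. The many `.text` hooks in the log are tallied but not treated as an infection indicator on their own: in this log they sit in processes that the McAfee HIPS driver (`mfehidk.sys`) is known to instrument, and a hook count by itself does not distinguish a security product from malware. The `Device ->` line and the `suspicious modification` line are the kernel-level evidence.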

#14 fireman4it (Malware Response Team)

Posted 18 April 2010 - 11:01 AM

Hello,

Ok now we have to try the more difficult removal.

Print out these instructions to use while in the Recovery Console: (This is for XP only)

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following entries one at a time, and press 'Enter' after each (note the spaces):

cd c:\windows\system32\drivers
ren atapi.sys atapi.old
copy C:\windows\ServicePackFiles\i386\atapi.sys c:\windows\system32\drivers
exit


You should see a message '1 file copied'. If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths.
(if you do not see 1 file copied on the screen, even after ensuring the commands are correct, rename the file back to its original name by typing the following command then hitting Enter.
ren atapi.old atapi.sys
you should NOT be prompted to overwrite an existing file, but if you are, select No then type exit to restart and notify me of your results)

6. Type exit and press 'Enter'. Your computer should reboot.

2. Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on Start, then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall



    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall


  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through system restore".

3. Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
How is your machine running?
Any more redirects or popups?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#15 Roooose (Topic Starter)

Posted 18 April 2010 - 11:32 AM

Step 2 is where it isn't working: although ComboFix is on my desktop, it says "windows cannot find combofix"..?



