
Google re-directs & pop-ups, DSS LOg & GMER


  • This topic is locked
11 replies to this topic

#1 GEA@Eaton

Posted 11 May 2010 - 08:33 AM

OK - here are my new DSS logs and GMER log from yesterday - as instructed. Referred from here: http://www.bleepingcomputer.com/forums/t/315341/yet-another-google-re-direct-issue/ ~ OB I ran Combofix last week but I can't seem to find the log that was generated - if you can point me in the right direction (file name or default location) I will post it - I am not inclined to run Combofix again without some supervision - not pleasant the first time.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Gary at 8:49:48.79 on Tue 05/11/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3070.1954 [GMT -4:00]

AV: Total Protection Service *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
SP: Total Protection Service *enabled* (Updated) {DEBE977C-6A5A-49CC-937A-9E8BB3202260}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: Total Protection Service *disabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

============== Running Processes ===============

C:Windowssystem32wininit.exe
C:Windowssystem32lsm.exe
C:Windowssystem32svchost.exe -k DcomLaunch
C:Windowssystem32nvvsvc.exe
C:Windowssystem32svchost.exe -k rpcss
C:WindowsSystem32svchost.exe -k LocalServiceNetworkRestricted
C:WindowsSystem32svchost.exe -k LocalSystemNetworkRestricted
C:Windowssystem32svchost.exe -k netsvcs
C:Windowssystem32svchost.exe -k GPSvcGroup
C:Windowssystem32SLsvc.exe
C:Windowssystem32svchost.exe -k LocalService
C:Windowssystem32rundll32.exe
C:Windowssystem32svchost.exe -k NetworkService
C:WindowsSystem32spoolsv.exe
C:Windowssystem32svchost.exe -k LocalServiceNoNetwork
C:Windowssystem32AERTSrv.exe
C:Windowssystem32svchost.exe -k bthsvcs
C:Program FilesMcAfeeManaged VirusScanVScanEngineServer.exe
C:PROGRA~1McAfeeMANAGE~1VScanMcShield.exe
C:Program FilesMcAfeeMPFMPFSrv.exe
C:Program FilesMcAfeeManaged VirusScanAgentmyAgtSvc.exe
C:Windowssystem32svchost.exe -k NetworkServiceNetworkRestricted
C:Program FilesCyberPower PowerPanel Personal Editionppped.exe
C:Program FilesMicrosoftSearch Enhancement PackSeaPortSeaPort.exe
C:Program FilesDell Support Centerbinsprtsvc.exe
C:Windowssystem32svchost.exe -k imgsvc
C:WindowsSystem32svchost.exe -k WerSvcGroup
C:Windowssystem32SearchIndexer.exe
C:Program FilesIntelIntel Matrix Storage ManagerIAANTMon.exe
C:Windowssystem32WUDFHost.exe
C:Windowssystem32Dwm.exe
C:Windowssystem32taskeng.exe
C:WindowsExplorer.EXE
C:WindowsRtHDVCpl.exe
C:Program FilesIntelIntel Matrix Storage ManagerIAAnotif.exe
C:Program FilesMcAfeeManaged VirusScanDesktopUIXTray.exe
C:Program FilesCyberLinkPowerDVD DXPDVDDXSrv.exe
C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe
C:WindowsWindowsMobilewmdc.exe
C:Program FilesCommon Filesmicrosoft sharedWorks SharedWkUFind.exe
C:Windowssystem32svchost.exe -k WindowsMobile
C:Program FilesScanSoftPaperPortpptd40nt.exe
C:Program FilesBrotherBrmfcmonBrMfcWnd.exe
C:Program FilesCommon FilesRealUpdate_OBrealsched.exe
C:WindowsSystem32mobsync.exe
C:Program FilesWindows Sidebarsidebar.exe
C:Program FilesMicrosoft OfficeOffice12ONENOTEM.EXE
C:Program FilesBrotherBrmfcmonBrMfimon.exe
C:Windowssystem32taskeng.exe
C:WindowsservicingTrustedInstaller.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesWindows LiveToolbarwltuser.exe
C:Windowssystem32wbemwmiprvse.exe
C:WindowsSystem32wscript.exe
C:Windowssystem32SearchProtocolHost.exe
C:Windowssystem32SearchFilterHost.exe
EATON-SERVERRedirectedFoldersgaryDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program filescommon filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:program filesrealrealplayerrpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:program filesmicrosoftsearch enhancement packsearch helperSEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:program filesmicrosoft officeoffice12GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:program filesjavajre6binssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:program filesmcafeemanaged virusscanvscanScriptSn.20100413085956.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:program filescommon filesmicrosoft sharedwindows liveWindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program filesjavajre6binjp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:program fileswindows livetoolbarwltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:program fileswindows livetoolbarwltcore.dll
uRun: [Sidebar] c:program fileswindows sidebarsidebar.exe /autoRun
mRun: [Windows Defender] %ProgramFiles%Windows DefenderMSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:windowssystem32NvCpl.dll,NvStartup
mRun: [IAAnotif] c:program filesintelintel matrix storage manageriaanotif.exe
mRun: [dscactivate] "c:program filesdell support centergs_agentcustomdsca.exe"
mRun: [MVS Splash] "c:program filesmcafeemanaged virusscandesktopuiXTray.exe" /LOGON
mRun: [PDVDDXSrv] "c:program filescyberlinkpowerdvd dxPDVDDXSrv.exe"
mRun: [DellSupportCenter] "c:program filesdell support centerbinsprtcmd.exe" /P DellSupportCenter
mRun: [GrooveMonitor] "c:program filesmicrosoft officeoffice12GrooveMonitor.exe"
mRun: [Windows Mobile Device Center] %windir%WindowsMobilewmdc.exe
mRun: [Microsoft Works Update Detection] c:program filescommon filesmicrosoft sharedworks sharedWkUFind.exe
mRun: [SSBkgdUpdate] "c:program filescommon filesscansoft sharedssbkgdupdateSSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:program filesscansoftpaperportpptd40nt.exe"
mRun: [PPort11reminder] "c:program filesscansoftpaperporteregereg.exe" -r "c:programdatascansoftpaperport11configeregEreg.ini"
mRun: [BrMfcWnd] c:program filesbrotherbrmfcmonBrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:program filesbrothercontrolcenter3brctrcen.exe /autorun
mRun: [TkBellExe] "c:program filescommon filesrealupdate_obrealsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:program filesadobereader 9.0readerReader_sl.exe"
mRun: [Adobe ARM] "c:program filescommon filesadobearm1.0AdobeARM.exe"
dRun: [Khide] rundll32.exe "c:windowssystem32configsystemprofileappdatalocalidms09.dll",Startup
StartupFolder: c:usersgaryappdataroamingmicros~1windowsstartm~1programsstartuponenot~1.lnk - c:program filesmicrosoft officeoffice12ONENOTEM.EXE
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:progra~1mi1933~1office12EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:program fileswindows livewriterWriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:progra~1mi1933~1office12ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:windowswindowsmobileINetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:windowswindowsmobileINetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1mi1933~1office12REFIEBAR.DLL
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com*
Trusted Zone: mcafeeasap.combetavscan
Trusted Zone: mcafeeasap.comvs
Trusted Zone: mcafeeasap.comwww
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:program filesmicrosoft officeoffice12GrooveSystemServices.dll
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:program filesmcafeemanaged virusscanagentMyRmProt5.0.0.768.dll
Notify: !SASWinLogon - c:program filessuperantispywareSASWINLO.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:program filesmicrosoft officeoffice12GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:program filessuperantispywareSASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:windowssystem32driversmfehidk.sys [2009-6-5 214664]
R1 SASDIFSV;SASDIFSV;c:program filessuperantispywaresasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:program filessuperantispywareSASKUTIL.SYS [2010-5-6 68168]
R2 AERTFilters;Andrea RT Filters Service;c:windowssystem32AERTSrv.exe [2009-6-6 81920]
R2 EngineServer;EngineServer;c:program filesmcafeemanaged virusscanvscanEngineServer.exe [2009-6-5 14144]
R2 McShield;McShield;c:progra~1mcafeemanage~1vscanMcShield.exe [2009-6-5 144704]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:program filesmcafeemanaged virusscanagentmyAgtSvc.exe [2010-4-13 282824]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:windowssystem32driversRtNdPt60.sys [2009-6-5 27648]
R3 MfeAVFK;McAfee Inc. MfeAVFK;c:windowssystem32driversmfeavfk.sys [2009-6-5 79816]
R3 MfeBOPK;McAfee Inc. MfeBOPK;c:windowssystem32driversmfebopk.sys [2009-6-5 35272]
S2 DnscacheSamSs;DNS Client DnscacheSamSs;c:windowssystem32acluiz.exe srv --> c:windowssystem32acluiz.exe srv [?]
S2 PcaSvcwscsvc;Program Compatibility Assistant Service PcaSvcwscsvc;c:windowssystem32advapi32l.exe srv --> c:windowssystem32advapi32l.exe srv [?]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:windowssystem32driversmferkdk.sys [2009-6-5 34248]

=============== Created Last 30 ================

2010-05-11 12:46:56 0 ----a-w- c:usersgarydefogger_reenable
2010-05-10 21:26:17 280259798 ----a-w- c:windowsMEMORY.DMP
2010-05-10 16:08:30 0 d-----w- c:program filesESET
2010-05-07 18:26:13 0 d-----w- c:programdataSUPERAntiSpyware.com
2010-05-07 18:26:03 0 d-----w- c:usersgaryappdataroamingSUPERAntiSpyware.com
2010-05-07 18:26:03 0 d-----w- c:program filesSUPERAntiSpyware
2010-05-07 18:09:53 0 d-----w- c:usersgaryappdataroamingMalwarebytes
2010-05-07 18:09:35 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2010-05-07 18:09:34 20952 ----a-w- c:windowssystem32driversmbam.sys
2010-05-07 18:09:34 0 d-----w- c:programdataMalwarebytes
2010-05-07 18:09:33 0 d-----w- c:program filesMalwarebytes' Anti-Malware
2010-05-04 21:53:18 0 d-sh--w- C:$RECYCLE.BIN
2010-05-04 21:53:05 280 --s-a-w- c:windowssystem32557932707.dat
2010-05-04 21:36:00 98816 ----a-w- c:windowssed.exe
2010-05-04 21:36:00 77312 ----a-w- c:windowsMBR.exe
2010-05-04 21:36:00 256512 ----a-w- c:windowsPEV.exe
2010-05-04 21:36:00 161792 ----a-w- c:windowsSWREG.exe
2010-04-15 12:47:27 105984 ----a-w- c:windowssystem32driversmrxsmb.sys
2010-04-15 12:47:26 212992 ----a-w- c:windowssystem32driversmrxsmb10.sys
2010-04-15 12:47:24 78848 ----a-w- c:windowssystem32driversmrxsmb20.sys
2010-04-15 12:47:09 3600776 ----a-w- c:windowssystem32ntkrnlpa.exe
2010-04-15 12:47:08 3548560 ----a-w- c:windowssystem32ntoskrnl.exe
2010-04-15 12:46:56 430080 ----a-w- c:windowssystem32vbscript.dll
2010-04-15 12:46:22 171520 ----a-w- c:windowssystem32wintrust.dll
2010-04-15 12:46:17 62464 ----a-w- c:windowssystem32l3codeca.acm
2010-04-15 12:45:58 25088 ----a-w- c:windowssystem32driverstunnel.sys
2010-04-15 12:45:58 190464 ----a-w- c:windowssystem32iphlpsvc.dll
2010-04-15 12:45:54 898952 ----a-w- c:windowssystem32driverstcpip.sys
2010-04-15 12:45:48 98304 ----a-w- c:windowssystem32cabview.dll

==================== Find3M ====================

2010-03-09 16:28:40 833024 ----a-w- c:windowssystem32wininet.dll
2010-03-09 16:25:21 78336 ----a-w- c:windowssystem32ieencode.dll
2010-03-09 14:01:47 26624 ----a-w- c:windowssystem32ieUnatt.exe
2010-02-24 14:16:06 181632 ------w- c:windowssystem32MpSigStub.exe
2010-02-20 23:39:35 24064 ----a-w- c:windowssystem32nshhttp.dll
2010-02-20 23:37:20 31232 ----a-w- c:windowssystem32httpapi.dll
2010-01-19 21:56:06 86016 ----a-w- c:windowsinfinfstor.dat
2010-01-19 21:56:06 51200 ----a-w- c:windowsinfinfpub.dat
2010-01-19 21:56:06 143360 ----a-w- c:windowsinfinfstrng.dat
2009-06-06 06:44:53 665600 ----a-w- c:windowsinfdrvindex.dat
2008-01-21 02:43:58 174 --sha-w- c:program filesdesktop.ini
2006-11-02 12:42:07 30674 ----a-w- c:windowsinfperflib0409perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:windowsinfperflib0409perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:windowsinfperflib0409perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:windowsinfperflib0409perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:windowsinfperflib0000perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:windowsinfperflib0000perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:windowsinfperflib0000perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:windowsinfperflib0000perfc.dat
2001-08-22 18:15:48 245760 ----a-w- c:windowsinfi386viceo.dll
2001-08-22 18:13:38 32768 ----a-w- c:windowsinfi386Pmicro.dll
2001-08-22 18:13:30 61440 ----a-w- c:windowsinfi386gl.dll
2001-08-03 23:29:18 13824 ----a-w- c:windowsinfi386Usbscan.sys
2006-05-03 10:06:54 163328 --sh--r- c:windowssystem32flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:windowssystem32msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:windowssystem32nbDX.dll
2009-08-23 19:37:45 32768 --sha-w- c:windowssystem32configsystemprofileappdatalocalmicrosoftwindowshistoryhistory.ie5mshist012009082320090824index.dat
2009-09-18 13:08:58 32768 --sha-w- c:windowssystem32configsystemprofileappdatalocalmicrosoftwindowshistoryhistory.ie5mshist012009091820090919index.dat
2009-10-26 12:53:29 32768 --sha-w- c:windowssystem32configsystemprofileappdatalocalmicrosoftwindowshistoryhistory.ie5mshist012009102620091027index.dat
2009-06-06 06:35:38 8192 --sha-w- c:windowsusersdefaultNTUSER.DAT

============= FINISH: 8:50:39.04 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Business
Boot Device: DeviceHarddiskVolume3
Install Date: 6/5/2009 6:50:58 PM
System Uptime: 5/11/2010 8:36:13 AM (0 hours ago)

Motherboard: Dell Inc. | | 0N185P
Processor: Intel® Core™2 Quad CPU Q9400 @ 2.66GHz | Socket 775 | 1995/333mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 288 GiB total, 209.833 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 5.33 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
Z: is NetworkDisk (NTFS) - 699 GiB total, 565.59 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

42 Bit Scanner
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.2
Brother HL-4040CN
Brother MFL-Pro Suite
Business Tools Launcher
Choice Guard
CyberPower PowerPanel Personal Edition 1.2.2
Dell Edoc Viewer
Dell Getting Started Guide
Dell Support Center (Support Software)
ESET Online Scanner v3
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel® Matrix Storage Manager
Java™ 6 Update 11
Junk Mail filter update
Label Magic
Malwarebytes' Anti-Malware
McAfee Firewall Protection Service
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Digital Image Pro 9
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Drivers
NVIDIA PhysX v8.10.06
PaperPort Image Printer
Personal Entertainment Launcher
Pervasive PSQL v10.10 Client (32-bit)
PowerDVD DX
Product Support Launcher
RealPlayer
Realtek Ethernet Network Card Diagnostic tool for Windows Vista
Realtek High Definition Audio Driver
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
ScanSoft PaperPort 11
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Sonic CinePlayer Decoder Pack
SUPER © Version 2010.bld.37 (Jan 2, 2010)
SUPERAntiSpyware Free Edition
TaxACT 2009
TaxACT 2009 New York
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb981433)
Visual C++ 8.0 x86 Runtime Setup Package
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Mobile Device Center
Windows Mobile Device Center Driver Update
Windows Small Business Server 2008 ClientAgent
Windows Small Business Server 2008 Desktop Links Gadget
Windows Small Business Server 2008 WMI Provider

==== End Of File ===========================


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 18:59:27
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:UsersgaryAppDataLocalTempuwlciuog.sys


---- System - GMER 1.0.15 ----

Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F41E79E]
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8F41E738]
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8F41E74C]
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8F41E7DC]
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8F41E710]
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8F41E724]
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8F41E7B2]
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8F41E78A]
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8F41E776]
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8F41E80B]
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8F41E7F2]
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8F41E7C8]
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8F41E762]
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 81C5B1F0 5 Bytes JMP 8F41E7CC SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 81DFDF40 5 Bytes JMP 8F41E766 SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 81E180F6 5 Bytes JMP 8F41E80F SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 81E37380 5 Bytes JMP 8F41E728 SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 81E46D0B 5 Bytes JMP 8F41E714 SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 81E5996C 7 Bytes JMP 8F41E7E0 SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 81E59FC3 5 Bytes JMP 8F41E7F6 SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 81E5C1D4 5 Bytes JMP 8F41E7A2 SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 81E69892 5 Bytes JMP 8F41E77A SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 81E6BAEC 7 Bytes JMP 8F41E7B6 SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 81EC97B7 5 Bytes JMP 8F41E73C SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 81EC9802 7 Bytes JMP 8F41E750 SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 81ECA2BF 5 Bytes JMP 8F41E78E SystemRootsystem32driversmfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:Windowssystem32driverspci.sys entry point in ".rsrc" section [0x8070B014]
.text C:Windowssystem32DRIVERSnvlddmkm.sys section is writeable [0x8EA01340, 0x3CFE17, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:Windowssystem32svchost.exe[444] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 00740F48
.text C:Windowssystem32svchost.exe[444] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 00740098
.text C:Windowssystem32svchost.exe[444] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 007400D5
.text C:Windowssystem32svchost.exe[444] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 007400C4
.text C:Windowssystem32svchost.exe[444] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 0074007D
.text C:Windowssystem32svchost.exe[444] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 00740FCA
.text C:Windowssystem32svchost.exe[444] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 0074006C
.text C:Windowssystem32svchost.exe[444] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 0074005B
.text C:Windowssystem32svchost.exe[444] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 00740F92
.text C:Windowssystem32svchost.exe[444] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 00740FAF
.text C:Windowssystem32svchost.exe[444] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 00740036
.text C:Windowssystem32svchost.exe[444] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 00740F6D
.text C:Windowssystem32svchost.exe[444] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 00740F23
.text C:Windowssystem32svchost.exe[444] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 00740000
.text C:Windowssystem32svchost.exe[444] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 00740FE5
.text C:Windowssystem32svchost.exe[444] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 0074001B
.text C:Windowssystem32svchost.exe[444] kernel32.dll!WinExec 769154FF 5 Bytes JMP 007400A9
.text C:Windowssystem32svchost.exe[444] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 006E0FD4
.text C:Windowssystem32svchost.exe[444] msvcrt.dll!system 76828B63 5 Bytes JMP 006E0055
.text C:Windowssystem32svchost.exe[444] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 006E0029
.text C:Windowssystem32svchost.exe[444] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 006E000C
.text C:Windowssystem32svchost.exe[444] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 006E003A
.text C:Windowssystem32svchost.exe[444] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 006E0FEF
.text C:Windowssystem32svchost.exe[444] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00020058
.text C:Windowssystem32svchost.exe[444] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 0002002C
.text C:Windowssystem32svchost.exe[444] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00020000
.text C:Windowssystem32svchost.exe[444] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 00020047
.text C:Windowssystem32svchost.exe[444] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00020073
.text C:Windowssystem32svchost.exe[444] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00020FD4
.text C:Windowssystem32svchost.exe[444] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 00020FE5
.text C:Windowssystem32svchost.exe[444] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 0002001B
.text C:Windowssystem32svchost.exe[444] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00750FEF
.text C:Windowssystem32svchost.exe[444] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 0075001B
.text C:Windowssystem32svchost.exe[444] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 0075000A
.text C:Windowssystem32svchost.exe[444] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 00750FCA
.text C:Windowssystem32svchost.exe[444] WS2_32.dll!socket 77D236D1 5 Bytes JMP 0097000A
.text C:Windowssystem32svchost.exe[568] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 00B60F57
.text C:Windowssystem32svchost.exe[568] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 00B60F72
.text C:Windowssystem32svchost.exe[568] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 00B600C2
.text C:Windowssystem32svchost.exe[568] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 00B60F2B
.text C:Windowssystem32svchost.exe[568] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 00B60093
.text C:Windowssystem32svchost.exe[568] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 00B60FB9
.text C:Windowssystem32svchost.exe[568] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 00B60076
.text C:Windowssystem32svchost.exe[568] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 00B60040
.text C:Windowssystem32svchost.exe[568] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 00B60F9E
.text C:Windowssystem32svchost.exe[568] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 00B6005B
.text C:Windowssystem32svchost.exe[568] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 00B6002F
.text C:Windowssystem32svchost.exe[568] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 00B60F8D
.text C:Windowssystem32svchost.exe[568] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 00B600D3
.text C:Windowssystem32svchost.exe[568] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 00B6000A
.text C:Windowssystem32svchost.exe[568] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 00B60FEF
.text C:Windowssystem32svchost.exe[1596] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 0078000A
.text C:Windowssystem32svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 00780036
.text C:Windowssystem32svchost.exe[1596] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00A90000
.text C:Windowssystem32svchost.exe[1596] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 00A9001B
.text C:Windowssystem32svchost.exe[1596] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 00A90FDB
.text C:Windowssystem32svchost.exe[1596] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 00A90FCA
.text C:Windowssystem32svchost.exe[1596] WS2_32.dll!socket 77D236D1 5 Bytes JMP 00BE0FE5
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 00CA0F37
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 00CA007D
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 00CA0F0B
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 00CA0098
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 00CA0062
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 00CA0FAF
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 00CA0F7E
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 00CA0036
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 00CA0F6D
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 00CA0047
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 00CA001B
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 00CA0F52
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 00CA0EF0
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 00CA0FE5
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 00CA0000
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 00CA0FCA
.text C:Windowssystem32svchost.exe[1868] kernel32.dll!WinExec 769154FF 5 Bytes JMP 00CA0F1C
.text C:Windowssystem32svchost.exe[1868] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 00C40042
.text C:Windowssystem32svchost.exe[1868] msvcrt.dll!system 76828B63 5 Bytes JMP 00C40FB7
.text C:Windowssystem32svchost.exe[1868] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 00C40FD2
.text C:Windowssystem32svchost.exe[1868] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 00C4000C
.text C:Windowssystem32svchost.exe[1868] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 00C40027
.text C:Windowssystem32svchost.exe[1868] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 00C40FE3
.text C:Windowssystem32svchost.exe[1868] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00760047
.text C:Windowssystem32svchost.exe[1868] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00760FA5
.text C:Windowssystem32svchost.exe[1868] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00760000
.text C:Windowssystem32svchost.exe[1868] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 0076002C
.text C:Windowssystem32svchost.exe[1868] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00760062
.text C:Windowssystem32svchost.exe[1868] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00760FCA
.text C:Windowssystem32svchost.exe[1868] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 00760FDB
.text C:Windowssystem32svchost.exe[1868] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 0076001B
.text C:Windowssystem32svchost.exe[1868] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 01580000
.text C:Windowssystem32svchost.exe[1868] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 01580FE5
.text C:Windowssystem32svchost.exe[1868] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 0158001B
.text C:Windowssystem32svchost.exe[1868] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 01580FD4
.text C:Windowssystem32svchost.exe[1868] WS2_32.dll!socket 77D236D1 3 Bytes JMP 015E0000
.text C:Windowssystem32svchost.exe[1868] WS2_32.dll!socket + 4 77D236D5 1 Byte [89]
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 0087007A
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 00870069
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 008700A6
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 00870F0F
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 00870F48
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 00870FB9
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 00870F6F
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 0087002C
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 0087003D
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 00870F8A
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 0087001B
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 0087004E
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 00870EFE
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 00870FDE
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 00870FEF
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 0087000A
.text C:Windowssystem32svchost.exe[2196] kernel32.dll!WinExec 769154FF 5 Bytes JMP 0087008B
.text C:Windowssystem32svchost.exe[2196] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 006F0047
.text C:Windowssystem32svchost.exe[2196] msvcrt.dll!system 76828B63 5 Bytes JMP 006F0036
.text C:Windowssystem32svchost.exe[2196] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 006F000A
.text C:Windowssystem32svchost.exe[2196] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 006F0FEF
.text C:Windowssystem32svchost.exe[2196] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 006F0025
.text C:Windowssystem32svchost.exe[2196] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 006F0FD2
.text C:Windowssystem32svchost.exe[2196] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00010FA8
.text C:Windowssystem32svchost.exe[2196] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00010FB9
.text C:Windowssystem32svchost.exe[2196] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00010FEF
.text C:Windowssystem32svchost.exe[2196] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 0001004A
.text C:Windowssystem32svchost.exe[2196] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00010F97
.text C:Windowssystem32svchost.exe[2196] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00010FD4
.text C:Windowssystem32svchost.exe[2196] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 0001000A
.text C:Windowssystem32svchost.exe[2196] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 00010025
.text C:Windowssystem32svchost.exe[2196] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00880000
.text C:Windowssystem32svchost.exe[2196] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 00880025
.text C:Windowssystem32svchost.exe[2196] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 00880FEF
.text C:Windowssystem32svchost.exe[2196] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 00880036
.text C:Windowssystem32svchost.exe[2196] WS2_32.dll!socket 77D236D1 5 Bytes JMP 00890FE5
.text C:WindowsExplorer.EXE[2528] ntdll.dll!NtProtectVirtualMemory 77C18968 5 Bytes JMP 0022000A
.text C:WindowsExplorer.EXE[2528] ntdll.dll!NtWriteVirtualMemory 77C192A8 5 Bytes JMP 0023000A
.text C:WindowsExplorer.EXE[2528] ntdll.dll!KiUserExceptionDispatcher 77C199E8 5 Bytes JMP 0021000A
.text C:WindowsExplorer.EXE[2528] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 03A10093
.text C:WindowsExplorer.EXE[2528] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 03A10078
.text C:WindowsExplorer.EXE[2528] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 03A10F17
.text C:WindowsExplorer.EXE[2528] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 03A10F28
.text C:WindowsExplorer.EXE[2528] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 03A10031
.text C:WindowsExplorer.EXE[2528] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 03A10FA8
.text C:WindowsExplorer.EXE[2528] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 03A10F57
.text C:WindowsExplorer.EXE[2528] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 03A1000A
.text C:WindowsExplorer.EXE[2528] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 03A10042
.text C:WindowsExplorer.EXE[2528] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 03A10F68
.text C:WindowsExplorer.EXE[2528] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 03A10F83
.text C:WindowsExplorer.EXE[2528] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 03A1005D
.text C:WindowsExplorer.EXE[2528] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 03A100C9
.text C:WindowsExplorer.EXE[2528] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 03A10FCA
.text C:WindowsExplorer.EXE[2528] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 03A10FE5
.text C:WindowsExplorer.EXE[2528] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 03A10FB9
.text C:WindowsExplorer.EXE[2528] kernel32.dll!WinExec 769154FF 5 Bytes JMP 03A100A4
.text C:WindowsExplorer.EXE[2528] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 02400051
.text C:WindowsExplorer.EXE[2528] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 0240002F
.text C:WindowsExplorer.EXE[2528] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 02400FEF
.text C:WindowsExplorer.EXE[2528] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 02400040
.text C:WindowsExplorer.EXE[2528] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 02400F94
.text C:WindowsExplorer.EXE[2528] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 02400014
.text C:WindowsExplorer.EXE[2528] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 02400FD4
.text C:WindowsExplorer.EXE[2528] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 02400FC3
.text C:WindowsExplorer.EXE[2528] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 03A00F9A
.text C:WindowsExplorer.EXE[2528] msvcrt.dll!system 76828B63 5 Bytes JMP 03A0002F
.text C:WindowsExplorer.EXE[2528] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 03A00000
.text C:WindowsExplorer.EXE[2528] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 03A00FE3
.text C:WindowsExplorer.EXE[2528] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 03A00FB5
.text C:WindowsExplorer.EXE[2528] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 03A00FD2
.text C:WindowsExplorer.EXE[2528] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 03A20000
.text C:WindowsExplorer.EXE[2528] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 03A2002C
.text C:WindowsExplorer.EXE[2528] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 03A2001B
.text C:WindowsExplorer.EXE[2528] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 03A20FDB
.text C:WindowsExplorer.EXE[2528] WS2_32.dll!socket 77D236D1 5 Bytes JMP 03CF0000
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 012C0F66
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 012C00B6
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 012C0F44
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 012C0F55
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 012C0F9C
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 012C0FC3
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 012C0080
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 012C0054
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 012C0091
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 012C006F
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 012C002F
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 012C0F81
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 012C00F6
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 012C000A
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 012C0FEF
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 012C0FD4
.text C:Windowssystem32svchost.exe[2572] kernel32.dll!WinExec 769154FF 5 Bytes JMP 012C00C7
.text C:Windowssystem32svchost.exe[2572] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 01230F7A
.text C:Windowssystem32svchost.exe[2572] msvcrt.dll!system 76828B63 5 Bytes JMP 01230F8B
.text C:Windowssystem32svchost.exe[2572] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 01230FB7
.text C:Windowssystem32svchost.exe[2572] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 01230FE3
.text C:Windowssystem32svchost.exe[2572] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 01230FA6
.text C:Windowssystem32svchost.exe[2572] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 01230FD2
.text C:Windowssystem32svchost.exe[2572] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 011B006C
.text C:Windowssystem32svchost.exe[2572] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 011B0051
.text C:Windowssystem32svchost.exe[2572] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 011B0000
.text C:Windowssystem32svchost.exe[2572] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 011B0FC0
.text C:Windowssystem32svchost.exe[2572] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 011B0FA5
.text C:Windowssystem32svchost.exe[2572] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 011B0025
.text C:Windowssystem32svchost.exe[2572] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 011B0FEF
.text C:Windowssystem32svchost.exe[2572] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 011B0040
.text C:Windowssystem32svchost.exe[2572] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 01310FEF
.text C:Windowssystem32svchost.exe[2572] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 01310FD4
.text C:Windowssystem32svchost.exe[2572] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 0131000A
.text C:Windowssystem32svchost.exe[2572] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 0131002F
.text C:Windowssystem32svchost.exe[2572] WS2_32.dll!socket 77D236D1 5 Bytes JMP 01360FE5
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 001A008C
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 001A0F46
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 001A0EFF
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 001A0F1A
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 001A0060
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 001A0FB2
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 001A004F
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 001A0028
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 001A0F61
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 001A0F86
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 001A0F97
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 001A0071
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 001A0EEE
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 001A0FD4
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 001A0FE5
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 001A0FC3
.text C:Windowssystem32svchost.exe[2712] kernel32.dll!WinExec 769154FF 5 Bytes JMP 001A0F2B
.text C:Windowssystem32svchost.exe[2712] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 00190044
.text C:Windowssystem32svchost.exe[2712] msvcrt.dll!system 76828B63 5 Bytes JMP 00190033
.text C:Windowssystem32svchost.exe[2712] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 00190FCD
.text C:Windowssystem32svchost.exe[2712] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 00190FEF
.text C:Windowssystem32svchost.exe[2712] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 00190022
.text C:Windowssystem32svchost.exe[2712] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 00190FDE
.text C:Windowssystem32svchost.exe[2712] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 0002006C
.text C:Windowssystem32svchost.exe[2712] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00020FCA
.text C:Windowssystem32svchost.exe[2712] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00020000
.text C:Windowssystem32svchost.exe[2712] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 00020051
.text C:Windowssystem32svchost.exe[2712] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00020FAF
.text C:Windowssystem32svchost.exe[2712] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00020FE5
.text C:Windowssystem32svchost.exe[2712] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 0002001B
.text C:Windowssystem32svchost.exe[2712] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 00020036
.text C:Windowssystem32svchost.exe[2712] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 000A0000
.text C:Windowssystem32svchost.exe[2712] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 000A0FD4
.text C:Windowssystem32svchost.exe[2712] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 000A0FE5
.text C:Windowssystem32svchost.exe[2712] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 000A001B
.text C:Windowssystem32svchost.exe[2712] WS2_32.dll!socket 77D236D1 5 Bytes JMP 0001000A
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 001B008C
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 001B0F46
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 001B0F1A
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 001B00A7
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 001B0060
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 001B001E
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 001B0F86
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 001B0FB2
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 001B0F6B
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 001B0F97
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 001B002F
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 001B007B
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 001B00C2
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 001B0FDE
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 001B0FEF
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 001B0FCD
.text C:WindowsSystem32svchost.exe[2740] kernel32.dll!WinExec 769154FF 5 Bytes JMP 001B0F2B
.text C:WindowsSystem32svchost.exe[2740] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 001A0FC3
.text C:WindowsSystem32svchost.exe[2740] msvcrt.dll!system 76828B63 5 Bytes JMP 001A0FD4
.text C:WindowsSystem32svchost.exe[2740] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 001A0029
.text C:WindowsSystem32svchost.exe[2740] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 001A0FEF
.text C:WindowsSystem32svchost.exe[2740] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 001A003A
.text C:WindowsSystem32svchost.exe[2740] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 001A0018
.text C:WindowsSystem32svchost.exe[2740] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00020F8D
.text C:WindowsSystem32svchost.exe[2740] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00020FB9
.text C:WindowsSystem32svchost.exe[2740] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 0002000A
.text C:WindowsSystem32svchost.exe[2740] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 00020F9E
.text C:WindowsSystem32svchost.exe[2740] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00020F72
.text C:WindowsSystem32svchost.exe[2740] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00020FEF
.text C:WindowsSystem32svchost.exe[2740] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 00020025
.text C:WindowsSystem32svchost.exe[2740] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 00020FD4
.text C:WindowsSystem32svchost.exe[2740] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00310000
.text C:WindowsSystem32svchost.exe[2740] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 00310FDE
.text C:WindowsSystem32svchost.exe[2740] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 00310FEF
.text C:WindowsSystem32svchost.exe[2740] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 0031002F

---- Devices - GMER 1.0.15 ----

AttachedDevice FileSystemNtfs Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> DriveriaStor DeviceHarddisk0DR0 8542FEE4

---- Files - GMER 1.0.15 ----

File C:Windowssystem32driverspci.sys suspicious modification
File C:Windowssystem32driversiaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

I did finally find my ComboFix log -

ComboFix 10-05-04.01 - Gary 05/04/2010 17:45:57.1.4 - x86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3070.2197 [GMT -4:00]
Running from: EATON-SERVERRedirectedFoldersGaryMy DocumentsdownloadComboFix.exe
AV: Total Protection Service *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
FW: Total Protection Service *disabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}
SP: Total Protection Service *enabled* (Updated) {DEBE977C-6A5A-49CC-937A-9E8BB3202260}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:$recycle.binS-1-5-21-1926026124-797753282-3819704201-500
c:$recycle.binS-1-5-21-749319590-374604560-827466395-1001
c:$recycle.binS-1-5-21-749319590-374604560-827466395-500
c:programdataMicrosoftNetworkDownloaderqmgr0.dat
c:programdataMicrosoftNetworkDownloaderqmgr1.dat
c:windowssystem32557932707.dat
c:windowssystem32twain.dll

----- BITS: Possible infected sites -----

hxxp://eaton-server:8530
Infected copy of c:windowssystem32DRIVERSrasacd.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-04 21:53 . 2010-05-04 21:53 32 ----a-w- c:windowssystem32557932707.dat
2010-05-04 21:51 . 2010-05-04 21:53 -------- d-----w- c:usersgaryAppDataLocaltemp
2010-05-04 13:50 . 2010-05-04 15:19 -------- d-----w- c:program filesWindows Live Safety Center
2010-04-15 12:47 . 2010-02-23 11:32 105984 ----a-w- c:windowssystem32driversmrxsmb.sys
2010-04-15 12:47 . 2010-02-23 11:32 212992 ----a-w- c:windowssystem32driversmrxsmb10.sys
2010-04-15 12:47 . 2010-02-23 11:32 78848 ----a-w- c:windowssystem32driversmrxsmb20.sys
2010-04-15 12:47 . 2010-02-18 17:36 3600776 ----a-w- c:windowssystem32ntkrnlpa.exe
2010-04-15 12:47 . 2010-02-18 17:36 3548560 ----a-w- c:windowssystem32ntoskrnl.exe
2010-04-15 12:46 . 2010-03-04 18:54 430080 ----a-w- c:windowssystem32vbscript.dll
2010-04-15 12:46 . 2009-12-23 12:43 171520 ----a-w- c:windowssystem32wintrust.dll
2010-04-15 12:45 . 2010-02-18 14:11 190464 ----a-w- c:windowssystem32iphlpsvc.dll
2010-04-15 12:45 . 2010-02-18 11:52 25088 ----a-w- c:windowssystem32driverstunnel.sys
2010-04-15 12:45 . 2010-02-18 14:49 898952 ----a-w- c:windowssystem32driverstcpip.sys
2010-04-15 12:45 . 2010-01-15 00:04 98304 ----a-w- c:windowssystem32cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 21:53 . 2009-07-30 15:58 -------- d-----w- c:program filesCyberPower PowerPanel Personal Edition
2010-05-04 21:51 . 2009-08-25 18:49 12 ----a-w- c:windowsbthservsdp.dat
2010-04-26 13:01 . 2010-03-28 17:59 439816 ----a-w- c:usersgaryAppDataRoamingRealUpdatesetup3.10setup.exe
2010-04-19 19:06 . 2009-07-30 15:39 -------- d-----w- c:programdataMicrosoft Help
2010-04-15 13:11 . 2009-07-31 16:58 7592 ----a-w- c:usersgaryAppDataLocald3d9caps.dat
2010-03-09 16:28 . 2010-04-01 12:57 833024 ----a-w- c:windowssystem32wininet.dll
2010-03-09 16:25 . 2010-04-01 12:57 78336 ----a-w- c:windowssystem32ieencode.dll
2010-03-09 14:01 . 2010-04-01 12:57 26624 ----a-w- c:windowssystem32ieUnatt.exe
2010-02-24 14:16 . 2009-12-11 17:37 181632 ------w- c:windowssystem32MpSigStub.exe
2010-02-20 23:39 . 2010-03-11 13:48 24064 ----a-w- c:windowssystem32nshhttp.dll
2010-02-20 23:37 . 2010-03-11 13:48 31232 ----a-w- c:windowssystem32httpapi.dll
2010-02-20 21:18 . 2010-03-11 13:48 411136 ----a-w- c:windowssystem32drivershttp.sys
2006-05-03 10:06 . 2010-03-02 19:29 163328 --sh--r- c:windowsSystem32flvDX.dll
2007-02-21 11:47 . 2010-03-02 19:29 31232 --sh--r- c:windowsSystem32msfDX.dll
2008-03-16 13:30 . 2010-03-02 19:29 216064 --sh--r- c:windowsSystem32nbDX.dll
2009-06-06 06:35 . 2009-06-06 06:33 8192 --sha-w- c:windowsUsersDefaultNTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"Sidebar"="c:program filesWindows Sidebarsidebar.exe" [2008-01-21 1233920]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"Windows Defender"="c:program filesWindows DefenderMSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-19 6265376]
"NvCplDaemon"="c:windowssystem32NvCpl.dll" [2008-12-22 13576736]
"IAAnotif"="c:program filesIntelIntel Matrix Storage Manageriaanotif.exe" [2008-12-04 186904]
"dscactivate"="c:program filesDell Support Centergs_agentcustomdsca.exe" [2008-03-11 16384]
"MVS Splash"="c:program filesMcAfeeManaged VirusScanDesktopUIXTray.exe" [2010-04-05 476480]
"PDVDDXSrv"="c:program filesCyberLinkPowerDVD DXPDVDDXSrv.exe" [2009-02-05 128232]
"DellSupportCenter"="c:program filesDell Support Centerbinsprtcmd.exe" [2009-05-21 206064]
"GrooveMonitor"="c:program filesMicrosoft OfficeOffice12GrooveMonitor.exe" [2008-10-25 31072]
"Windows Mobile Device Center"="c:windowsWindowsMobilewmdc.exe" [2007-05-31 648072]
"Microsoft Works Update Detection"="c:program filesCommon FilesMicrosoft SharedWorks SharedWkUFind.exe" [2003-06-07 50688]
"SSBkgdUpdate"="c:program filesCommon FilesScansoft SharedSSBkgdUpdateSSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:program filesScanSoftPaperPortpptd40nt.exe" [2008-07-10 29984]
"PPort11reminder"="c:program filesScanSoftPaperPortEregEreg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:program filesBrotherBrmfcmonBrMfcWnd.exe" [2008-11-13 1122304]
"ControlCenter3"="c:program filesBrotherControlCenter3brctrcen.exe" [2008-08-12 114688]
"TkBellExe"="c:program filesCommon FilesRealUpdate_OBrealsched.exe" [2009-11-27 198160]
"Adobe Reader Speed Launcher"="c:program filesAdobeReader 9.0ReaderReader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:program filesCommon FilesAdobeARM1.0AdobeARM.exe" [2010-03-24 952768]

c:usersgaryAppDataRoamingMicrosoftWindowsStart MenuProgramsStartup
OneNote 2007 Screen Clipper and Launcher.lnk - c:program filesMicrosoft OfficeOffice12ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionpoliciessystem]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalsr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWinDefend]
@="Service"

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringMcAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringMcAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringMcAfeeFirewall]
"DisableMonitoring"=dword:00000001

R2 DnscacheSamSs;DNS Client DnscacheSamSs;c:windowssystem32acluiz.exe [2008-01-21 66560]
R2 PcaSvcwscsvc;Program Compatibility Assistant Service PcaSvcwscsvc;c:windowssystem32advapi32l.exe [x]
S2 AERTFilters;Andrea RT Filters Service;c:windowssystem32AERTSrv.exe [2008-08-19 81920]
S2 EngineServer;EngineServer;c:program filesMcAfeeManaged VirusScanVScanEngineServer.exe [2009-12-15 14144]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:program filesMcAfeeManaged VirusScanAgentmyAgtSvc.exe [2010-04-05 282824]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:windowssystem32DRIVERSRtNdPt60.sys [2008-08-19 27648]


[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2009-06-06 07:02]

2010-05-04 c:\windows\Tasks\User_Feed_Synchronization-{CAEA1967-C2C9-4BAE-93A4-DD03B90E0FDA}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com*
Trusted Zone: mcafeeasap.combetavscan
Trusted Zone: mcafeeasap.comvs
Trusted Zone: mcafeeasap.comwww
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService
AddRemove-MVS - c:\progra~1\McAfee\MANAGE~1\Agent\myinx



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 17:53
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\MANAGE~1\VScan\McShield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\CyberPower PowerPanel Personal Edition\ppped.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\WUDFHost.exe
c:\windows\RtHDVCpl.exe
c:\program files\Brother\Brmfcmon\BrMfimon.exe
c:?c:windowssystem32wbemWMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-05-04 17:58:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-04 21:58

Pre-Run: 226,937,413,632 bytes free
Post-Run: 227,346,096,128 bytes free

- - End Of File - - 733385B886ABA50965AB4D2B4B6118F4

Edited by Orange Blossom, 11 May 2010 - 06:15 PM.




#2 schrauber

  • Malware Response Team

Posted 13 May 2010 - 01:39 AM

Hello, GEA@Eaton
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.





Please post back with a fresh Gmer logfile.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!


#3 GEA@Eaton

  • Topic Starter

Posted 13 May 2010 - 01:13 PM

Hi Tom, welcome to my problem! Thanks for helping. Following are new Gmer logs that I ran today - just so you know, my computer does not like Gmer - Windows crashes about 9 out of 10 times I try to run it. The other 1 time Gmer will stop running with an error message and shut down. The full scan that I list below is truncated at the point where Gmer usually starts to have problems - hope it's enough to help you.

Also - I am starting to get periodic Windows messages that say: "Host Process for Windows Services Stopped Working and was Closed"

Quick Scan:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-13 11:22:58
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\gary\AppData\Local\Temp\uwlciuog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F26479E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8F264738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8F26474C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8F2647DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8F264710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8F264724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8F2647B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8F26478A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8F264776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8F26480B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8F2647F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8F2647C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8F264762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 8542AEE4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Full Scan:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-13 11:50:18
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\gary\AppData\Local\Temp\uwlciuog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F41D79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8F41D738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8F41D74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8F41D7DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8F41D710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8F41D724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8F41D7B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8F41D78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8F41D776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8F41D80B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8F41D7F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8F41D7C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8F41D762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 81E5D1F0 5 Bytes JMP 8F41D7CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 81FFFF40 5 Bytes JMP 8F41D766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 8201A0F6 5 Bytes JMP 8F41D80F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 82039380 5 Bytes JMP 8F41D728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 82048D0B 5 Bytes JMP 8F41D714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 8205B96C 7 Bytes JMP 8F41D7E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8205BFC3 5 Bytes JMP 8F41D7F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8205E1D4 5 Bytes JMP 8F41D7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 8206B892 5 Bytes JMP 8F41D77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 8206DAEC 7 Bytes JMP 8F41D7B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 820CB7B7 5 Bytes JMP 8F41D73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 820CB802 7 Bytes JMP 8F41D750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 820CC2BF 5 Bytes JMP 8F41D78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\Windows\system32\drivers\pci.sys entry point in ".rsrc" section [0x8070D014]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E208340, 0x3CFE17, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[668] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 008000C7
.text C:\Windows\system32\services.exe[668] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 008000AC
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 00800F44
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 00800F55
.text C:\Windows\system32\services.exe[668] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 00800087
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 00800FCA
.text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 00800FA3
.text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 00800047
.text C:\Windows\system32\services.exe[668] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 00800F92
.text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 00800062
.text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 00800036
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 00800F81
.text C:\Windows\system32\services.exe[668] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 00800100
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 00800025
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 0080000A
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 00800FE5
.text C:\Windows\system32\services.exe[668] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 00800F70
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 00850F83
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 0085001B
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 00850FEF
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 00850F94
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 00850F72
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 00850FD4
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 0085000A
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 00850FAF
.text C:\Windows\system32\services.exe[668] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 008B0036
.text C:\Windows\system32\services.exe[668] msvcrt.dll!system 760C8B63 5 Bytes JMP 008B0FAB
.text C:\Windows\system32\services.exe[668] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 008B000A
.text C:\Windows\system32\services.exe[668] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 008B0FEF
.text C:\Windows\system32\services.exe[668] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 008B001B
.text C:\Windows\system32\services.exe[668] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 008B0FC6
.text C:\Windows\system32\services.exe[668] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 00A1000A
.text C:\Windows\system32\services.exe[668] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 00A1002F
.text C:\Windows\system32\services.exe[668] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 00A10FEF
.text C:\Windows\system32\services.exe[668] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 00A10FDE
.text C:\Windows\system32\services.exe[668] WS2_32.dll!socket 760436D1 5 Bytes JMP 008A0FE5
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 000500BD
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 000500AC
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 00050F52
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 000500E9
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 00050076
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 00050FC3
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 00050065
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 0005004A
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 00050087
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 00050FA8
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 00050039
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 00050F77
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 00050F41
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 00050FEF
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 00050000
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 00050FDE
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 000500CE
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 0006002F
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 00060F9E
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 00060000
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 00060F8D
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 00060F72
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 00060FD4
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 00060FE5
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 00060FB9
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 0078004C
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!system 760C8B63 5 Bytes JMP 00780FC1
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 00780FD2
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 00780FEF
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 00780031
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 0078000C
.text C:\Windows\system32\lsass.exe[692] WS2_32.dll!socket 760436D1 5 Bytes JMP 00070000
.text C:\Windows\system32\lsass.exe[692] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 00790FE5
.text C:\Windows\system32\lsass.exe[692] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 00790FCA
.text C:\Windows\system32\lsass.exe[692] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 00790000
.text C:\Windows\system32\lsass.exe[692] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 0079001B
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 00020F8A
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 000200D0
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 00020106
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 00020F65
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 00020089
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 00020040
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 00020FAF
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 00020FCA
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 000200AE
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 0002006C
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 00020051
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 000200BF
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 00020121
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 00020014
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 00020FEF
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 0002002F
.text C:\Windows\system32\svchost.exe[832] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 000200EB
.text C:\Windows\system32\svchost.exe[832] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 005B0F9C
.text C:\Windows\system32\svchost.exe[832] msvcrt.dll!system 760C8B63 5 Bytes JMP 005B0FAD
.text C:\Windows\system32\svchost.exe[832] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 005B0FD2
.text C:\Windows\system32\svchost.exe[832] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 005B0000
.text C:\Windows\system32\svchost.exe[832] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 005B001D
.text C:\Windows\system32\svchost.exe[832] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 005B0FEF
.text C:\Windows\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 001D0FB6
.text C:\Windows\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 001D0047
.text C:\Windows\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 001D0FEF
.text C:\Windows\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 001D0058
.text C:\Windows\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 001D0FA5
.text C:\Windows\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 001D0025
.text C:\Windows\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 001D0014
.text C:\Windows\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 001D0036
.text C:\Windows\system32\svchost.exe[832] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 005C000A
.text C:\Windows\system32\svchost.exe[832] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 005C0FDE
.text C:\Windows\system32\svchost.exe[832] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 005C0FEF
.text C:\Windows\system32\svchost.exe[832] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 005C0FCD
.text C:\Windows\system32\svchost.exe[832] WS2_32.dll!socket 760436D1 5 Bytes JMP 005A0000
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 00D800B3
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 00D80098
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 00D800F0
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 00D800DF
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 00D80062
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 00D80FB9
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 00D80051
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 00D8002F
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 00D80F6D
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 00D80040
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 00D80FA8
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 00D8007D
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 00D80F3E
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 00D8000A
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 00D80FEF
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 00D80FD4
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 00D800CE
.text C:\Windows\system32\svchost.exe[848] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 00DF004E
.text C:\Windows\system32\svchost.exe[848] msvcrt.dll!system 760C8B63 5 Bytes JMP 00DF0FB9
.text C:\Windows\system32\svchost.exe[848] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 00DF0FDE
.text C:\Windows\system32\svchost.exe[848] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 00DF0FEF
.text C:\Windows\system32\svchost.exe[848] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 00DF0029
.text C:\Windows\system32\svchost.exe[848] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 00DF000C
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 00D90F83
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 00D90FAF
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 00D90FEF
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 00D90F94
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 00D90040
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 00D9001B
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 00D90000
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 00D90FC0
.text C:\Windows\system32\svchost.exe[848] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 00E50FEF
.text C:\Windows\system32\svchost.exe[848] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 00E50FC3
.text C:\Windows\system32\svchost.exe[848] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 00E50FD4
.text C:\Windows\system32\svchost.exe[848] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 00E50014
.text C:\Windows\system32\svchost.exe[848] WS2_32.dll!socket 760436D1 5 Bytes JMP 00DE000A
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 00290F4E
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 00290F69
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 00290F07
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 00290F18
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 00290F95
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 00290FCD
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 0029006F
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 00290043
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 00290F7A
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 00290054
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 00290FBC
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 0029008A
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 002900B9
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 00290FDE
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 00290FEF
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 0029001E
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 00290F29
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 00780078
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!system 760C8B63 5 Bytes JMP 00780FE3
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 00780038
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 00780000
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 00780049
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 00780011
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 00720FA8
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 00720040
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 00720FEF
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 00720FB9
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 0072006F
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 0072001B
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 0072000A
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 00720FCA
.text C:\Windows\system32\svchost.exe[956] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 009A0FEF
.text C:\Windows\system32\svchost.exe[956] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 009A0FCA
.text C:\Windows\system32\svchost.exe[956] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 009A000A
.text C:\Windows\system32\svchost.exe[956] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 009A0FB9
.text C:\Windows\system32\svchost.exe[956] WS2_32.dll!socket 760436D1 5 Bytes JMP 00730000
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 009A0F48
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 009A008E
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 009A0F01
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 009A0F12
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 009A0062
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 009A0FD4
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 009A0F88
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 009A0040
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 009A007D
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 009A0051
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 009A0FC3
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 009A0F6D
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 009A00B3
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 009A0FE5
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 009A0000
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 009A0025
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 009A0F37
.text C:\Windows\System32\svchost.exe[1060] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 00A5001E
.text C:\Windows\System32\svchost.exe[1060] msvcrt.dll!system 760C8B63 5 Bytes JMP 00A50F93
.text C:\Windows\System32\svchost.exe[1060] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 00A50FB5
.text C:\Windows\System32\svchost.exe[1060] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 00A50FEF
.text C:\Windows\System32\svchost.exe[1060] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 00A50FA4
.text C:\Windows\System32\svchost.exe[1060] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 00A50FD2
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 009B0F9E
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 009B0036
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 009B0FEF
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 009B0FB9
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 009B005B
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 009B0FD4
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 009B0014
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 009B0025
.text C:\Windows\System32\svchost.exe[1060] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 00A6000A
.text C:\Windows\System32\svchost.exe[1060] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 00A60025
.text C:\Windows\System32\svchost.exe[1060] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 00A60FEF
.text C:\Windows\System32\svchost.exe[1060] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 00A60040
.text C:\Windows\System32\svchost.exe[1060] WS2_32.dll!socket 760436D1 5 Bytes JMP 009C0FE5
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 00DE00C9
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 00DE00B8
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 00DE011A
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 00DE00FF
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 00DE0F9E
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 00DE0FE5
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 00DE0078
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 00DE0FCA
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 00DE0F83
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 00DE0FAF
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 00DE0051
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 00DE0093
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 00DE0F68
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 00DE0025
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 00DE0000
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 00DE0036
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 00DE00EE
.text C:\Windows\System32\svchost.exe[1084] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 00EC004C
.text C:\Windows\System32\svchost.exe[1084] msvcrt.dll!system 760C8B63 5 Bytes JMP 00EC0031
.text C:\Windows\System32\svchost.exe[1084] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 00EC0FC8
.text C:\Windows\System32\svchost.exe[1084] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 00EC0FEF
.text C:\Windows\System32\svchost.exe[1084] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 00EC0FB7
.text C:\Windows\System32\svchost.exe[1084] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 00EC000C
.text C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 00E60FA5
.text C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 00E60FD1
.text C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 00E60000
.text C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 00E60FB6
.text C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 00E60F94
.text C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 00E6002C
.text C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 00E60011
.text C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 00E6003D
.text C:\Windows\System32\svchost.exe[1084] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 00F90000
.text C:\Windows\System32\svchost.exe[1084] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 00F90011
.text C:\Windows\System32\svchost.exe[1084] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 00F90FE5
.text C:\Windows\System32\svchost.exe[1084] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 00F90FC0
.text C:\Windows\System32\svchost.exe[1084] WS2_32.dll!socket 760436D1 5 Bytes JMP 00E70FE5
.text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtProtectVirtualMemory 77348968 5 Bytes JMP 0063000A
.text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtWriteVirtualMemory 773492A8 5 Bytes JMP 0064000A
.text C:\Windows\system32\svchost.exe[1144] ntdll.dll!KiUserExceptionDispatcher 773499E8 5 Bytes JMP 0062000A
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 01260F6B
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 012600A7
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 012600E7
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 01260F46
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 01260F90
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 0126002F
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 01260FA1
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 01260FCD
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 0126007B
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 01260FB2
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 01260054
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 0126008C
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 01260F35
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 01260FDE
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 01260FEF
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 01260014
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 012600C2
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 012D0053
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!system 760C8B63 5 Bytes JMP 012D0042
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 012D0FE3
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 012D0000
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 012D0FC8
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 012D0011
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 012B0FAF
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 012B0036
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 012B0000
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 012B0051
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 012B0F94
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 012B0FDB
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 012B0011
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 012B0FCA
.text C:\Windows\system32\svchost.exe[1144] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 015F0FEF
.text C:\Windows\system32\svchost.exe[1144] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 015F001B
.text C:\Windows\system32\svchost.exe[1144] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 015F000A
.text C:\Windows\system32\svchost.exe[1144] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 015F0FD4
.text C:\Windows\system32\svchost.exe[1144] WS2_32.dll!socket 760436D1 5 Bytes JMP 012C0FEF
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 00CB00D8
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 00CB0F88
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 00CB0104
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 00CB0F6D
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 00CB0FAD
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 00CB0036
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 00CB0FCA
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 00CB006C
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 00CB00A2
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 00CB007D
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 00CB005B
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 00CB00B3
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 00CB0F52
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 00CB000A
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 00CB0FEF
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 00CB001B
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 00CB00E9
.text C:\Windows\system32\svchost.exe[1312] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 00E20FA3
.text C:\Windows\system32\svchost.exe[1312] msvcrt.dll!system 760C8B63 5 Bytes JMP 00E2002E
.text C:\Windows\system32\svchost.exe[1312] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 00E20FD2
.text C:\Windows\system32\svchost.exe[1312] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 00E20000
.text C:\Windows\system32\svchost.exe[1312] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 00E2001D
.text C:\Windows\system32\svchost.exe[1312] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 00E20FE3
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 00CC002C
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 00CC001B
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 00CC0000
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 00CC0F8A
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 00CC0F79
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 00CC0FCA
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 00CC0FE5
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 00CC0FB9
.text C:\Windows\system32\svchost.exe[1312] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 00E30FEF
.text C:\Windows\system32\svchost.exe[1312] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 00E30FB9
.text C:\Windows\system32\svchost.exe[1312] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 00E30FDE
.text C:\Windows\system32\svchost.exe[1312] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 00E30FA8
.text C:\Windows\system32\svchost.exe[1312] WS2_32.dll!socket 760436D1 5 Bytes JMP 00E10FEF
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 00020065
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 00020F1F
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 0002009B
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 0002008A
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 00020F52
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 00020FAF
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 0002002C
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 00020F79
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 00020F41
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 0002001B
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 00020F94
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 00020F30
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 000200AC
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 0002000A
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 00020FEF
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 00020FD4
.text C:\Windows\system32\svchost.exe[1464] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 00020F0E
.text C:\Windows\system32\svchost.exe[1464] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 00B50FB9
.text C:\Windows\system32\svchost.exe[1464] msvcrt.dll!system 760C8B63 5 Bytes JMP 00B50044
.text C:\Windows\system32\svchost.exe[1464] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 00B50FD4
.text C:\Windows\system32\svchost.exe[1464] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 00B50000
.text C:\Windows\system32\svchost.exe[1464] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 00B50029
.text C:\Windows\system32\svchost.exe[1464] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 00B50FEF
.text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 00AA006F
.text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 00AA0FCD
.text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 00AA0FEF
.text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 00AA004A
.text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 00AA0080
.text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 00AA001E
.text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 00AA0FDE
.text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 00AA0039
.text C:\Windows\system32\svchost.exe[1464] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 00B6000A
.text C:\Windows\system32\svchost.exe[1464] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 00B60FE5
.text C:\Windows\system32\svchost.exe[1464] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 00B6001B
.text C:\Windows\system32\svchost.exe[1464] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 00B60040
.text C:\Windows\system32\svchost.exe[1464] WS2_32.dll!socket 760436D1 5 Bytes JMP 00B40000
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 002900B2
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 002900A1
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 002900EF
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 002900DE
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 00290064
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 0029001B
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 00290F8A
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 00290FAF
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 00290075
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 00290047
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 00290036
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 00290086
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 00290F3D
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 0029000A
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 00290FEF
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 00290FD4
.text C:\Windows\system32\svchost.exe[1568] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 002900CD
.text C:\Windows\system32\svchost.exe[1568] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 00800FB9
.text C:\Windows\system32\svchost.exe[1568] msvcrt.dll!system 760C8B63 5 Bytes JMP 00800044
.text C:\Windows\system32\svchost.exe[1568] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 00800FDE
.text C:\Windows\system32\svchost.exe[1568] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 00800FEF
.text C:\Windows\system32\svchost.exe[1568] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 00800029
.text C:\Windows\system32\svchost.exe[1568] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 0080000C
.text C:\Windows\system32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 007A006C
.text C:\Windows\system32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 007A005B
.text C:\Windows\system32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 007A0000
.text C:\Windows\system32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 007A0FD4
.text C:\Windows\system32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 007A007D
.text C:\Windows\system32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 007A0FEF
.text C:\Windows\system32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 007A0025
.text C:\Windows\system32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 007A0040
.text C:\Windows\system32\svchost.exe[1568] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 00810000
.text C:\Windows\system32\svchost.exe[1568] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 00810FCA
.text C:\Windows\system32\svchost.exe[1568] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 00810FDB
.text C:\Windows\system32\svchost.exe[1568] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 00810FAF
.text C:\Windows\system32\svchost.exe[1568] WS2_32.dll!socket 760436D1 5 Bytes JMP 007B0FEF
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 007100BA
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 00710F7E
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 00710F48
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 00710F59
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 00710F99
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 00710025
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 0071007D
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 00710051
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 0071008E
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 00710062
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 00710036
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 0071009F
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 00710F37
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 00710FE5
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 00710000
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 00710FD4
.text C:\Windows\system32\svchost.exe[1864] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 007100D5
.text C:\Windows\system32\svchost.exe[1864] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 0078004E
.text C:\Windows\system32\svchost.exe[1864] msvcrt.dll!system 760C8B63 5 Bytes JMP 00780033
.text C:\Windows\system32\svchost.exe[1864] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 00780FD7
.text C:\Windows\system32\svchost.exe[1864] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 00780000
.text C:\Windows\system32\svchost.exe[1864] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 00780022
.text C:\Windows\system32\svchost.exe[1864] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 00780011
.text C:\Windows\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 00760036
.text C:\Windows\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 00760F94
.text C:\Windows\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 00760FEF
.text C:\Windows\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 00760025
.text C:\Windows\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 00760F6F
.text C:\Windows\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 00760000
.text C:\Windows\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 00760FD4
.text C:\Windows\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 00760FAF
.text C:\Windows\system32\svchost.exe[1864] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 009A0FE5
.text C:\Windows\system32\svchost.exe[1864] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 009A0FB9
.text C:\Windows\system32\svchost.exe[1864] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 009A0FCA
.text C:\Windows\system32\svchost.exe[1864] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 009A0FA8
.text C:\Windows\system32\svchost.exe[1864] WS2_32.dll!socket 760436D1 5 Bytes JMP 00770000
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 001500A2
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 00150087
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 00150F1F
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 00150F30
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 00150051
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 00150040
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 00150F83
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 00150FB9
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 00150F5C
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 00150F94
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 00150FCA
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 00150076
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 001500D1
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 00150014
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 00150FEF
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 00150025
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 00150F4B
.text C:\Windows\system32\svchost.exe[2068] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 002F0FB0
.text C:\Windows\system32\svchost.exe[2068] msvcrt.dll!system 760C8B63 5 Bytes JMP 002F0FC1
.text C:\Windows\system32\svchost.exe[2068] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 002F0FE3
.text C:\Windows\system32\svchost.exe[2068] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 002F0000
.text C:\Windows\system32\svchost.exe[2068] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 002F0FD2
.text C:\Windows\system32\svchost.exe[2068] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 002F0011
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 00290065
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 00290FCD
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 00290000
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 0029004A
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 00290080
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 0029002F
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 00290FEF
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 00290FDE
.text C:\Windows\system32\svchost.exe[2068] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 00300000
.text C:\Windows\system32\svchost.exe[2068] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 0030001B
.text C:\Windows\system32\svchost.exe[2068] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 00300FE5
.text C:\Windows\system32\svchost.exe[2068] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 0030002C
.text C:\Windows\system32\svchost.exe[2068] WS2_32.dll!socket 760436D1 5 Bytes JMP 002E0FEF
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 00FB00AB
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 00FB0F65
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 00FB0F25
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 00FB0F40
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 00FB0F80
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 00FB002C
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 00FB0F9B
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 00FB004E
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 00FB0075
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 00FB0FAC
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 00FB003D
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 00FB0090
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 00FB0F0A
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 00FB001B
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 00FB0000
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 00FB0FE5
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 00FB00BC
.text C:\Windows\system32\svchost.exe[2272] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 012D0055
.text C:\Windows\system32\svchost.exe[2272] msvcrt.dll!system 760C8B63 5 Bytes JMP 012D0FC0
.text C:\Windows\system32\svchost.exe[2272] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 012D0029
.text C:\Windows\system32\svchost.exe[2272] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 012D0FEF
.text C:\Windows\system32\svchost.exe[2272] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 012D003A
.text C:\Windows\system32\svchost.exe[2272] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 012D000C
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 01230FAF
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 01230051
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 01230FEF
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 01230FCA
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 0123006C
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 01230025
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 01230014
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 01230036
.text C:\Windows\system32\svchost.exe[2272] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 01320FEF
.text C:\Windows\system32\svchost.exe[2272] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 0132002F
.text C:\Windows\system32\svchost.exe[2272] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 01320014
.text C:\Windows\system32\svchost.exe[2272] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 01320FDE
.text C:\Windows\system32\svchost.exe[2272] WS2_32.dll!socket 760436D1 5 Bytes JMP 01240FEF
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 000200C9
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 000200AE
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 000200EB
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 00020F54
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 00020F8D
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 00020025
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 00020F9E
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 00020051
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!VirtualProtectEx 75D08D7E 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 00020082
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 00020FAF
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 00020040
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 00020093
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 00020106
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 0002000A
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 00020FE5
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 00020FD4
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 000200DA
.text C:\Windows\System32\svchost.exe[2336] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 00270F92
.text C:\Windows\System32\svchost.exe[2336] msvcrt.dll!system 760C8B63 5 Bytes JMP 00270FAD
.text C:\Windows\System32\svchost.exe[2336] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 0027001D
.text C:\Windows\System32\svchost.exe[2336] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 00270FEF
.text C:\Windows\System32\svchost.exe[2336] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 00270FBE
.text C:\Windows\System32\svchost.exe[2336] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 0027000C
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 00150FAF
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 00150FC0
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 00150FE5
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 00150051
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 00150F9E
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 00150011
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 00150000
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 0015002C
.text C:\Windows\System32\svchost.exe[2336] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 00280000
.text C:\Windows\System32\svchost.exe[2336] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 00280FDE
.text C:\Windows\System32\svchost.exe[2336] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 00280FEF
.text C:\Windows\System32\svchost.exe[2336] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 00280FB9
.text C:\Windows\Explorer.EXE[3064] ntdll.dll!NtProtectVirtualMemory 77348968 5 Bytes JMP 007B000A
.text C:\Windows\Explorer.EXE[3064] ntdll.dll!NtWriteVirtualMemory 773492A8 5 Bytes JMP 007C000A
.text C:\Windows\Explorer.EXE[3064] ntdll.dll!KiUserExceptionDispatcher 773499E8 5 Bytes JMP 007A000A
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 00BD0096
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 00BD0F50
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 00BD00DD
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 00BD00C2
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 00BD0F86
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 00BD002F
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 00BD0F97
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 00BD0054
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 00BD0071
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 00BD0FB2
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 00BD0FC3
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 00BD0F6B
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 00BD0F21
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 00BD0014
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 00BD0FEF
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 00BD0FDE
.text C:\Windows\Explorer.EXE[3064] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 00BD00B1
.text C:\Windows\Explorer.EXE[3064] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 00BE0051
.text C:\Windows\Explorer.EXE[3064] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 00BE0025
.text C:\Windows\Explorer.EXE[3064] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 00BE0FEF
.text C:\Windows\Explorer.EXE[3064] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 00BE0036
.text C:\Windows\Explorer.EXE[3064] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 00BE0062
.text C:\Windows\Explorer.EXE[3064] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 00BE0FD4
.text C:\Windows\Explorer.EXE[3064] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 00BE000A
.text C:\Windows\Explorer.EXE[3064] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 00BE0FC3
.text C:\Windows\Explorer.EXE[3064] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 03C7004A
.text C:\Windows\Explorer.EXE[3064] msvcrt.dll!system 760C8B63 5 Bytes JMP 03C70FB5
.text C:\Windows\Explorer.EXE[3064] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 03C70000
.text C:\Windows\Explorer.EXE[3064] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 03C70FEF
.text C:\Windows\Explorer.EXE[3064] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 03C70025
.text C:\Windows\Explorer.EXE[3064] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 03C70FD2
.text C:\Windows\Explorer.EXE[3064] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 03C80000
.text C:\Windows\Explorer.EXE[3064] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 03C80036
.text C:\Windows\Explorer.EXE[3064] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 03C8001B
.text C:\Windows\Explorer.EXE[3064] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 03C80FEF
.text C:\Windows\Explorer.EXE[3064] WS2_32.dll!socket 760436D1 5 Bytes JMP 031B0000
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!GetStartupInfoW 75CE1929 5 Bytes JMP 000200A4
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!GetStartupInfoA 75CE19C9 5 Bytes JMP 0002007F
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!CreateProcessW 75CE1C01 5 Bytes JMP 00020F25
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!CreateProcessA 75CE1C36 5 Bytes JMP 000200C6
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!VirtualProtect 75CE1DD1 5 Bytes JMP 00020F6F
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!CreateNamedPipeW 75CE5C44 5 Bytes JMP 0002001B
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!LoadLibraryExW 75D030C3 5 Bytes JMP 00020053
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!LoadLibraryW 75D0361F 5 Bytes JMP 0002002C
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!VirtualProtectEx 75D08D7E 5 Bytes JMP 0002006E
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!LoadLibraryExA 75D09469 5 Bytes JMP 00020F8A
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!LoadLibraryA 75D09491 5 Bytes JMP 00020FAF
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!CreatePipe 75D10284 5 Bytes JMP 00020F5E
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!GetProcAddress 75D2B8B6 5 Bytes JMP 000200D7
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!CreateFileW 75D2CC4E 5 Bytes JMP 00020FD4
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!CreateFileA 75D2CF71 5 Bytes JMP 00020FEF
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!CreateNamedPipeA 75D7430E 5 Bytes JMP 0002000A
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!WinExec 75D754FF 5 Bytes JMP 000200B5
.text C:\Windows\system32\svchost.exe[4088] msvcrt.dll!_wsystem 760C8A47 5 Bytes JMP 000A0F95
.text C:\Windows\system32\svchost.exe[4088] msvcrt.dll!system 760C8B63 5 Bytes JMP 000A0020
.text C:\Windows\system32\svchost.exe[4088] msvcrt.dll!_creat 760CC6F1 5 Bytes JMP 000A0FC1
.text C:\Windows\system32\svchost.exe[4088] msvcrt.dll!_open 760CDA7E 5 Bytes JMP 000A0FE3
.text C:\Windows\system32\svchost.exe[4088] msvcrt.dll!_wcreat 760CDC9E 5 Bytes JMP 000A0FA6
.text C:\Windows\system32\svchost.exe[4088] msvcrt.dll!_wopen 760CDE79 5 Bytes JMP 000A0FD2
.text C:\Windows\system32\svchost.exe[4088] ADVAPI32.dll!RegCreateKeyExA 75EFB5E7 5 Bytes JMP 000B006C
.text C:\Windows\system32\svchost.exe[4088] ADVAPI32.dll!RegCreateKeyA 75EFB8AE 5 Bytes JMP 000B0036
.text C:\Windows\system32\svchost.exe[4088] ADVAPI32.dll!RegOpenKeyA 75F00BF5 5 Bytes JMP 000B000A
.text C:\Windows\system32\svchost.exe[4088] ADVAPI32.dll!RegCreateKeyW 75F0B83D 5 Bytes JMP 000B0051
.text C:\Windows\system32\svchost.exe[4088] ADVAPI32.dll!RegCreateKeyExW 75F0BCE1 5 Bytes JMP 000B0FAF
.text C:\Windows\system32\svchost.exe[4088] ADVAPI32.dll!RegOpenKeyExA 75F0D4E8 5 Bytes JMP 000B0FD4
.text C:\Windows\system32\svchost.exe[4088] ADVAPI32.dll!RegOpenKeyW 75F13CB0 5 Bytes JMP 000B0FE5
.text C:\Windows\system32\svchost.exe[4088] ADVAPI32.dll!RegOpenKeyExW 75F1F09D 5 Bytes JMP 000B0025
.text C:\Windows\system32\svchost.exe[4088] WININET.dll!InternetOpenA 76EC0A4D 5 Bytes JMP 00110FEF
.text C:\Windows\system32\svchost.exe[4088] WININET.dll!InternetOpenUrlA 76EC2713 5 Bytes JMP 00110FCA
.text C:\Windows\system32\svchost.exe[4088] WININET.dll!InternetOpenW 76EC30C8 5 Bytes JMP 00110000
.text C:\Windows\system32\svchost.exe[4088] WININET.dll!InternetOpenUrlW 76F184F1 5 Bytes JMP 00110025
.text C:\Windows\system32\svchost.exe[4088] WS2_32.dll!socket 760436D1 5 Bytes JMP 00010FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 8542FEE4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\pci.sys suspicious modification
File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#4 schrauber


Posted 13 May 2010 - 04:13 PM

Hi,


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
TDL::
C:\Windows\system32\drivers\pci.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#5 GEA@Eaton


Posted 16 May 2010 - 11:40 AM

OK - I ran Combofix as instructed, the scan seemed to run fine - however, when Combofix attempted to reboot the computer the 2nd time, Windows would not boot and System Repair took over - System Repair rebooted Windows successfully, however I was not able to locate the Combofix log - it did not seem to get to that point. Should I attempt to re-run Combofix?

#6 schrauber


Posted 17 May 2010 - 04:09 PM

No, please post back with a fresh Gmer logfile.
regards,
schrauber


#7 GEA@Eaton


Posted 18 May 2010 - 05:06 PM

OK - here are Gmer scans from today:

Quick Scan

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-18 17:58:14
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\gary\AppData\Local\Temp\uwlciuog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x90E6D79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x90E6D738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x90E6D74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x90E6D7DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x90E6D710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x90E6D724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x90E6D7B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x90E6D78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x90E6D776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x90E6D80B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x90E6D7F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x90E6D7C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x90E6D762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----


Full Scan (as much as I could get the computer to do before crashing)


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-18 17:59:38
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\gary\AppData\Local\Temp\uwlciuog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x90E6D79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x90E6D738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x90E6D74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x90E6D7DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x90E6D710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x90E6D724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x90E6D7B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x90E6D78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x90E6D776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x90E6D80B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x90E6D7F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x90E6D7C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x90E6D762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 81E489D2 5 Bytes JMP 90E6D7CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 81FE6B82 5 Bytes JMP 90E6D766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 8200DDA3 5 Bytes JMP 90E6D80F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 8202D4FA 7 Bytes JMP 90E6D7E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8202D7BD 5 Bytes JMP 90E6D7F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82031528 5 Bytes JMP 90E6D77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 82036F3D 2 Bytes JMP 90E6D7B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory + 3 82036F40 4 Bytes [E3, 0E, 90, 90] {JECXZ 0x10; NOP ; NOP }
PAGE ntkrnlpa.exe!NtOpenThread 8203915A 5 Bytes JMP 90E6D728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 8203DC08 5 Bytes JMP 90E6D714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8205EE19 5 Bytes JMP 90E6D7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 820AE847 5 Bytes JMP 90E6D73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 820AE892 7 Bytes JMP 90E6D750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 820AF34F 5 Bytes JMP 90E6D78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E403340, 0x3CFE17, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[664] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 001300F2
.text C:\Windows\system32\services.exe[664] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 00130FAC
.text C:\Windows\system32\services.exe[664] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 0013012F
.text C:\Windows\system32\services.exe[664] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 00130114
.text C:\Windows\system32\services.exe[664] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 001300A1
.text C:\Windows\system32\services.exe[664] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 0013002C
.text C:\Windows\system32\services.exe[664] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 00130047
.text C:\Windows\system32\services.exe[664] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 001300CD
.text C:\Windows\system32\services.exe[664] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 00130FC7
.text C:\Windows\system32\services.exe[664] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 00130069
.text C:\Windows\system32\services.exe[664] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 00130084
.text C:\Windows\system32\services.exe[664] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 00130058
.text C:\Windows\system32\services.exe[664] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 001300BC
.text C:\Windows\system32\services.exe[664] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 00130140
.text C:\Windows\system32\services.exe[664] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 0013001B
.text C:\Windows\system32\services.exe[664] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 00130000
.text C:\Windows\system32\services.exe[664] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 00130103
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 0010005B
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 00100FD4
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 0010000A
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 00100FB9
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 00100F9E
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 00100036
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 0010001B
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 00100FE5
.text C:\Windows\system32\services.exe[664] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 000F0FA1
.text C:\Windows\system32\services.exe[664] msvcrt.dll!system 7630804B 5 Bytes JMP 000F0FB2
.text C:\Windows\system32\services.exe[664] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 000F0FCD
.text C:\Windows\system32\services.exe[664] msvcrt.dll!_open 7630D106 5 Bytes JMP 000F0000
.text C:\Windows\system32\services.exe[664] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 000F0022
.text C:\Windows\system32\services.exe[664] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 000F0011
.text C:\Windows\system32\services.exe[664] WS2_32.dll!socket 766836D1 5 Bytes JMP 00120000
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 002200AC
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 00220F66
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 002200D1
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 00220F3A
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 00220091
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 00220FDE
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 00220FCD
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 00220F81
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 00220076
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 0022004A
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 0022005B
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 0022002F
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 00220F9C
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 002200EC
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 00220FEF
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 0022000A
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 00220F4B
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 000F0051
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 000F0FAF
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 000F000A
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 000F0036
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 000F0062
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 000F0FE5
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 000F001B
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 000F0FC0
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 000E0FD9
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!system 7630804B 5 Bytes JMP 000E005A
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 000E002E
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_open 7630D106 5 Bytes JMP 000E0000
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 000E003F
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 000E001D
.text C:\Windows\system32\lsass.exe[708] WS2_32.dll!socket 766836D1 5 Bytes JMP 00100000
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 009200D4
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 009200C3
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 00920F58
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 009200F9
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 00920FAC
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 0092001B
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 0092002C
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 009200B2
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 0092007A
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 00920058
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 00920069
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 0092003D
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 009200A1
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 00920F47
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 00920000
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 00920FE5
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 00920F73
.text C:\Windows\system32\svchost.exe[780] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 008E002E
.text C:\Windows\system32\svchost.exe[780] msvcrt.dll!system 7630804B 5 Bytes JMP 008E0FAD
.text C:\Windows\system32\svchost.exe[780] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 008E0FD2
.text C:\Windows\system32\svchost.exe[780] msvcrt.dll!_open 7630D106 5 Bytes JMP 008E0000
.text C:\Windows\system32\svchost.exe[780] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 008E001D
.text C:\Windows\system32\svchost.exe[780] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 008E0FEF
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 00900047
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 00900011
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 00900000
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 00900036
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 00900058
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 00900FC0
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 00900FDB
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 00900FAF
.text C:\Windows\system32\svchost.exe[780] Ws2_32.dll!socket 766836D1 5 Bytes JMP 00910FEF
.text C:\Windows\system32\svchost.exe[780] Wininet.dll!InternetOpenA 75F9D690 5 Bytes JMP 008B0FEF
.text C:\Windows\system32\svchost.exe[780] Wininet.dll!InternetOpenW 75F9DB09 5 Bytes JMP 008B000A
.text C:\Windows\system32\svchost.exe[780] Wininet.dll!InternetOpenUrlA 75F9F3A4 5 Bytes JMP 008B0FD4
.text C:\Windows\system32\svchost.exe[780] Wininet.dll!InternetOpenUrlW 75FE6DDF 5 Bytes JMP 008B0025
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 005F00AC
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 005F0091
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 005F0F29
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 005F0F3A
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 005F0F81
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 005F0FD4
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 005F0025
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 005F0F66
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 005F005B
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 005F0040
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 005F0F9E
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 005F0FB9
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 005F0076
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 005F00DB
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 005F0014
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 005F0FEF
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 005F0F4B
.text C:\Windows\system32\svchost.exe[896] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 005C005D
.text C:\Windows\system32\svchost.exe[896] msvcrt.dll!system 7630804B 5 Bytes JMP 005C0042
.text C:\Windows\system32\svchost.exe[896] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 005C001D
.text C:\Windows\system32\svchost.exe[896] msvcrt.dll!_open 7630D106 5 Bytes JMP 005C0FE3
.text C:\Windows\system32\svchost.exe[896] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 005C0FC8
.text C:\Windows\system32\svchost.exe[896] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 005C0000
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 005D0F9E
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 005D0FAF
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 005D0FE5
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 005D0036
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 005D0F83
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 005D0FD4
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 005D0000
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 005D0025
.text C:\Windows\system32\svchost.exe[896] WS2_32.dll!socket 766836D1 5 Bytes JMP 005E0000
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 007700D1
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 007700C0
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 007700F3
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 00770F66
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 007700A5
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 0077002F
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 00770040
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 00770F95
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 00770FCD
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 00770076
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 00770FDE
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 00770065
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 00770FA6
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 00770104
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 00770FEF
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 0077000A
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 007700E2
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 000F0F9F
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!system 7630804B 5 Bytes JMP 000F0FB0
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 000F0FD2
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!_open 7630D106 5 Bytes JMP 000F0FE3
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 000F0FC1
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 000F000C
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 0010003D
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 00100FA5
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 00100000
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 0010002C
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 00100F80
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 00100011
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 00100FDB
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 00100FC0
.text C:\Windows\system32\svchost.exe[968] WS2_32.dll!socket 766836D1 5 Bytes JMP 00650000
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 009000B5
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 009000A4
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 009000E1
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 009000D0
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 0090005D
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 00900FD4
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 00900025
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 00900093
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 00900F83
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 00900F9E
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 00900040
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 00900FAF
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 00900078
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 009000F2
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 00900FE5
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 00900000
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 00900F54
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 0073002C
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!system 7630804B 5 Bytes JMP 00730FA1
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 00730FC6
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!_open 7630D106 5 Bytes JMP 00730FE3
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 0073001B
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 00730000
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 008C0058
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 008C0047
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 008C0000
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 008C0FC0
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 008C0073
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 008C0036
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 008C001B
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 008C0FDB
.text C:\Windows\System32\svchost.exe[1108] WS2_32.dll!socket 766836D1 5 Bytes JMP 008D000A
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 009C0F29
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 009C0F3A
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 009C0EFD
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 009C0F0E
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 009C0F66
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 009C0011
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 009C0022
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 009C005B
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 009C0F77
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 009C0FA5
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 009C0F94
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 009C0FC0
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 009C0F4B
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 009C0EE2
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 009C0000
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 009C0FEF
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 009C008A
.text C:\Windows\System32\svchost.exe[1136] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 00910F90
.text C:\Windows\System32\svchost.exe[1136] msvcrt.dll!system 7630804B 5 Bytes JMP 00910FA1
.text C:\Windows\System32\svchost.exe[1136] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 00910FD7
.text C:\Windows\System32\svchost.exe[1136] msvcrt.dll!_open 7630D106 5 Bytes JMP 00910000
.text C:\Windows\System32\svchost.exe[1136] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 00910FB2
.text C:\Windows\System32\svchost.exe[1136] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 00910011
.text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 00960FB9
.text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 00960FD4
.text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 00960000
.text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 0096005B
.text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 00960080
.text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 0096002C
.text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 00960011
.text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 00960FE5
.text C:\Windows\System32\svchost.exe[1136] WS2_32.dll!socket 766836D1 5 Bytes JMP 009B0FEF
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 01380089
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 01380078
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 013800AB
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 01380F14
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 01380F72
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 01380FCA
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 0138001B
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 01380F4D
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 01380F83
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 01380040
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 01380F9E
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 01380FB9
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 0138005D
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 013800C6
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 01380FE5
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 01380000
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 0138009A
.text C:\Windows\system32\svchost.exe[1148] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 01100070
.text C:\Windows\system32\svchost.exe[1148] msvcrt.dll!system 7630804B 5 Bytes JMP 01100055
.text C:\Windows\system32\svchost.exe[1148] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 01100044
.text C:\Windows\system32\svchost.exe[1148] msvcrt.dll!_open 7630D106 5 Bytes JMP 01100000
.text C:\Windows\system32\svchost.exe[1148] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 01100FE5
.text C:\Windows\system32\svchost.exe[1148] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 01100029
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 01190FC3
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 0119004A
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 0119000A
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 01190065
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 01190FA8
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 01190025
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 01190FE5
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 01190FD4
.text C:\Windows\system32\svchost.exe[1148] WS2_32.dll!socket 766836D1 5 Bytes JMP 01320FEF
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 00180F8A
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 001800D0
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 00180F39
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 00180F54
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 00180FB6
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 0018001B
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 00180036
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 001800AB
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 00180084
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 00180058
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 00180073
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 00180047
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 00180F9B
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 001800EB
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 00180FE5
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 00180000
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 00180F6F
.text C:\Windows\system32\svchost.exe[1236] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 00070FB7
.text C:\Windows\system32\svchost.exe[1236] msvcrt.dll!system 7630804B 5 Bytes JMP 00070FD2
.text C:\Windows\system32\svchost.exe[1236] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 00070FE3
.text C:\Windows\system32\svchost.exe[1236] msvcrt.dll!_open 7630D106 5 Bytes JMP 00070000
.text C:\Windows\system32\svchost.exe[1236] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 00070038
.text C:\Windows\system32\svchost.exe[1236] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 00070011
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 00080025
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 0008000A
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 00080FEF
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 00080F83
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 00080040
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 00080FB9
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 00080FD4
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 00080F9E
.text C:\Windows\system32\svchost.exe[1236] WS2_32.dll!socket 766836D1 5 Bytes JMP 0009000A
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 00A20F46
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 00A20F61
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 00A20F2B
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 00A200B8
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 00A20F7C
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 00A20FC3
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 00A20014
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 00A2008C
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 00A20F8D
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 00A2004A
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 00A20F9E
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 00A2002F
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 00A20071
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 00A200DD
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 00A20FD4
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 00A20FEF
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 00A200A7
.text C:\Windows\system32\svchost.exe[1384] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 009F005D
.text C:\Windows\system32\svchost.exe[1384] msvcrt.dll!system 7630804B 5 Bytes JMP 009F0042
.text C:\Windows\system32\svchost.exe[1384] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 009F0016
.text C:\Windows\system32\svchost.exe[1384] msvcrt.dll!_open 7630D106 5 Bytes JMP 009F0FEF
.text C:\Windows\system32\svchost.exe[1384] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 009F0027
.text C:\Windows\system32\svchost.exe[1384] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 009F0FDE
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 00A00047
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 00A00FC0
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 00A00FE5
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 00A00FA5
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 00A00062
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 00A0001B
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 00A0000A
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 00A00036
.text C:\Windows\system32\svchost.exe[1384] WS2_32.dll!socket 766836D1 5 Bytes JMP 00A10FEF
.text C:\Windows\system32\svchost.exe[1384] WinInet.dll!InternetOpenA 75F9D690 5 Bytes JMP 00370FEF
.text C:\Windows\system32\svchost.exe[1384] WinInet.dll!InternetOpenW 75F9DB09 5 Bytes JMP 0037000A
.text C:\Windows\system32\svchost.exe[1384] WinInet.dll!InternetOpenUrlA 75F9F3A4 5 Bytes JMP 00370FCA
.text C:\Windows\system32\svchost.exe[1384] WinInet.dll!InternetOpenUrlW 75FE6DDF 5 Bytes JMP 00370FB9
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 00250F4D
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 00250093
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 002500D3
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 00250F32
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 00250F94
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 0025002C
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 0025003D
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 00250F68
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 00250FA5
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 00250FC7
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 00250FB6
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 0025004E
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 00250F83
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 002500E4
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 00250011
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 00250000
.text C:\Windows\system32\svchost.exe[1556] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 002500B8
.text C:\Windows\system32\svchost.exe[1556] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 00220040
.text C:\Windows\system32\svchost.exe[1556] msvcrt.dll!system 7630804B 5 Bytes JMP 00220025
.text C:\Windows\system32\svchost.exe[1556] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 00220FC6
.text C:\Windows\system32\svchost.exe[1556] msvcrt.dll!_open 7630D106 5 Bytes JMP 00220000
.text C:\Windows\system32\svchost.exe[1556] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 00220FB5
.text C:\Windows\system32\svchost.exe[1556] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 00220FD7
.text C:\Windows\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 00230065
.text C:\Windows\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 00230FD4
.text C:\Windows\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 0023000A
.text C:\Windows\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 00230FC3
.text C:\Windows\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 00230FA8
.text C:\Windows\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 00230036
.text C:\Windows\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 0023001B
.text C:\Windows\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 00230FEF
.text C:\Windows\system32\svchost.exe[1556] WS2_32.dll!socket 766836D1 5 Bytes JMP 00240FEF
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 009B0F41
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 009B0087
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 009B0EFA
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 009B0F15
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 009B0058
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 009B0FCA
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 009B0FB9
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 009B0F5C
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 009B0047
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 009B0025
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 009B0036
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 009B0F9E
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 009B0F6D
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 009B0EE9
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 009B0000
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 009B0FEF
.text C:\Windows\system32\svchost.exe[1560] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 009B0F26
.text C:\Windows\system32\svchost.exe[1560] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 00850F8B
.text C:\Windows\system32\svchost.exe[1560] msvcrt.dll!system 7630804B 5 Bytes JMP 00850F9C
.text C:\Windows\system32\svchost.exe[1560] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 00850FD2
.text C:\Windows\system32\svchost.exe[1560] msvcrt.dll!_open 7630D106 5 Bytes JMP 00850000
.text C:\Windows\system32\svchost.exe[1560] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 00850FB7
.text C:\Windows\system32\svchost.exe[1560] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 00850FEF
.text C:\Windows\system32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 008A0036
.text C:\Windows\system32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 008A0025
.text C:\Windows\system32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 008A0FEF
.text C:\Windows\system32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 008A0F94
.text C:\Windows\system32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 008A0F6F
.text C:\Windows\system32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 008A0FD4
.text C:\Windows\system32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 008A000A
.text C:\Windows\system32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 008A0FB9
.text C:\Windows\system32\svchost.exe[1560] WS2_32.dll!socket 766836D1 5 Bytes JMP 00960000
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 0079007D
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 0079006C
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 00790EE6
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 00790F01
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 00790F66
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 00790014
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 00790FB9
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 00790F37
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 00790F83
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 00790F94
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 00790040
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 00790025
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 00790051
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 00790ECB
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 00790FDE
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 00790FEF
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 00790F1C
.text C:\Windows\system32\svchost.exe[1876] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 00750F8B
.text C:\Windows\system32\svchost.exe[1876] msvcrt.dll!system 7630804B 5 Bytes JMP 00750F9C
.text C:\Windows\system32\svchost.exe[1876] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 00750FD2
.text C:\Windows\system32\svchost.exe[1876] msvcrt.dll!_open 7630D106 5 Bytes JMP 00750000
.text C:\Windows\system32\svchost.exe[1876] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 00750FAD
.text C:\Windows\system32\svchost.exe[1876] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 00750FE3
.text C:\Windows\system32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 00760FB9
.text C:\Windows\system32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 00760040
.text C:\Windows\system32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 00760FEF
.text C:\Windows\system32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 00760051
.text C:\Windows\system32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 00760080
.text C:\Windows\system32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 00760025
.text C:\Windows\system32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 00760014
.text C:\Windows\system32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 00760FD4
.text C:\Windows\system32\svchost.exe[1876] WS2_32.dll!socket 766836D1 5 Bytes JMP 00780FE5
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 038D0073
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 038D0062
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 038D00A9
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 038D0F12
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 038D0F4B
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 038D0FCD
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 038D0FB2
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 038D0051
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 038D0F66
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 038D002F
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 038D0F8D
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 038D001E
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 038D0040
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 038D0EF7
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 038D0FDE
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 038D0FEF
.text C:\Windows\Explorer.EXE[2132] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 038D0098
.text C:\Windows\Explorer.EXE[2132] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 03830FA8
.text C:\Windows\Explorer.EXE[2132] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 03830036
.text C:\Windows\Explorer.EXE[2132] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 03830000
.text C:\Windows\Explorer.EXE[2132] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 03830FB9
.text C:\Windows\Explorer.EXE[2132] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 03830F97
.text C:\Windows\Explorer.EXE[2132] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 0383001B
.text C:\Windows\Explorer.EXE[2132] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 03830FE5
.text C:\Windows\Explorer.EXE[2132] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 03830FCA
.text C:\Windows\Explorer.EXE[2132] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 037E003B
.text C:\Windows\Explorer.EXE[2132] msvcrt.dll!system 7630804B 5 Bytes JMP 037E0FB0
.text C:\Windows\Explorer.EXE[2132] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 037E0FD2
.text C:\Windows\Explorer.EXE[2132] msvcrt.dll!_open 7630D106 5 Bytes JMP 037E0FEF
.text C:\Windows\Explorer.EXE[2132] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 037E0FC1
.text C:\Windows\Explorer.EXE[2132] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 037E000C
.text C:\Windows\Explorer.EXE[2132] WININET.dll!InternetOpenA 75F9D690 5 Bytes JMP 037D0FEF
.text C:\Windows\Explorer.EXE[2132] WININET.dll!InternetOpenW 75F9DB09 5 Bytes JMP 037D0FDE
.text C:\Windows\Explorer.EXE[2132] WININET.dll!InternetOpenUrlA 75F9F3A4 5 Bytes JMP 037D0014
.text C:\Windows\Explorer.EXE[2132] WININET.dll!InternetOpenUrlW 75FE6DDF 5 Bytes JMP 037D0025
.text C:\Windows\Explorer.EXE[2132] WS2_32.dll!socket 766836D1 5 Bytes JMP 0388000A
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 002A0093
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 002A0F4D
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 002A00BF
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 002A00A4
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 002A005D
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 002A0FD4
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 002A002F
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 002A0F68
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 002A0F83
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 002A0040
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 002A0F9E
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 002A0FC3
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 002A0078
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 002A0F0D
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 002A0FE5
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 002A0000
.text C:\Windows\system32\svchost.exe[2660] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 002A0F32
.text C:\Windows\system32\svchost.exe[2660] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 000F003D
.text C:\Windows\system32\svchost.exe[2660] msvcrt.dll!system 7630804B 5 Bytes JMP 000F002C
.text C:\Windows\system32\svchost.exe[2660] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 000F0FC6
.text C:\Windows\system32\svchost.exe[2660] msvcrt.dll!_open 7630D106 5 Bytes JMP 000F0FE3
.text C:\Windows\system32\svchost.exe[2660] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 000F0011
.text C:\Windows\system32\svchost.exe[2660] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 000F0000
.text C:\Windows\system32\svchost.exe[2660] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 00270FA8
.text C:\Windows\system32\svchost.exe[2660] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 00270FCA
.text C:\Windows\system32\svchost.exe[2660] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 00270000
.text C:\Windows\system32\svchost.exe[2660] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 00270FB9
.text C:\Windows\system32\svchost.exe[2660] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 0027006F
.text C:\Windows\system32\svchost.exe[2660] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 0027002C
.text C:\Windows\system32\svchost.exe[2660] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 0027001B
.text C:\Windows\system32\svchost.exe[2660] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 00270FDB
.text C:\Windows\system32\svchost.exe[2660] WS2_32.dll!socket 766836D1 5 Bytes JMP 00290FE5
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 01100098
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 01100F5C
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 011000CE
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 01100F37
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 01100F88
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 01100025
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 01100040
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 01100F77
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 0110006C
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 01100FC0
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 01100FAF
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 01100051
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 01100087
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 011000DF
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 01100FEF
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 0110000A
.text C:\Windows\system32\svchost.exe[2884] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 011000B3
.text C:\Windows\system32\svchost.exe[2884] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 00DC0042
.text C:\Windows\system32\svchost.exe[2884] msvcrt.dll!system 7630804B 5 Bytes JMP 00DC0FB7
.text C:\Windows\system32\svchost.exe[2884] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 00DC0FE3
.text C:\Windows\system32\svchost.exe[2884] msvcrt.dll!_open 7630D106 5 Bytes JMP 00DC0000
.text C:\Windows\system32\svchost.exe[2884] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 00DC0FD2
.text C:\Windows\system32\svchost.exe[2884] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 00DC001D
.text C:\Windows\system32\svchost.exe[2884] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 00DE0FA5
.text C:\Windows\system32\svchost.exe[2884] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 00DE0FC7
.text C:\Windows\system32\svchost.exe[2884] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 00DE0000
.text C:\Windows\system32\svchost.exe[2884] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 00DE0FB6
.text C:\Windows\system32\svchost.exe[2884] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 00DE0F94
.text C:\Windows\system32\svchost.exe[2884] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 00DE0022
.text C:\Windows\system32\svchost.exe[2884] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 00DE0011
.text C:\Windows\system32\svchost.exe[2884] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 00DE0033
.text C:\Windows\system32\svchost.exe[2884] WS2_32.dll!socket 766836D1 5 Bytes JMP 00DF0000
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 000800B3
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 00080F6D
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 000800D8
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 00080F4B
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 00080F92
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 00080FE5
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 00080FD4
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 00080098
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 00080FA3
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 00080051
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 0008006C
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 00080040
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 0008007D
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 000800E9
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 00080011
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 00080000
.text C:\Windows\System32\svchost.exe[3020] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 00080F5C
.text C:\Windows\System32\svchost.exe[3020] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 00050FBE
.text C:\Windows\System32\svchost.exe[3020] msvcrt.dll!system 7630804B 5 Bytes JMP 00050049
.text C:\Windows\System32\svchost.exe[3020] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 0005001D
.text C:\Windows\System32\svchost.exe[3020] msvcrt.dll!_open 7630D106 5 Bytes JMP 00050FEF
.text C:\Windows\System32\svchost.exe[3020] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 00050038
.text C:\Windows\System32\svchost.exe[3020] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 00050000
.text C:\Windows\System32\svchost.exe[3020] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 0007005B
.text C:\Windows\System32\svchost.exe[3020] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 00070FC3
.text C:\Windows\System32\svchost.exe[3020] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 00070FEF
.text C:\Windows\System32\svchost.exe[3020] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 0007004A
.text C:\Windows\System32\svchost.exe[3020] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 00070FA8
.text C:\Windows\System32\svchost.exe[3020] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 0007000A
.text C:\Windows\System32\svchost.exe[3020] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 00070FDE
.text C:\Windows\System32\svchost.exe[3020] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 0007002F
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 00010F50
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 00010096
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 000100D6
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 00010F3F
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 00010056
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 00010FCD
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 00010014
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 00010F61
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 00010F72
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 00010FA8
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 00010F8D
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 00010025
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 00010067
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 000100F1
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 00010FDE
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 00010FEF
.text C:\Windows\system32\svchost.exe[3876] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 000100BB
.text C:\Windows\system32\svchost.exe[3876] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 00050042
.text C:\Windows\system32\svchost.exe[3876] msvcrt.dll!system 7630804B 5 Bytes JMP 00050FC1
.text C:\Windows\system32\svchost.exe[3876] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 00050FD2
.text C:\Windows\system32\svchost.exe[3876] msvcrt.dll!_open 7630D106 5 Bytes JMP 00050000
.text C:\Windows\system32\svchost.exe[3876] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 00050031
.text C:\Windows\system32\svchost.exe[3876] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 00050FE3
.text C:\Windows\system32\svchost.exe[3876] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 0006005B
.text C:\Windows\system32\svchost.exe[3876] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 00060040
.text C:\Windows\system32\svchost.exe[3876] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 00060FEF
.text C:\Windows\system32\svchost.exe[3876] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 00060FB9
.text C:\Windows\system32\svchost.exe[3876] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 00060F94
.text C:\Windows\system32\svchost.exe[3876] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 0006001B
.text C:\Windows\system32\svchost.exe[3876] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 0006000A
.text C:\Windows\system32\svchost.exe[3876] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 00060FCA
.text C:\Windows\system32\svchost.exe[3876] WS2_32.dll!socket 766836D1 5 Bytes JMP 0007000A
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!GetStartupInfoW 766B1929 5 Bytes JMP 0001009B
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!GetStartupInfoA 766B19C9 5 Bytes JMP 00010080
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!CreateProcessW 766B1BF3 5 Bytes JMP 000100C7
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!CreateProcessA 766B1C28 5 Bytes JMP 000100AC
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!VirtualProtect 766B1DC3 5 Bytes JMP 00010F55
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!CreateNamedPipeA 766B2EF5 5 Bytes JMP 00010014
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!CreateNamedPipeW 766B5C0C 5 Bytes JMP 00010FC3
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!CreatePipe 766D8E6E 5 Bytes JMP 00010065
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!LoadLibraryExW 766D9109 5 Bytes JMP 00010F66
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!LoadLibraryW 766D9362 5 Bytes JMP 00010F94
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!LoadLibraryExA 766D94B4 5 Bytes JMP 00010F83
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!LoadLibraryA 766D94DC 5 Bytes JMP 00010025
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!VirtualProtectEx 766DDBDA 5 Bytes JMP 00010054
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!GetProcAddress 766F903B 5 Bytes JMP 000100D8
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!CreateFileW 766FAECB 5 Bytes JMP 00010FDE
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!CreateFileA 766FCE5F 5 Bytes JMP 00010FEF
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] kernel32.dll!WinExec 76745CF7 5 Bytes JMP 00010F30
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] ADVAPI32.dll!RegCreateKeyExA 765539AB 5 Bytes JMP 00050F72
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] ADVAPI32.dll!RegCreateKeyA 76553BA9 5 Bytes JMP 00050014
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] ADVAPI32.dll!RegOpenKeyA 765589C7 5 Bytes JMP 00050FEF
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] ADVAPI32.dll!RegCreateKeyW 7656391E 5 Bytes JMP 00050F83
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] ADVAPI32.dll!RegCreateKeyExW 765641F1 5 Bytes JMP 00050039
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] ADVAPI32.dll!RegOpenKeyExA 76567C42 5 Bytes JMP 00050FB9
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] ADVAPI32.dll!RegOpenKeyW 7656E2B5 5 Bytes JMP 00050FD4
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] ADVAPI32.dll!RegOpenKeyExW 76577BA1 5 Bytes JMP 00050FA8
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] msvcrt.dll!_wsystem 76307F2F 5 Bytes JMP 00130073
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] msvcrt.dll!system 7630804B 5 Bytes JMP 00130062
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] msvcrt.dll!_creat 7630BBE1 5 Bytes JMP 00130022
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] msvcrt.dll!_open 7630D106 5 Bytes JMP 00130000
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] msvcrt.dll!_wcreat 7630D326 5 Bytes JMP 0013003D
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] msvcrt.dll!_wopen 7630D501 5 Bytes JMP 00130011
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] WS2_32.dll!socket 766836D1 5 Bytes JMP 007E0000
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] WININET.dll!InternetOpenA 75F9D690 5 Bytes JMP 01B60000
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] WININET.dll!InternetOpenW 75F9DB09 5 Bytes JMP 01B60FE5
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] WININET.dll!InternetOpenUrlA 75F9F3A4 5 Bytes JMP 01B6001B
.text C:\Program Files\Windows Media Player\wmplayer.exe[3884] WININET.dll!InternetOpenUrlW 75FE6DDF 5 Bytes JMP 01B60FCA

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----


#8 schrauber

Posted 19 May 2010 - 04:29 AM

Hi,

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemdrive%\*.sys /90 /md5
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized




  1. Please download MBR.exe and save it to your root directory (usually C:\).
  2. Now click Start > Run and copy/paste the following text in the box that opens. Do not copy the word "code".
    CODE
    C:\mbr.exe -t
  3. Press enter.
  4. An mbr.log should be created in your root directory. Please post its contents in your next reply.
In your next reply, please include the following:
  • mbr.exe log

regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#9 GEA@Eaton

Posted 19 May 2010 - 04:05 PM

Tom - this is the message I get when I try to download OTL:

"Gateway Anti-Virus Alert

This request is blocked by the SonicWALL Gateway Anti-Virus Service. Name: Emold.U (Worm)"

#10 schrauber

Posted 21 May 2010 - 11:19 AM

Hi,

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programmes to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the programme; from there on in it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Non-Microsoft
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\_OTL\MovedFiles
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

regards,
schrauber


#11 GEA@Eaton

Posted 22 May 2010 - 08:24 AM

Tom - I appreciate all your help so far but I am going to re-install windows, can't spend any more time on this. Thanks again.

#12 schrauber

Posted 23 May 2010 - 12:33 AM

Thanks for letting me know.

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber
