directdr redirect & Generic Host Process for Win32 Services error


  • This topic is locked
17 replies to this topic

#1 chuckmoose


Posted 25 May 2010 - 07:36 PM

Adding in additional content from another topic. ~ OB

Sometimes when starting IE or Firefox, a new window pops up and goes to directdr.com and then some other site. I saw others in online forums with this problem and so I followed the directions given to one of them (http://www.geekstogo.com/forum/Google-Redirect-ppcblinks-com-directdr-etc-t260247.html). First it said to use ComboFix. When I tried to use it, I get the blue window that says "Scanning for infected files . . . This typically doesn't take more than 10 minutes However, scan times for badly infected machines may easily double." Then my computer resets, with no log file created. I went ahead and used TFC and Malwarebytes' Anti-Malware, but I still have the redirecting issues. I also tried to use the Kaspersky antivirus scan, but after about 5 hours it froze. Thanks for any help you can give.

End of added content. ~ OB

Sometimes when starting or using IE or Firefox, a new window will open and go to directdr.com and then to some other site. Also, I often get an error "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience." I then cannot shut down or restart my computer without pushing the power button. I have run defrogger, dds, and gmer and have attached the dds and gmer logs. Thanks for the help.


Edited by Orange Blossom, 25 May 2010 - 08:05 PM.



#2 thcbytes

  • Malware Response Team

Posted 26 May 2010 - 06:51 PM

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if your topic has not been replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

Right click and delete Combofix from your desktop!

Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:

Link 1
Link 2

Save it to your Desktop <-- Important!!!

Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste all of the text in the quotebox below (including the hyperlink if present) into it:

4. Combofix might upload a few suspicious files. Please allow this!!

QUOTE
TDL::
C:\WINNT\system32\drivers\WudfPf.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Re-run Gmer and post a log

==========

With your next post please provide:

* Combofix.txt
* Gmer log
* How is your computer running now?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 chuckmoose

  • Topic Starter

Posted 27 May 2010 - 12:06 AM

I followed your directions for Combofix, but a log was not generated. Instead, my computer restarted. Should I proceed with rerunning GMER? Thanks for the help.

#4 thcbytes

  • Malware Response Team

Posted 27 May 2010 - 06:10 AM

Hello,

Yes please run Gmer then navigate to...

QUOTE
C:\Qoobox\ComboFix-quarantined-files.txt

and......

QUOTE
C:\qoobox\ComboFix*txt

* = the numerical run


And post all the logs contained here if available

Thanks,
~ t

#5 chuckmoose

  • Topic Starter

Posted 27 May 2010 - 07:40 PM

I ran GMER and had to zip the log to make the attachment small enough. I looked in the Qoobox directory and was not able to find any logs.

After running GMER, I lost the use of my mouse, and after saving the log, I lost use of my keyboard for a minute or so. Even after I regained control of my keyboard, I was unable to do anything, so I had to restart it using the power button. In the meantime, I am still getting the "Generic Host Process" error and browser redirects since running Combofix.

Thanks for the help

Attached Files

  • Attached File  ark.zip   17.44KB   1 downloads

Edited by chuckmoose, 28 May 2010 - 12:44 AM.


#6 thcbytes

  • Malware Response Team

Posted 28 May 2010 - 04:13 PM

Hey. You're doing great! Hang in there. It is a tough one.

Try this....
1. Download the file TDSSKiller.zip and extract it to your desktop.
2. Click start->run->copy-paste "%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v into the textbox and press enter.
3. report.txt should be generated into same location with TDSSKiller.exe. Post contents of that report, please.

Are you still redirected?

Thanks,
~ t

#7 chuckmoose

  • Topic Starter

Posted 29 May 2010 - 07:39 PM

I have attached the report. I have not had any occurrences of the browser redirects or the generic host process error since running TDSSKiller.

Thanks for the help



#8 thcbytes

  • Malware Response Team

Posted 30 May 2010 - 10:18 AM

Hurray!!

Please do this...

Please rerun MBAM.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
    • Update Malwarebytes' Anti-Malware <--- Important!!
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

==========

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

==========

With your next post please provide:

* MBAM log
* ESET log
* What problems remain?

Kind regards,
~t

#9 chuckmoose

  • Topic Starter

Posted 31 May 2010 - 12:57 AM

I have attached the MBAM log. ESET did not find anything and did not produce a log. I am not having any problems any more.

Thanks for the help.



#10 thcbytes

  • Malware Response Team

Posted 31 May 2010 - 08:15 AM

Hello,

Congratulations! You now appear clean!

**********

Please pay particularly close attention to the instructions that follow. To neglect these steps risks needless reinfection!!

**********

Are things running okay? Do you have any more questions?

**********

Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>

  • The following will implement some very important cleanup procedures as well as reset System Restore points.

**********
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :OTL
    :Commands
    [CLEARALLRESTOREPOINTS]
    [resethosts]
    [emptytemp]
    [Reboot]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .


**********

Run OTL again

We will now remove the tools we used during this fix using OTL.
  • Double click the OTL icon to start the program.
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

**********

You may delete all other tools that we used in the clean up effort now

**********

Recommendations


Below are some recommendations to lower your chances of (re)infection.

  1. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.

    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.

  2. Prevention article : To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention article by Miekiemoes.

  3. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.


    Windows XP


    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  4. Keep your other software up to date as well. Software does not need to be made by Microsoft to be insecure. Download Secunia Software Inspector to keep all your software up to date.

  5. Consider Firefox as your primary browser. It's safer, fast and secure!

  6. Install WOT. Never inadvertently surf to a dangerous website again.

  7. Consider running your browser Sandboxed with Sandboxie. You decide what actually gets into your OS!!

  8. Install NoScript. Pre-emptively blocks malicious scripts and allows JavaScript, Java and other potentially dangerous content only from sites you trust.

  9. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

**********

System Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

**********

Good luck & safe surfing,
Kind Regards,
~ t



#11 chuckmoose

  • Topic Starter

Posted 31 May 2010 - 04:20 PM

I uninstalled Combofix. I never used OTL during this process. I went ahead and downloaded it anyway, but when I tried to open it, it crashed.

#12 thcbytes

  • Malware Response Team

Posted 31 May 2010 - 04:30 PM

Yikes. Oops. Sorry about that!

Where did you download it from?

Go ahead and right click and delete OTL from your desktop. Let me have you produce a log for my perusal. As long as all is well then you should be in great shape. Is your computer still running alright?


  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.


    Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All

  4. Copy and Paste the following code into the textbox. Do not include the word "Code"


    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  5. Push
  6. A report will open. Copy and Paste that report in your next reply.
  7. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

==========

With your next post please provide:

* OTL.txt
* Extra.txt
* Still running alright?

Kind regards,
~t

#13 chuckmoose

  • Topic Starter

Posted 31 May 2010 - 05:13 PM

I got the link for OTL from another thread, but I deleted that one and downloaded it from the link you gave me. However, again when I tried to run it, I got the following error: OTL has encountered a problem and needs to close. We are sorry for the inconvenience.

#14 thcbytes

  • Malware Response Team

Posted 01 June 2010 - 07:51 AM

Hmmm.

Right click and delete the copy again. Try this link with the instructions I outlined earlier.
http://oldtimer.geekstogo.com/OTL.com

If that fails then please do this......

Right click and delete DDS from your desktop if it is still there...

Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

==========

Right click and delete Gmer from your desktop if it is still there...

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Still running alright????


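GMER's saved log names, for every kernel hook it finds, the driver that owns the hook. The following is an added example, not part of the thread and not GMER's own code: it parses the two line forms that appear in this topic's GMER output and groups the hooked functions by owning driver, listing any driver that is not on an analyst-supplied allowlist. The allowlist, the function names and the `example_unknown.sys` sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Only the two GMER line forms that appear in this topic are parsed.
# SSDT entry:   Code <driver path> (<description>) <function> [<address>]
SSDT_RE = re.compile(
    r"^Code\s+(?P<path>.+?\.sys)\s+\((?P<desc>[^)]*)\)\s+"
    r"(?P<func>\w+)(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?$"
)
# Inline patch: <section> <image>!<function> <addr> <n> Bytes JMP <target>
#               <driver path> (<description>)
INLINE_RE = re.compile(
    r"^(?P<section>\.text|PAGE)\s+(?P<image>[\w.]+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]{8})\s+(?P<path>.+?\.sys)\s+\((?P<desc>[^)]*)\)$"
)

# Assumption: drivers the analyst expects to hook the kernel on this machine.
# A file-name match is a triage aid only; the description text in the log
# is read from the file itself, so verify the file separately.
KNOWN_DRIVERS = {"mfehidk.sys"}

# First five lines are copied from the log in this topic; the last line is
# constructed for the example and names a hypothetical driver.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF50AA78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF50AA710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP F50AA7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CF98 5 Bytes JMP F50AA78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
Code \SystemRoot\system32\drivers\example_unknown.sys (Example description/Example vendor) ZwEnumerateKey [0xF7000000]
"""


def driver_name(path):
    """Return the lower-cased file name of a driver path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Extract SSDT and inline-patch hook records from GMER log text."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pattern in (("ssdt", SSDT_RE), ("inline", INLINE_RE)):
            m = pattern.match(line)
            if m:
                hooks.append({
                    "kind": kind,
                    "driver": driver_name(m.group("path")),
                    "desc": m.group("desc"),
                    "func": m.group("func"),
                })
                break
    return hooks


def summarize(hooks, known_drivers):
    """Group hooked functions by owning driver and mark allowlisted drivers."""
    grouped = defaultdict(lambda: {"ssdt": set(), "inline": set(), "desc": ""})
    for h in hooks:
        entry = grouped[h["driver"]]
        entry[h["kind"]].add(h["func"])
        entry["desc"] = h["desc"]
    return {
        drv: {
            "ssdt": sorted(e["ssdt"]),
            "inline": sorted(e["inline"]),
            "desc": e["desc"],
            "known": drv in known_drivers,
        }
        for drv, e in grouped.items()
    }


def needs_review(report):
    """Drivers that hook the kernel but are not on the allowlist."""
    return sorted(drv for drv, e in report.items() if not e["known"])


if __name__ == "__main__":
    report = summarize(parse_gmer(SAMPLE_LOG), KNOWN_DRIVERS)
    for drv, e in sorted(report.items()):
        status = "allowlisted" if e["known"] else "REVIEW"
        print(f"{drv} [{status}] {e['desc']}")
        print(f"  SSDT:   {', '.join(e['ssdt']) or '-'}")
        print(f"  inline: {', '.join(e['inline']) or '-'}")
    print("needs review:", needs_review(report))
```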

#15 chuckmoose

  • Topic Starter

Posted 02 June 2010 - 04:08 PM

I tried OTL again but it did not work. I ran DDS again and attached the logs. I have pasted the results from GMER below. My computer has been running fine. Thanks for the help.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-02 15:38:30
Windows 5.1.2600 Service Pack 3
Running: octq8hes.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uxldapob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF50AA78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF50AA821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF50AA738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF50AA74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF50AA835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF50AA861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF50AA8CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF50AA8B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF50AA7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF50AA8FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF50AA80D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF50AA710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF50AA724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF50AA79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF50AA937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF50AA8A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF50AA88D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF50AA84B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF50AA923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF50AA90F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF50AA776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF50AA762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF50AA877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF50AA7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF50AA8E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF50AA7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF50AA7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----


---- User code sections - GMER 1.0.15 ----

.text C:\WINNT\Explorer.EXE[1292] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E00FAB
.text C:\WINNT\Explorer.EXE[1292] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E00FBC
.text C:\WINNT\Explorer.EXE[1292] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E0002C
.text C:\WINNT\Explorer.EXE[1292] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E00000
.text C:\WINNT\Explorer.EXE[1292] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E00FD7
.text C:\WINNT\Explorer.EXE[1292] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E00011
.text C:\WINNT\Explorer.EXE[1292] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DA0FE5
.text C:\WINNT\Explorer.EXE[1292] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DA000A
.text C:\WINNT\Explorer.EXE[1292] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DA001B
.text C:\WINNT\Explorer.EXE[1292] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00DA0FD4
.text C:\WINNT\Explorer.EXE[1292] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DF000A
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90000
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C9008E
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90F8F
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90069
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90058
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90FC0
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90F46
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90F61
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C900BA
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C900A9
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C900CB
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C90047
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C90FDB
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90F7E
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C9002C
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C9001B
.text C:\WINNT\System32\svchost.exe[1932] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C90F2B
.text C:\WINNT\System32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 003A0025
.text C:\WINNT\System32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 003A0F97
.text C:\WINNT\System32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 003A0FD4
.text C:\WINNT\System32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 003A0000
.text C:\WINNT\System32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 003A0FA8
.text C:\WINNT\System32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 003A0FEF
.text C:\WINNT\System32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 003A0040
.text C:\WINNT\System32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 003A0FB9
.text C:\WINNT\System32\svchost.exe[1932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00390064
.text C:\WINNT\System32\svchost.exe[1932] msvcrt.dll!system 77C293C7 5 Bytes JMP 0039003F
.text C:\WINNT\System32\svchost.exe[1932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0039001D
.text C:\WINNT\System32\svchost.exe[1932] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00390FEF
.text C:\WINNT\System32\svchost.exe[1932] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0039002E
.text C:\WINNT\System32\svchost.exe[1932] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0039000C
.text C:\WINNT\System32\svchost.exe[1932] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00370FE5
.text C:\WINNT\System32\svchost.exe[1932] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00370FD4
.text C:\WINNT\System32\svchost.exe[1932] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00370FB9
.text C:\WINNT\System32\svchost.exe[1932] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00370FA8
.text C:\WINNT\System32\svchost.exe[1932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00380000
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0078
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A005D
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F83
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0036
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FAF
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00B0
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F68
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00CB
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F32
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F17
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F94
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0093
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0025
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FCA
.text C:\WINNT\System32\svchost.exe[3976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F43
.text C:\WINNT\System32\svchost.exe[3976] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 003A0FD4
.text C:\WINNT\System32\svchost.exe[3976] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 003A0F72
.text C:\WINNT\System32\svchost.exe[3976] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 003A0025
.text C:\WINNT\System32\svchost.exe[3976] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 003A000A
.text C:\WINNT\System32\svchost.exe[3976] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 003A0F8D
.text C:\WINNT\System32\svchost.exe[3976] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 003A0FEF
.text C:\WINNT\System32\svchost.exe[3976] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 003A0FA8
.text C:\WINNT\System32\svchost.exe[3976] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [5A, 88]
.text C:\WINNT\System32\svchost.exe[3976] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 003A0FB9
.text C:\WINNT\System32\svchost.exe[3976] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 004F0F88
.text C:\WINNT\System32\svchost.exe[3976] msvcrt.dll!system 77C293C7 5 Bytes JMP 004F0FA3
.text C:\WINNT\System32\svchost.exe[3976] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 004F0FE3
.text C:\WINNT\System32\svchost.exe[3976] msvcrt.dll!_open 77C2F566 5 Bytes JMP 004F0000
.text C:\WINNT\System32\svchost.exe[3976] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 004F0FC8
.text C:\WINNT\System32\svchost.exe[3976] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 004F0011
.text C:\WINNT\System32\svchost.exe[3976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00230FEF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtCreateFile] [017F2F30] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [017F2CA0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtClose] [017F2D00] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [017F2CD0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1292] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\system32\wscntfy.exe[1328] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtCreateFile] [008B2F30] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINNT\system32\wscntfy.exe[1328] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [008B2CA0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINNT\system32\wscntfy.exe[1328] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtClose] [008B2D00] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINNT\system32\wscntfy.exe[1328] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [008B2CD0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1656] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01942F30] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1656] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01942CA0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1656] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtClose] [01942D00] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1656] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01942CD0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3124] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003E2F30] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3124] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2CA0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3124] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtClose] [003E2D00] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3124] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003E2CD0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3688] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtCreateFile] [018E2F30] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3688] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [018E2CA0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3688] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtClose] [018E2D00] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3688] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [018E2CD0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Owner\Desktop\octq8hes.exe[4604] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F30] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Owner\Desktop\octq8hes.exe[4604] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802CA0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Owner\Desktop\octq8hes.exe[4604] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtClose] [00802D00] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Owner\Desktop\octq8hes.exe[4604] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802CD0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
