
Fraud.Sysguard & ElitumEliteBar


  • This topic is locked
3 replies to this topic

#1 ken_m


Posted 04 June 2010 - 07:10 PM

Running Win XP SP3.

Discovered FF 3.5.9/3.6.3 and IE6 both hijacked. Bookmarks seem to work. Can start a Google search, but links end up going to "bargain" shopping sites or the like.

Bleeping Computer recommended to me.

So far (haven't checked since last safe mode effort) Superantispyware 4.38.1004 (in normal and safe mode) says it finds tracking cookies - I delete them.

Malwarebytes 1.46 (both modes) finds threats - I delete them

Spybot Search and Destroy 1.62 (both modes) keeps finding 86 instances of FF bookmarks affected by Elitum.EliteBar and a single key re Fraud.Sysguard - I have them removed.

Problem comes back.

I've disabled System Restore points.

Here's the DDS.txt and attach.zip attached:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Ken at 15:41:25.16 on Fri 06/04/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.292 [GMT -4:00]

AV: Total Protection for Small Business *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\MSMSGS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\UpdDlg.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myINX.exe
C:\Documents and Settings\Ken\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Microsoft Internet Explorer provided by Verizon Online
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.1.5.19.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\managed virusscan\vscan\ScriptSn.20100519033331.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -au



#2 ken_m


Posted 04 June 2010 - 07:19 PM

Sorry again.

My post seems to be missing the "ark.txt," HijackThis and Malwarebytes logs:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-04 19:54:56
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Ken\LOCALS~1\Temp\awldypow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA9D4620]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA4DB178A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA4DB1738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA4DB174C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA4DB17CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA4DB1710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA4DB1724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA4DB179E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA4DB1776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA4DB1762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA4DB17F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA4DB17E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA4DB17B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP A4DB17B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CF98 5 Bytes JMP A4DB178E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DDD9 5 Bytes JMP A4DB1766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805719AC 5 Bytes JMP A4DB1714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571E96 7 Bytes JMP A4DB17A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP A4DB17E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP A4DB17CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP A4DB1750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805824CC 5 Bytes JMP A4DB17FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058E5C4 5 Bytes JMP A4DB1728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B14AC 5 Bytes JMP A4DB173C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062E057 5 Bytes JMP A4DB177A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DA0FEF
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DA0F6C
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DA0F7D
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DA0057
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DA0F9A
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DA0FBC
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DA0083
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DA0072
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DA009E
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DA0F05
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DA00B9
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DA0FAB
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DA0FDE
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DA0F47
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DA0FCD
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DA001E
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DA0F20
.text C:\Program Files\Messenger\MSMSGS.EXE[500] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D80FB7
.text C:\Program Files\Messenger\MSMSGS.EXE[500] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D80FC8
.text C:\Program Files\Messenger\MSMSGS.EXE[500] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D8001D
.text C:\Program Files\Messenger\MSMSGS.EXE[500] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D8000C
.text C:\Program Files\Messenger\MSMSGS.EXE[500] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D8002E
.text C:\Program Files\Messenger\MSMSGS.EXE[500] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D80FE3
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D90014
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D90F94
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D90FC3
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D90FD4
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D9005B
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D90FEF
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D90040
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D9002F
.text C:\Program Files\Messenger\MSMSGS.EXE[500] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D60FEF
.text C:\Program Files\Messenger\MSMSGS.EXE[500] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00D7000A
.text C:\Program Files\Messenger\MSMSGS.EXE[500] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00D70FEF
.text C:\Program Files\Messenger\MSMSGS.EXE[500] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00D70027
.text C:\Program Files\Messenger\MSMSGS.EXE[500] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00D70FD4
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01280FEF
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01280F66
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0128005B
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01280F77
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01280F9E
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01280040
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01280F24
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01280076
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01280F13
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012800A2
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01280EF8
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01280FB9
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0128000A
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01280F4B
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01280FCA
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0128001B
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01280087
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01270FA8
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01270F50
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01270FB9
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01270FDE
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01270F6B
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01270FEF
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01270F7C
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [47, 89]
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01270F8D
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01260038
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!system 77C293C7 5 Bytes JMP 01260FB7
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01260FD2
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0126000C
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01260027
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01260FEF
.text C:\WINDOWS\system32\services.exe[784] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00FF0FDB
.text C:\WINDOWS\system32\services.exe[784] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[784] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\services.exe[784] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00FF0FBE
.text C:\WINDOWS\system32\services.exe[784] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01030FEF
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010300CE
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010300A9
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01030098
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0103007D
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0103005B
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01030F7C
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01030F97
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01030F50
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010300E9
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01030F35
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0103006C
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0103000A
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01030FBE
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01030040
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0103001B
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01030F6B
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01020FB9
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01020F8D
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0102000A
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01020FD4
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01020F9E
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01020FEF
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01020040
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0102002F
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01010FB7
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!system 77C293C7 5 Bytes JMP 01010042
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01010FD2
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01010FE3
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01010027
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0101000C
.text C:\WINDOWS\system32\lsass.exe[796] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\lsass.exe[796] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\lsass.exe[796] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[796] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\lsass.exe[796] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00FF0FB7
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D60087
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D60F92
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D60FA3
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D60062
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60FC0
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D60F6B
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D600B3
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D600FA
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D600E9
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D60115
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D60047
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D600A2
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D6002C
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D6001B
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D600D8
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D50FB9
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50F72
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D50FCA
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D5002F
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D50FE5
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D50F97
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F5, 88]
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D50FA8
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D40F95
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D40FA6
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D40FB7
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D4000C
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D40FDE
.text C:\WINDOWS\system32\svchost.exe[956] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00D30014
.text C:\WINDOWS\system32\svchost.exe[956] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[956] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00D30025
.text C:\WINDOWS\system32\svchost.exe[956] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00D3004C
.text C:\WINDOWS\system32\svchost.exe[956] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EB0F8D
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EB0082
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EB0F9E
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EB005B
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EB0FB9
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EB00DF
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EB00C4
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EB0126
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EB0101
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EB0137
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EB0040
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EB000A
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EB009D
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EB0FD4
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EB0025
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EB00F0
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EA0025
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EA005B
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EA0FD4
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EA000A
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EA0040
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EA0FEF
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EA0FA8
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0A, 89]
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EA0FB9
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E90044
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E90FB9
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E90018
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E90029
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E90FDE
.text C:\WINDOWS\system32\svchost.exe[1012] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\svchost.exe[1012] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\svchost.exe[1012] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00E80FDE
.text C:\WINDOWS\system32\svchost.exe[1012] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00E80FC3
.text C:\WINDOWS\system32\svchost.exe[1012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007B000A
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007C000A
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007A000C
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02B40FE5
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02B40F5E
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02B4005D
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02B40040
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02B4002F
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02B40F9E
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02B40F43
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02B40095
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02B400C1
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02B400B0
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02B400DC
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02B40F8D
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02B40FD4
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02B4006E
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02B40014
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02B40FC3
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02B40F32
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 027C0FDB
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 027C0076
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 027C0036
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 027C0025
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 027C0051
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 027C0000
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 027C0FAF
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9C, 8A]
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 027C0FC0
.text C:\WINDOWS\System32\svchost.exe[1148] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01DB000A
.text C:\WINDOWS\System32\svchost.exe[1148] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00C2000A
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 027B0FAB
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!system 77C293C7 5 Bytes JMP 027B0FBC
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 027B0011
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 027B0FEF
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 027B002C
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 027B0000
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 027A0FE5
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 027A000A
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 027A001B
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 027A0FC8
.text C:\WINDOWS\System32\svchost.exe[1148] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02790000
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE000A
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0F7E
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0F8F
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0069
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0FB6
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0047
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE0098
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0F5C
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE0F10
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE00A9
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE00CE
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0058
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE001B
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0F6D
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0036
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE0F35
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00800022
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00800F8A
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00800FDB
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00800011
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0080003D
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00800FA5
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A0, 88]
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00800FB6
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007F0FA3
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!system 77C293C7 5 Bytes JMP 007F0FBE
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007F0038
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007F0FE3
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007F0011
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 007E0FCA
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 007E0FE5
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 007E0FB9
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 007E0FA8
.text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0079000A
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007900A6
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0079008B
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExW 7C801AF5 3 Bytes JMP 0079007A
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExW + 4 7C801AF9 1 Byte [83]
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00790069
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00790FDB
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00790F7E
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00790F8F
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00790117
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007900FC
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00790F63
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00790058
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0079001B
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00790FA0
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00790047
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0079002C
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007900E1
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00780040
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00780FA1
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00780FE5
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0078001B
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00780FB2
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00780FC3
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [98, 88]
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00780FD4
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0077002E
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!system 77C293C7 5 Bytes JMP 00770FA3
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0077001D
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00770FBE
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 0076001B
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00760036
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00760051
.text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00800F7C
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00800067
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00800F8D
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0080004A
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00800025
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00800F50
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00800098
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008000CE
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00800F35
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008000E9
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00800F9E
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00800FD4
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00800F61
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00800FB9
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0080000A
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008000BD
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007F0FD1
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007F0062
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007F0022
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007F0011
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007F0F9B
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007F003D
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007F0FB6
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0053
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E0FBE
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E002E
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E0FCF
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E001D
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 001C0FCA
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 001C0011
.text C:\WINDOWS\system32\svchost.exe[1436] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001B0000
.text C:\WINDOWS\Explorer.EXE[1856] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A2000A
.text C:\WINDOWS\Explorer.EXE[1856] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A8000A
.text C:\WINDOWS\Explorer.EXE[1856] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A1000C
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CC0000
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CC0F48
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CC0F63
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CC0F8A
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CC0F9B
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CC0033
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CC006E
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CC0F1C
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CC0EF0
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CC0093
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CC0EDF
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CC0FAC
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CC0011
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CC0F37
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CC0FD1
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CC0022
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CC0F0B
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CB0FC3
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CB005B
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CB0FDE
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CB004A
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CB0000
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CB0F9E
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EB, 88] {JMP 0xffffffffffffff8a}
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CB0025
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C90F9C
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C90FB7
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C9001D
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C90000
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C90FC8
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C90FE3
.text C:\WINDOWS\Explorer.EXE[1856] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00C8001B
.text C:\WINDOWS\Explorer.EXE[1856] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00C80000
.text C:\WINDOWS\Explorer.EXE[1856] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00C80FD9
.text C:\WINDOWS\Explorer.EXE[1856] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00C8002C
.text C:\WINDOWS\Explorer.EXE[1856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70000
.text C:\Program Files\Mozilla Firefox\firefox.exe[2088] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FB000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2088] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FC000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2088] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FA000C
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008000A1
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00800090
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00800FB6
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00800FD1
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00800062
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008000D9
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00800F91
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008000FE
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreateProcessA 7C80236B 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00800F6F
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00800F4A
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00800073
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0080001B
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008000BC
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00800047
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00800036
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00800F80
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007F0040
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007F0091
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007F0025
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007F006C
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007F000A
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007F0FCA
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9F, 88]
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007F0051
.text C:\WINDOWS\system32\svchost.exe[2356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0FA8
.text C:\WINDOWS\system32\svchost.exe[2356] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E0033
.text C:\WINDOWS\system32\svchost.exe[2356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E0011
.text C:\WINDOWS\system32\svchost.exe[2356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[2356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E0022
.text C:\WINDOWS\system32\svchost.exe[2356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[2356] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 001C0011
.text C:\WINDOWS\system32\svchost.exe[2356] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\svchost.exe[2356] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 001C0022
.text C:\WINDOWS\system32\svchost.exe[2356] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 001C0FCF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BP401FJP\CAC1AJWL.jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BP401FJP\1[3] 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BP401FJP\269230[1].jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BP401FJP\2703[1].jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BP401FJP\4886[1].jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BP401FJP\showInteraction[2].js 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BP401FJP\1128311074@Top1[1] 0 bytes

---- EOF - GMER 1.0.15 ----


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-04 19:54:56
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Ken\LOCALS~1\Temp\awldypow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA9D4620]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA4DB178A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA4DB1738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA4DB174C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA4DB17CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA4DB1710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA4DB1724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA4DB179E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA4DB1776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA4DB1762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA4DB17F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA4DB17E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA4DB17B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP A4DB17B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CF98 5 Bytes JMP A4DB178E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DDD9 5 Bytes JMP A4DB1766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805719AC 5 Bytes JMP A4DB1714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571E96 7 Bytes JMP A4DB17A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP A4DB17E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP A4DB17CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP A4DB1750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805824CC 5 Bytes JMP A4DB17FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058E5C4 5 Bytes JMP A4DB1728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B14AC 5 Bytes JMP A4DB173C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062E057 5 Bytes JMP A4DB177A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DA0FEF
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DA0F6C
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DA0F7D
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DA0057
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DA0F9A
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DA0FBC
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DA0083
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DA0072
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DA009E
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DA0F05
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DA00B9
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DA0FAB
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DA0FDE
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DA0F47
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DA0FCD
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DA001E
.text C:\Program Files\Messenger\MSMSGS.EXE[500] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DA0F20
.text C:\Program Files\Messenger\MSMSGS.EXE[500] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D80FB7
.text C:\Program Files\Messenger\MSMSGS.EXE[500] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D80FC8
.text C:\Program Files\Messenger\MSMSGS.EXE[500] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D8001D
.text C:\Program Files\Messenger\MSMSGS.EXE[500] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D8000C
.text C:\Program Files\Messenger\MSMSGS.EXE[500] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D8002E
.text C:\Program Files\Messenger\MSMSGS.EXE[500] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D80FE3
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D90014
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D90F94
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D90FC3
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D90FD4
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D9005B
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D90FEF
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D90040
.text C:\Program Files\Messenger\MSMSGS.EXE[500] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D9002F
.text C:\Program Files\Messenger\MSMSGS.EXE[500] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D60FEF
.text C:\Program Files\Messenger\MSMSGS.EXE[500] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00D7000A
.text C:\Program Files\Messenger\MSMSGS.EXE[500] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00D70FEF
.text C:\Program Files\Messenger\MSMSGS.EXE[500] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00D70027
.text C:\Program Files\Messenger\MSMSGS.EXE[500] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00D70FD4
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01280FEF
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01280F66
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0128005B
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01280F77
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01280F9E
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01280040
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01280F24
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01280076
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01280F13
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012800A2
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01280EF8
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01280FB9
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0128000A
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01280F4B
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01280FCA
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0128001B
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01280087
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01270FA8
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01270F50
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01270FB9
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01270FDE
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01270F6B
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01270FEF
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01270F7C
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [47, 89]
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01270F8D
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01260038
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!system 77C293C7 5 Bytes JMP 01260FB7
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01260FD2
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0126000C
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01260027
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01260FEF
.text C:\WINDOWS\system32\services.exe[784] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00FF0FDB
.text C:\WINDOWS\system32\services.exe[784] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[784] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\services.exe[784] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00FF0FBE
.text C:\WINDOWS\system32\services.exe[784] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01030FEF
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010300CE
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010300A9
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01030098
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0103007D
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0103005B
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01030F7C
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01030F97
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01030F50
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010300E9
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01030F35
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0103006C
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0103000A
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01030FBE
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01030040
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0103001B
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01030F6B
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01020FB9
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01020F8D
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0102000A
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01020FD4
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01020F9E
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01020FEF
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01020040
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0102002F
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01010FB7
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!system 77C293C7 5 Bytes JMP 01010042
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01010FD2
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01010FE3
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01010027
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0101000C
.text C:\WINDOWS\system32\lsass.exe[796] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\lsass.exe[796] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\lsass.exe[796] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[796] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\lsass.exe[796] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00FF0FB7
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D60087
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D60F92
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D60FA3
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D60062
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60FC0
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D60F6B
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D600B3
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D600FA
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D600E9
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D60115
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D60047
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D600A2
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D6002C
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D6001B
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D600D8
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D50FB9
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50F72
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D50FCA
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D5002F
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D50FE5
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D50F97
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F5, 88]
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D50FA8
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D40F95
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D40FA6
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D40FB7
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D4000C
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D40FDE
.text C:\WINDOWS\system32\svchost.exe[956] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00D30014
.text C:\WINDOWS\system32\svchost.exe[956] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[956] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00D30025
.text C:\WINDOWS\system32\svchost.exe[956] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00D3004C
.text C:\WINDOWS\system32\svchost.exe[956] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EB0F8D
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EB0082
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EB0F9E
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EB005B
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EB0FB9
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EB00DF
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EB00C4
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EB0126
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EB0101
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EB0137
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EB0040
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EB000A
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EB009D
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EB0FD4
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EB0025
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EB00F0
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EA0025
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EA005B
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EA0FD4
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EA000A
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EA0040
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EA0FEF
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EA0FA8
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0A, 89]
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EA0FB9
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E90044
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E90FB9
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E90018
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E90029
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E90FDE
.text C:\WINDOWS\system32\svchost.exe[1012] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\svchost.exe[1012] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\svchost.exe[1012] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00E80FDE
.text C:\WINDOWS\system32\svchost.exe[1012] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00E80FC3
.text C:\WINDOWS\system32\svchost.exe[1012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007B000A
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007C000A
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007A000C
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02B40FE5
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02B40F5E
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02B4005D
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02B40040
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02B4002F
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02B40F9E
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02B40F43
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02B40095
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02B400C1
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02B400B0
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02B400DC
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02B40F8D
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02B40FD4
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02B4006E
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02B40014
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02B40FC3
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02B40F32
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 027C0FDB
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 027C0076
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 027C0036
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 027C0025
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 027C0051
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 027C0000
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 027C0FAF
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9C, 8A]
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 027C0FC0
.text C:\WINDOWS\System32\svchost.exe[1148] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01DB000A
.text C:\WINDOWS\System32\svchost.exe[1148] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00C2000A
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 027B0FAB
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!system 77C293C7 5 Bytes JMP 027B0FBC
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 027B0011
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 027B0FEF
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 027B002C
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 027B0000
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 027A0FE5
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 027A000A
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 027A001B
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 027A0FC8
.text C:\WINDOWS\System32\svchost.exe[1148] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02790000
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE000A
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0F7E
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0F8F
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0069
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0FB6
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0047
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE0098
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0F5C
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE0F10
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE00A9
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE00CE
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0058
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE001B
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0F6D
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0036
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE0F35
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00800022
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00800F8A
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00800FDB
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00800011
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0080003D
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00800FA5
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A0, 88]
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00800FB6
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007F0FA3
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!system 77C293C7 5 Bytes JMP 007F0FBE
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007F0038
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007F0FE3
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007F0011
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 007E0FCA
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 007E0FE5
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 007E0FB9
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 007E0FA8
.text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0079000A
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007900A6
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0079008B
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExW 7C801AF5 3 Bytes JMP 0079007A
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExW + 4 7C801AF9 1 Byte [83]
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00790069
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00790FDB
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00790F7E
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00790F8F
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00790117
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007900FC
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00790F63
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00790058
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0079001B
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00790FA0
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00790047
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0079002C
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007900E1
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00780040
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00780FA1
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00780FE5
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0078001B
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00780FB2
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00780FC3
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [98, 88]
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00780FD4
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0077002E
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!system 77C293C7 5 Bytes JMP 00770FA3
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0077001D
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00770FBE
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 0076001B
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00760036
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00760051
.text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00800F7C
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00800067
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00800F8D
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0080004A
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00800025
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00800F50
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00800098
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008000CE
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00800F35
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008000E9
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00800F9E
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00800FD4
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00800F61
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00800FB9
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0080000A
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008000BD
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007F0FD1
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007F0062
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007F0022
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007F0011
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007F0F9B
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007F003D
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007F0FB6
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0053
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E0FBE
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E002E
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E0FCF
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E001D
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 001C0FCA
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 001C0011
.text C:\WINDOWS\system32\svchost.exe[1436] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001B0000
.text C:\WINDOWS\Explorer.EXE[1856] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A2000A
.text C:\WINDOWS\Explorer.EXE[1856] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A8000A
.text C:\WINDOWS\Explorer.EXE[1856] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A1000C
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CC0000
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CC0F48
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CC0F63
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CC0F8A
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CC0F9B
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CC0033
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CC006E
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CC0F1C
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CC0EF0
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CC0093
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CC0EDF
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CC0FAC
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CC0011
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CC0F37
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CC0FD1
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CC0022
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CC0F0B
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CB0FC3
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CB005B
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CB0FDE
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CB004A
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CB0000
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CB0F9E
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EB, 88] {JMP 0xffffffffffffff8a}
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CB0025
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C90F9C
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C90FB7
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C9001D
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C90000
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C90FC8
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C90FE3
.text C:\WINDOWS\Explorer.EXE[1856] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00C8001B
.text C:\WINDOWS\Explorer.EXE[1856] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00C80000
.text C:\WINDOWS\Explorer.EXE[1856] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00C80FD9
.text C:\WINDOWS\Explorer.EXE[1856] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00C8002C
.text C:\WINDOWS\Explorer.EXE[1856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70000
.text C:\Program Files\Mozilla Firefox\firefox.exe[2088] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FB000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2088] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FC000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2088] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FA000C
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008000A1
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00800090
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00800FB6
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00800FD1
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00800062
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008000D9
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00800F91
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008000FE
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreateProcessA 7C80236B 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00800F6F
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00800F4A
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00800073
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0080001B
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008000BC
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00800047
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00800036
.text C:\WINDOWS\system32\svchost.exe[2356] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00800F80
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007F0040
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007F0091
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007F0025
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007F006C
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007F000A
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007F0FCA
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9F, 88]
.text C:\WINDOWS\system32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007F0051
.text C:\WINDOWS\system32\svchost.exe[2356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0FA8
.text C:\WINDOWS\system32\svchost.exe[2356] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E0033
.text C:\WINDOWS\system32\svchost.exe[2356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E0011
.text C:\WINDOWS\system32\svchost.exe[2356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[2356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E0022
.text C:\WINDOWS\system32\svchost.exe[2356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[2356] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 001C0011
.text C:\WINDOWS\system32\svchost.exe[2356] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\svchost.exe[2356] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 001C0022
.text C:\WINDOWS\system32\svchost.exe[2356] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 001C0FCF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BP401FJP\CAC1AJWL.jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BP401FJP\1[3] 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BP401FJP\269230[1].jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BP401FJP\2703[1].jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BP401FJP\4886[1].jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BP401FJP\showInteraction[2].js 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BP401FJP\1128311074@Top1[1] 0 bytes

---- EOF - GMER 1.0.15 ----




#3 ken_m

  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Brooklyn
  • Local time:06:44 AM

Posted 06 June 2010 - 03:45 PM

I believe I beat this on my own, running Spybot S&D 1.62, Malwarebytes 1.46, AdAware 2008, Superantispyware 4.38.1004, in safe mode and lastly, at urging over at TMF, Combofix in normal.

That seemed to kill Fraud.Sysguard, but Spybot kept "cleaning," but not really, 86 references to "searchmiracle" Firefox bookmarks read as part of Elitum.EliteBar.

However, one net find recommendation was "Organize Bookmarks" in Firefox, then do a search there for "searchmiracle" and just delete the bookmarks there.

Looking good.

Thanks anyway.

Ken

#4 teacup61

  • Malware Response Team

Posted 06 June 2010 - 04:05 PM

Thanks for letting us know.

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.