Removing TDSS.e!rootkit trojan


This topic is locked
17 replies to this topic

#1 partingsong

partingsong

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:23 AM

Posted 07 July 2011 - 11:53 PM

My computer recently got infected with a FakeAlert trojan. After combing through multiple threads I was able to clean part of it by running rkill and then running Malwarebytes. I then unhid all my previously-hidden files and changed their attributes back to normal. I thought I was golden, but every time I reboot, McAfee finds the TDSS.e!rootkit trojan and claims to delete it. I tried downloading and running Kaspersky's TDSS Killer, but the rootkit is not letting me run it, even when I rename it. Is there anything else I can do? At this point I am tempted to just get my files off the machine and wipe my hard drive.

#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,663 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:08:23 AM

Posted 08 July 2011 - 01:00 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


#3 partingsong

partingsong
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:23 AM

Posted 08 July 2011 - 09:17 PM

Security Check log:

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
McAfee VirusScan Enterprise
McAfee Agent
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.2.152.32
Mozilla Firefox (3.6.18)
````````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee VirusScan Enterprise SHSTAT.EXE
Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
``````````End of Log````````````


MiniToolBox log:

MiniToolBox by Farbar
Ran by Anka (administrator) on 08-07-2011 at 20:24:26
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp

# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : DBPD0VH1

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : cable.rcn.com



Ethernet adapter Wireless Network Connection:



Connection-specific DNS Suffix . : cable.rcn.com

Description . . . . . . . . . . . : Intel® WiFi Link 5300 AGN

Physical Address. . . . . . . . . : 00-21-6A-04-B3-26

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.101

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 208.59.247.45

208.59.247.46

Lease Obtained. . . . . . . . . . : Friday, July 08, 2011 8:22:38 PM

Lease Expires . . . . . . . . . . : Saturday, July 09, 2011 8:22:38 PM



Ethernet adapter Local Area Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Intel® 82567LM Gigabit Network Connection

Physical Address. . . . . . . . . : 00-21-70-CE-8C-03

Server: secondary.atw.pa.dns.rcn.net
Address: 208.59.247.45

Name: google.com
Addresses: 74.125.93.105, 74.125.93.103, 74.125.93.99, 74.125.93.147
74.125.93.106, 74.125.93.104



Pinging google.com [74.125.93.103] with 32 bytes of data:



Reply from 74.125.93.103: bytes=32 time=33ms TTL=51

Reply from 74.125.93.103: bytes=32 time=36ms TTL=51



Ping statistics for 74.125.93.103:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 33ms, Maximum = 36ms, Average = 34ms

Server: secondary.atw.pa.dns.rcn.net
Address: 208.59.247.45

Name: yahoo.com
Addresses: 209.191.122.70, 67.195.160.76, 69.147.125.65, 72.30.2.43
98.137.149.56



Pinging yahoo.com [98.137.149.56] with 32 bytes of data:



Reply from 98.137.149.56: bytes=32 time=240ms TTL=52

Reply from 98.137.149.56: bytes=32 time=90ms TTL=52



Ping statistics for 98.137.149.56:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 90ms, Maximum = 240ms, Average = 165ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 21 6a 04 b3 26 ...... Intel® WiFi Link 5300 AGN - Packet Scheduler Miniport
0x3 ...00 21 70 ce 8c 03 ...... Intel® 82567LM Gigabit Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.101 192.168.1.101 20
192.168.1.101 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.101 192.168.1.101 20
224.0.0.0 240.0.0.0 192.168.1.101 192.168.1.101 20
255.255.255.255 255.255.255.255 192.168.1.101 3 1
255.255.255.255 255.255.255.255 192.168.1.101 192.168.1.101 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/08/2011 08:13:07 PM) (Source: LoadPerf) (User: )
Description: Installing the performance counter strings for service WmiApRpl (%2) failed. The
Error code is the first DWORD in Data section.

Error: (07/08/2011 08:13:07 PM) (Source: LoadPerf) (User: )
Description: Unable to update the performance counter strings of the 009 language ID.
The Win32 status returned by the call is the first DWORD in Data section.

Error: (07/08/2011 00:18:38 AM) (Source: McLogEvent) (User: Anka)Anka
Description: The scan found detections. Scan engine version 5400.1158 DAT version 6396.

Error: (07/07/2011 11:59:34 PM) (Source: LoadPerf) (User: )
Description: Installing the performance counter strings for service WmiApRpl (%2) failed. The
Error code is the first DWORD in Data section.

Error: (07/07/2011 11:59:34 PM) (Source: LoadPerf) (User: )
Description: Unable to update the performance counter strings of the 009 language ID.
The Win32 status returned by the call is the first DWORD in Data section.

Error: (07/07/2011 11:47:33 PM) (Source: McLogEvent) (User: )
Description: Task Manager : Service Error : IDS_MID_CONFIG_FAILED (0015)

Error: (07/07/2011 10:59:28 PM) (Source: McLogEvent) (User: Anka)Anka
Description: The scan found detections. Scan engine version 5400.1158 DAT version 6396.

Error: (07/07/2011 10:53:26 PM) (Source: LoadPerf) (User: )
Description: Installing the performance counter strings for service WmiApRpl (%2) failed. The
Error code is the first DWORD in Data section.

Error: (07/07/2011 10:53:26 PM) (Source: LoadPerf) (User: )
Description: Unable to update the performance counter strings of the 009 language ID.
The Win32 status returned by the call is the first DWORD in Data section.

Error: (07/07/2011 10:27:17 PM) (Source: McLogEvent) (User: Anka)Anka
Description: The scan found detections. Scan engine version 5400.1158 DAT version 6396.


System errors:
=============
Error: (07/08/2011 08:09:23 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.102 for the Network Card with network address 00216A04B326 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (07/08/2011 08:08:55 PM) (Source: DCOM) (User: NETWORK SERVICE)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

Error: (07/08/2011 08:08:55 PM) (Source: DCOM) (User: NETWORK SERVICE)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

Error: (07/08/2011 08:08:55 PM) (Source: DCOM) (User: NETWORK SERVICE)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

Error: (07/08/2011 08:08:52 PM) (Source: Service Control Manager) (User: )
Description: The DNS Client service terminated with the following error:
%%126

Error: (07/08/2011 00:56:54 AM) (Source: Service Control Manager) (User: )
Description: The Dell ControlPoint System Manager service terminated unexpectedly. It has done this 1 time(s).

Error: (07/08/2011 00:56:53 AM) (Source: Service Control Manager) (User: )
Description: The Dell ControlPoint Button Service service terminated unexpectedly. It has done this 1 time(s).

Error: (07/07/2011 11:54:45 PM) (Source: DCOM) (User: NETWORK SERVICE)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

Error: (07/07/2011 11:54:45 PM) (Source: DCOM) (User: NETWORK SERVICE)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

Error: (07/07/2011 11:54:45 PM) (Source: DCOM) (User: NETWORK SERVICE)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.


Microsoft Office Sessions:
=========================

========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 21%
Total physical RAM: 3571.83 MB
Available physical RAM: 2821.13 MB
Total Pagefile: 5452.97 MB
Available Pagefile: 4737.81 MB
Total Virtual: 2047.88 MB
Available Virtual: 2006.44 MB

======================= Partitions: =======================================

1 Drive c: (OS) (Fixed) (Total:119.11 GB) (Free:1.68 GB) NTFS

================= Users: ==================================================

User accounts for \\DBPD0VH1

-------------------------------------------------------------------------------
Administrator Anka Guest
HelpAssistant SUPPORT_388945a0
The command completed successfully.

================= End of Users ============================================


Malwarebytes log:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7052

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/8/2011 8:30:10 PM
mbam-log-2011-07-08 (20-30-10).txt

Scan type: Quick scan
Objects scanned: 177504
Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Gmer log:

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-08 22:03:09
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.VAM0
Running: f7rs0891.exe; Driver: C:\DOCUME~1\Anka\LOCALS~1\Temp\fxlyapob.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DD90C0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DD90D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DD9100]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DD9156]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DD90AC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DD9084]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DD9098]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DD90EA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DD912C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DD9116]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DD9180]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DD916C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DD9140]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9DD9144 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP B9DD915A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP B9DD9170 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C062E 5 Bytes JMP B9DD9130 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B9DD9088 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP B9DD909C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP B9DD9184 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622662 7 Bytes JMP B9DD911A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP B9DD90EE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806240F0 5 Bytes JMP B9DD90C4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP B9DD90D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP B9DD9104 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP B9DD90B0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text KDCOM.DLL!KdSendPacket BA5A8345 6 Bytes [FA, 8D, 46, 01, 25, FF]
.text KDCOM.DLL!KdSendPacket BA5A834D 5 Bytes [80, 79, 07, 48, 0D]
.text KDCOM.DLL!KdSendPacket BA5A8353 29 Bytes [FF, FF, FF, 40, 0F, B6, F0, ...]
.text KDCOM.DLL!KdSendPacket BA5A8371 28 Bytes [FF, FF, FF, 42, 0F, B6, FA, ...]
.text KDCOM.DLL!KdD0Transition + 8 BA5A838E 17 Bytes [08, 03, 55, F8, 03, D8, 81, ...]
.text KDCOM.DLL!KdD0Transition + 1A BA5A83A0 42 Bytes [FF, FF, FF, 43, 0F, B6, C3, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 25 BA5A83CB 6 Bytes [00, C9, C2, 08, 00, 55] {ADD CL, CL; RET 0x8; PUSH EBP}
.text KDCOM.DLL!KdDebuggerInitialize0 + 2C BA5A83D2 23 Bytes [EC, 83, C8, FF, 83, 7D, 08, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 44 BA5A83EA 162 Bytes [42, 5E, F6, C1, 01, 74, 0A, ...]
.text KDCOM.DLL!KdRestore + 2D BA5A848D 1 Byte [43]
.text KDCOM.DLL!KdRestore + 2D BA5A848D 77 Bytes [43, 08, 89, 45, FC, 8B, 55, ...]
.text KDCOM.DLL!KdRestore + 7C BA5A84DC 25 Bytes [C9, C2, 08, 00, 55, 8B, EC, ...]
.text KDCOM.DLL!KdRestore + 97 BA5A84F7 21 Bytes [89, 06, 89, 46, 08, 89, 46, ...]
.text KDCOM.DLL!KdRestore + AD BA5A850D 241 Bytes CALL BA5A846D \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
.text ...
PAGEKD KDCOM.DLL!KdReceivePacket + 2 BA5A8F4E 205 Bytes [F0, 8D, 45, FC, 50, 53, 56, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + D0 BA5A901C 2 Bytes [75, 0E] {JNZ 0x10}
PAGEKD KDCOM.DLL!KdReceivePacket + D3 BA5A901F 1 Byte [C0]
PAGEKD KDCOM.DLL!KdReceivePacket + D3 BA5A901F 103 Bytes [C0, 02, 83, C2, 02, 84, DB, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + 13B BA5A9087 131 Bytes [7D, 0C, B8, 4D, 5A, 00, 00, ...]
PAGEKD ...
PAGEKD KDCOM.DLL!KdSendPacket + 6F BA5A9221 181 Bytes [83, C4, 18, 33, C0, 85, FF, ...]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7FD9380, 0x381B8D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[188] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\svchost.exe[188] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[188] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 00910FD4
.text C:\WINDOWS\system32\svchost.exe[188] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[188] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\system32\svchost.exe[188] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00900F77
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900062
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900051
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900040
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900FAF
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009000A4
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900F5C
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009000BF
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00900F30
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009000DA
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900F94
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900FDB
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0090007D
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00900FCA
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00900011
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00900F41
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A90FC3
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A90F97
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A90FD4
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A90FE5
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A90054
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A9002F
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A90FA8
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A80F86
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A80FA1
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A80FC6
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A80011
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A80FD7
.text C:\WINDOWS\system32\svchost.exe[188] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[188] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[188] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[188] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 00930038
.text C:\WINDOWS\system32\svchost.exe[188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\services.exe[1020] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CF0FE5
.text C:\WINDOWS\system32\services.exe[1020] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CF0FAF
.text C:\WINDOWS\system32\services.exe[1020] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF0FCA
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE000A
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0F96
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE008B
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE007A
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0069
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE003D
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE00BC
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0F74
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE0F4F
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE00E8
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE0103
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE004E
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0F85
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE002C
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE001B
.text C:\WINDOWS\system32\services.exe[1020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE00D7
.text C:\WINDOWS\system32\services.exe[1020] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D60FC3
.text C:\WINDOWS\system32\services.exe[1020] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D60076
.text C:\WINDOWS\system32\services.exe[1020] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D60014
.text C:\WINDOWS\system32\services.exe[1020] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D60FD4
.text C:\WINDOWS\system32\services.exe[1020] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D6005B
.text C:\WINDOWS\system32\services.exe[1020] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\services.exe[1020] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D6004A
.text C:\WINDOWS\system32\services.exe[1020] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D6002F
.text C:\WINDOWS\system32\services.exe[1020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D10F95
.text C:\WINDOWS\system32\services.exe[1020] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D10FB0
.text C:\WINDOWS\system32\services.exe[1020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D10FD2
.text C:\WINDOWS\system32\services.exe[1020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\system32\services.exe[1020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D10FC1
.text C:\WINDOWS\system32\services.exe[1020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D1000C
.text C:\WINDOWS\system32\services.exe[1020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\lsass.exe[1032] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\lsass.exe[1032] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E30FCA
.text C:\WINDOWS\system32\lsass.exe[1032] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E30FE5
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE004A
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0F4B
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0F72
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0F83
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0014
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE0F13
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE005B
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE0F02
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE0091
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE00B6
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0025
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0F3A
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0FA8
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FC3
.text C:\WINDOWS\system32\lsass.exe[1032] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE0080
.text C:\WINDOWS\system32\lsass.exe[1032] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FA0FD4
.text C:\WINDOWS\system32\lsass.exe[1032] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FA007D
.text C:\WINDOWS\system32\lsass.exe[1032] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FA0025
.text C:\WINDOWS\system32\lsass.exe[1032] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FA000A
.text C:\WINDOWS\system32\lsass.exe[1032] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FA0062
.text C:\WINDOWS\system32\lsass.exe[1032] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\system32\lsass.exe[1032] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FA0051
.text C:\WINDOWS\system32\lsass.exe[1032] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FA0040
.text C:\WINDOWS\system32\lsass.exe[1032] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F9003F
.text C:\WINDOWS\system32\lsass.exe[1032] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F9002E
.text C:\WINDOWS\system32\lsass.exe[1032] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F9000C
.text C:\WINDOWS\system32\lsass.exe[1032] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F90FE3
.text C:\WINDOWS\system32\lsass.exe[1032] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F9001D
.text C:\WINDOWS\system32\lsass.exe[1032] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F90FD2
.text C:\WINDOWS\system32\lsass.exe[1032] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FF002C
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0F69
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE005E
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0F90
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0FA1
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0039
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0091
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE0080
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE0F02
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE0F13
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE00B6
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0FB2
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE006F
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0FC3
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE0F24
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02430FB9
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02430F68
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0243000A
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02430FD4
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02430025
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02430FEF
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02430F8D
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [63, 8A]
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02430FA8
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02420F99
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!system 77C293C7 5 Bytes JMP 0242002E
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0242001D
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0242000C
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02420FBE
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02420FE3
.text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02410000
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C90FCD
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C90FDE
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C80065
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C80F7A
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C80F8B
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C80FA8
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C80036
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C80093
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C80076
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C800B8
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C80F15
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C800D3
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C80FB9
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C8001B
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C80F4B
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C80FCA
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C80FE5
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C80F26
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CC0011
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CC0F9B
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CC0FCA
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CC0FE5
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CC004E
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CC003D
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CC0022
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CB0F78
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CB0F89
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CB0FB5
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_open 77C2F566 3 Bytes JMP 00CB0FE3
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CB0F9A
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CB0FC6
.text C:\WINDOWS\system32\svchost.exe[1308] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\System32\svchost.exe[1348] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01AE0FE5
.text C:\WINDOWS\System32\svchost.exe[1348] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01AE0000
.text C:\WINDOWS\System32\svchost.exe[1348] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01AE0FCA
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01680FE5
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01680F61
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01680F7C
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01680F8D
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0168004A
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01680FA8
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0168008C
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0168007B
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 016800B8
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01680F29
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01680F04
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01680039
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01680FD4
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01680F50
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01680FB9
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0168000A
.text C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 016800A7
.text C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02F30047
.text C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02F30F94
.text C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02F30036
.text C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02F30011
.text C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02F30FAF
.text C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02F30000
.text C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02F30FC0
.text C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [13, 8B]
.text C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02F30FE5
.text C:\WINDOWS\System32\svchost.exe[1348] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02F20FA8
.text C:\WINDOWS\System32\svchost.exe[1348] msvcrt.dll!system 77C293C7 5 Bytes JMP 02F20FB9
.text C:\WINDOWS\System32\svchost.exe[1348] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02F20FEF
.text C:\WINDOWS\System32\svchost.exe[1348] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02F2000C
.text C:\WINDOWS\System32\svchost.exe[1348] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02F20FD4
.text C:\WINDOWS\System32\svchost.exe[1348] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02F2001D
.text C:\WINDOWS\System32\svchost.exe[1348] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02D40FEF
.text C:\WINDOWS\System32\svchost.exe[1348] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 02D50FE5
.text C:\WINDOWS\System32\svchost.exe[1348] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 02D50000
.text C:\WINDOWS\System32\svchost.exe[1348] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 02D5001B
.text C:\WINDOWS\System32\svchost.exe[1348] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 02D50038
.text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C30FAF
.text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C30FD4
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C20F70
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C2005B
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C20F8D
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C20F9E
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C20036
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C200A0
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C20F4E
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C200BB
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C20F22
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C20F07
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C20FAF
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C2001B
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C20F5F
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C20FE5
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C20F3D
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C60FB2
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C60F97
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C60FCD
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C60FDE
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C6004A
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C60039
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C6001E
.text C:\WINDOWS\system32\svchost.exe[1556] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C50042
.text C:\WINDOWS\system32\svchost.exe[1556] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C50027
.text C:\WINDOWS\system32\svchost.exe[1556] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C5000C
.text C:\WINDOWS\system32\svchost.exe[1556] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[1556] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C50FB7
.text C:\WINDOWS\system32\svchost.exe[1556] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C50FD2
.text C:\WINDOWS\system32\svchost.exe[1556] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C40FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01A40FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01A40025
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01A4000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01A30000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01A30093
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01A30F94
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01A30FA5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01A30FB6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01A3004E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01A30F61
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01A30F72
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01A300E6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01A300D5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01A30F3C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01A30FC7
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01A30011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01A30F83
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01A3003D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01A3002C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01A300C4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01A20040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01A20062
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01A20025
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01A20FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01A20FA5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01A20000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01A20051
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01A20FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01A1004E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] msvcrt.dll!system 77C293C7 5 Bytes JMP 01A1003D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01A10FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01A10000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01A10FC3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01A10FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1640] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01A00000
.text C:\WINDOWS\system32\svchost.exe[2456] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[2456] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BD0FC3
.text C:\WINDOWS\system32\svchost.exe[2456] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0025
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0F26
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0F4D
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0F68
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0F94
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F0B
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0053
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0ECE
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0EDF
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC008C
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0F79
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0FCA
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0FAF
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[2456] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC0EFA
.text C:\WINDOWS\system32\svchost.exe[2456] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[2456] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB002F
.text C:\WINDOWS\system32\svchost.exe[2456] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[2456] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[2456] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0F72
.text C:\WINDOWS\system32\svchost.exe[2456] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[2456] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BB0F83
.text C:\WINDOWS\system32\svchost.exe[2456] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DB, 88]
.text C:\WINDOWS\system32\svchost.exe[2456] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0F9E
.text C:\WINDOWS\system32\svchost.exe[2456] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0F90
.text C:\WINDOWS\system32\svchost.exe[2456] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0FA1
.text C:\WINDOWS\system32\svchost.exe[2456] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0011
.text C:\WINDOWS\system32\svchost.exe[2456] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[2456] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA0FBC
.text C:\WINDOWS\system32\svchost.exe[2456] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01090FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01090FC3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01090FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01080FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01080047
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01080036
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01080F5C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01080F79
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01080FA5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0108007F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0108006E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010800D0
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010800BF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010800E1
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01080F8A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01080FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01080F37
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0108001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0108000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010800A4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01070FCA
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0107006C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0107001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01070000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0107005B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01070FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01070040
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01070FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01060050
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] msvcrt.dll!system 77C293C7 5 Bytes JMP 0106003F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0106001D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01060FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0106002E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0106000C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2720] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01050000
.text C:\WINDOWS\Explorer.EXE[3340] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 04AD0000
.text C:\WINDOWS\Explorer.EXE[3340] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 04AD0FD4
.text C:\WINDOWS\Explorer.EXE[3340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 04AD0FE5
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 04AC0FEF
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 04AC009A
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 04AC007F
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 04AC006E
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 04AC0FA5
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 04AC0036
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 04AC0F79
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 04AC0F8A
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 04AC0F32
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 04AC0F4D
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04AC00F0
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04AC0051
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 04AC000A
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 04AC00B5
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 04AC001B
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 04AC0FD4
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 04AC0F5E
.text C:\WINDOWS\Explorer.EXE[3340] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 04AB0FCA
.text C:\WINDOWS\Explorer.EXE[3340] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 04AB0047
.text C:\WINDOWS\Explorer.EXE[3340] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 04AB0FE5
.text C:\WINDOWS\Explorer.EXE[3340] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 04AB001B
.text C:\WINDOWS\Explorer.EXE[3340] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04AB002C
.text C:\WINDOWS\Explorer.EXE[3340] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 04AB0000
.text C:\WINDOWS\Explorer.EXE[3340] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 04AB0F8A
.text C:\WINDOWS\Explorer.EXE[3340] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CB, 8C]
.text C:\WINDOWS\Explorer.EXE[3340] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04AB0FAF
.text C:\WINDOWS\Explorer.EXE[3340] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 04AA0F8B
.text C:\WINDOWS\Explorer.EXE[3340] msvcrt.dll!system 77C293C7 5 Bytes JMP 04AA0FA6
.text C:\WINDOWS\Explorer.EXE[3340] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 04AA000C
.text C:\WINDOWS\Explorer.EXE[3340] msvcrt.dll!_open 77C2F566 5 Bytes JMP 04AA0FE3
.text C:\WINDOWS\Explorer.EXE[3340] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 04AA0FB7
.text C:\WINDOWS\Explorer.EXE[3340] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 04AA0FD2
.text C:\WINDOWS\Explorer.EXE[3340] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 04A60FEF
.text C:\WINDOWS\Explorer.EXE[3340] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 04A60000
.text C:\WINDOWS\Explorer.EXE[3340] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 04A60031
.text C:\WINDOWS\Explorer.EXE[3340] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 04A60042
.text C:\WINDOWS\Explorer.EXE[3340] WS2_32.dll!socket 71AB4211 5 Bytes JMP 04A50FEF
.text C:\WINDOWS\System32\svchost.exe[5456] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text C:\WINDOWS\System32\svchost.exe[5456] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090011
.text C:\WINDOWS\System32\svchost.exe[5456] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FDB
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0078
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F8D
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F9E
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0051
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0093
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F4B
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F29
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F3A
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00DD
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0025
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F68
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0036
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00B8
.text C:\WINDOWS\System32\svchost.exe[5456] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FDB
.text C:\WINDOWS\System32\svchost.exe[5456] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F83
.text C:\WINDOWS\System32\svchost.exe[5456] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A002C
.text C:\WINDOWS\System32\svchost.exe[5456] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A001B
.text C:\WINDOWS\System32\svchost.exe[5456] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0F9E
.text C:\WINDOWS\System32\svchost.exe[5456] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A000A
.text C:\WINDOWS\System32\svchost.exe[5456] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0FAF
.text C:\WINDOWS\System32\svchost.exe[5456] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\System32\svchost.exe[5456] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\System32\svchost.exe[5456] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003F0F9C
.text C:\WINDOWS\System32\svchost.exe[5456] msvcrt.dll!system 77C293C7 5 Bytes JMP 003F0031
.text C:\WINDOWS\System32\svchost.exe[5456] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003F0FD2
.text C:\WINDOWS\System32\svchost.exe[5456] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003F0FEF
.text C:\WINDOWS\System32\svchost.exe[5456] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003F0FC1
.text C:\WINDOWS\System32\svchost.exe[5456] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003F000C
.text C:\WINDOWS\System32\svchost.exe[5456] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[5784] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FEF
.text C:\WINDOWS\system32\wuauclt.exe[5784] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090014
.text C:\WINDOWS\system32\wuauclt.exe[5784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FDE
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FE5
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C005B
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C004A
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F72
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0F8D
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0014
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C00A4
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0087
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C00BF
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F26
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0F0B
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C002F
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0076
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FA8
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FB9
.text C:\WINDOWS\system32\wuauclt.exe[5784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F41
.text C:\WINDOWS\system32\wuauclt.exe[5784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B004C
.text C:\WINDOWS\system32\wuauclt.exe[5784] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B003B
.text C:\WINDOWS\system32\wuauclt.exe[5784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FD2
.text C:\WINDOWS\system32\wuauclt.exe[5784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[5784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0FC1
.text C:\WINDOWS\system32\wuauclt.exe[5784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FE3
.text C:\WINDOWS\system32\wuauclt.exe[5784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0047
.text C:\WINDOWS\system32\wuauclt.exe[5784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0073
.text C:\WINDOWS\system32\wuauclt.exe[5784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0036
.text C:\WINDOWS\system32\wuauclt.exe[5784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C001B
.text C:\WINDOWS\system32\wuauclt.exe[5784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0FB6
.text C:\WINDOWS\system32\wuauclt.exe[5784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0000
.text C:\WINDOWS\system32\wuauclt.exe[5784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C0058
.text C:\WINDOWS\system32\wuauclt.exe[5784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0FD1

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdSendPacket] [BA5A8631] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdD0Transition] [BA5A85DF] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdD3Transition] [BA5A85E9] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdReceivePacket] [BA5A860D] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdDebuggerInitialize0] [BA5A85F3] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdSave] [BA5A8625] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdDebuggerInitialize1] [BA5A85FF] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdRestore] [BA5A8619] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\hal.dll[KDCOM.dll!KdRestore] [BA5A8619] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!READ_PORT_UCHAR] 736F746E
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!WRITE_PORT_UCHAR] 6C6E726B
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalQueryRealTimeClock] 6578652E
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalInitSystem] 00000000
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!KdComPortInUse] 2E6C6168

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\mfevtps.exe[2188] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [0040AB80] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\WINDOWS\system32\mfevtps.exe[2188] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [0040ABE0] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A6D5BD20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Threads - GMER 1.0.15 ----

Thread System [4:148] 8AB2C0B3
Thread System [4:156] 8AB2C923
Thread System [4:160] 8AB2D7FB

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----


Thanks!
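A small triage script for the GMER hook listing above, added here as an example and not part of this thread or of GMER itself: it parses the `.text ... JMP` lines, groups the hooks per process by the 64 KiB regions their JMPs land in, and picks up the disk-sector warning. The watch list of API names is an assumption made for illustration.

```python
"""Triage helper for GMER user-mode hook listings (added example, not a GMER tool)."""
import re
# One GMER hook line, e.g.
#   .text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 04AC0FEF
# and the split form GMER prints when a JMP straddles two entries ('RegCreateKeyW + 3 ... [CB, 8C]').
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>\S+)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+?)(?:\s\+\s\d+)?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+\d+\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[[^\]]+\])\s*$")
MBR_RE = re.compile(r"^Disk\s+\S+\s+sector\s+\d+:\s*.+$")

# Constructed watch list for this example (not GMER's own classification): APIs whose
# hooking across many processes is typical of a user-mode rootkit component.
WATCH = {"NtProtectVirtualMemory", "CreateProcessA", "CreateProcessW", "LoadLibraryA",
         "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress", "socket"}

# Sample input: a short excerpt of the GMER log posted above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\Explorer.EXE[3340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 04AD0FE5
.text C:\WINDOWS\Explorer.EXE[3340] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 04AC0F32
.text C:\WINDOWS\Explorer.EXE[3340] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 04AB0F8A
.text C:\WINDOWS\Explorer.EXE[3340] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CB, 8C]
.text C:\WINDOWS\Explorer.EXE[3340] WS2_32.dll!socket 71AB4211 5 Bytes JMP 04A50FEF
.text C:\WINDOWS\System32\svchost.exe[5456] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text C:\WINDOWS\System32\svchost.exe[5456] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0051
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
"""


def parse_hooks(log_text):
    """One dict per '.text ... JMP <target>' line; raw-byte continuation lines are skipped."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m and m["target"]:
            hooks.append({"proc": f"{m['proc']}[{m['pid']}]", "module": m["module"].lower(),
                          "func": m["func"], "addr": int(m["addr"], 16),
                          "target": int(m["target"], 16)})
    return hooks


def summarize(hooks):
    """Per process: hook count, hooked modules, 64 KiB regions the JMPs land in, watched APIs.
    Many hooks funnelling into a few private regions (0x04AC0000, 0x001B0000 ...) is the tell."""
    out = {}
    for h in hooks:
        s = out.setdefault(h["proc"], {"count": 0, "modules": set(), "regions": set(), "watched": set()})
        s["count"] += 1
        s["modules"].add(h["module"])
        s["regions"].add(h["target"] & 0xFFFF0000)
        if h["func"] in WATCH:
            s["watched"].add(h["func"])
    return out


def mbr_warnings(log_text):
    """GMER's disk-sector findings, e.g. 'sector 00: rootkit-like behavior' on the boot disk."""
    return [l.strip() for l in log_text.splitlines() if MBR_RE.match(l.strip())]
```

Run it against the full log posted above to see every hooked process summarised on one line each; the "sector 00" finding is what points at the MBR and explains why a plain file scan keeps "deleting" the same detection after each reboot.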

#4 Broni


Posted 08 July 2011 - 09:57 PM

Download TDSSKiller and save it to your desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#5 partingsong


Posted 08 July 2011 - 10:11 PM

I can't run TDSSKiller. I doubleclick and nothing happens.

#6 Broni


Posted 08 July 2011 - 10:16 PM

Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said).
If you are running Windows XP, re-enable System Restore.


#7 partingsong


Posted 08 July 2011 - 10:44 PM

I get the following message: "Pre-boot operation failed, unable to continue".

#8 Broni


Posted 08 July 2011 - 10:49 PM

At what point are you getting that message?
Did you disable system restore before running the tool?


#9 partingsong


Posted 08 July 2011 - 10:52 PM

I think McAfee is interfering with FixTDSS. I looked in the Access Protection Log and it says "Prevent Modification of McAfee Common Management Agent files and settings. Action blocked: Write". Should I disable McAfee?

Yes, I did disable System Restore.

#10 Broni


Posted 08 July 2011 - 10:56 PM

Please disable McAfee.


#11 partingsong


Posted 08 July 2011 - 10:59 PM

I disabled McAfee. When I click on FixTDSS I get the license agreement. I click "Accept", and then I'm given the option to proceed. I click "Proceed", and that's when the "Pre-boot operation failed" message appears.

#12 Broni


Posted 08 July 2011 - 11:04 PM

I'll have to send you "upstairs" for more sophisticated tools not allowed in this forum.

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread and post a DDS log HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!


#13 partingsong


Posted 09 July 2011 - 08:55 AM

This may be a silly question, but I'm not sure how I should do a backup of my computer. I would think that anything in "My Documents" is uncompromised, so copying everything in that folder to my external drive should be fine, and in any case that is the data that I'm most concerned about. However, according to the directions on the malware forum, I should back up the entire hard drive, i.e. create an image of everything. Wouldn't that include the infected parts? I don't know much about rootkits, but do they mainly affect the registry? Is this copied when creating a hard drive image? I just don't want to unwittingly transfer the problem. So, in a nutshell, how and what should I back up? Thanks.

#14 partingsong


Posted 09 July 2011 - 08:58 AM

I meant "clone" of the hard drive, not "image".

#15 Broni


Posted 09 July 2011 - 11:30 AM

Yes, in case of an infection, creating an image is not a good idea for the very reason you mentioned.
Simply back up your important data, whatever you don't want to lose.
