
Virus - Proxy Server Changes, No Internet,


5 replies to this topic

#1 frobergs2


Posted 09 July 2011 - 06:23 PM

I have been reading these posts for an hour or so now, and let me say you're all brilliant, thank you for all of the information! I'm a little nervous about doing anything too crazy on my own, so figured I'd give you my rundown to see if anyone would be willing to help. I'm halfway computer literate, so I can figure some things out, but bear with me.

Dell XPS, Netgear wireless router, Windows XP

My internet wouldn't connect by main computer, but my iPod would with the wireless router. I figured out that the box was checked on Use a Proxy server for your LAN, so I unchecked it. I also found a couple startup menu items (I frequently check these on sysinfo.org), I found ctfmon, conhost, msmsgs and csrss that should not have been there, and removed them from there. Then I:

1. Ran SuperAntiSpyware
2. Ran McAfee Anti-virus
3. Went to Microsoft website and ran the Free PC safety scan. This is where it found 4 things, one being Backdoor:Win32/Cycbot.B. It removed and I restarted.
4. Also ran Microsoft Malicious Software Removal Tool (found nothing).
5. I then installed Malwarebytes Anti-Malware. A couple of adwares found, and then one that said: PUM.Bad.Proxy in the Registry Value category. It deleted them all.

My question is, what next? What else should I do? At times during this process, I kept re-checking and the Proxy server box was re-checked, so something was flipping it back on every time. Also, the msmsgs and ctfmon do not seem to want to remove themselves from the start-up items. After I try to remove them (click apply) it says: an access denied message was returned while attempting to change this service. You may need to log on using an Admin account to make this change. I may be an airhead here, but I'm the only user on the computer, so not sure how I go about logging in as Administrator.

Thanks for any help in advance!



#2 cryptodan


Posted 09 July 2011 - 06:49 PM

Can you post the logs?

#3 frobergs2


Posted 09 July 2011 - 08:55 PM

Unfortunately I just "Ran" instead of "saved" the Microsoft ones (that found the Backdoor one), so I don't have the software on my computer to see log, but here is Malwares...

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7060

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

7/9/2011 7:15:20 PM
mbam-log-2011-07-09 (19-15-20).txt

Scan type: Quick scan
Objects scanned: 262648
Time elapsed: 28 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

#4 cryptodan


Posted 09 July 2011 - 09:42 PM

Can you perform a full scan after downloading the following tools:

Hello,

And welcome to BleepingComputer.com, before we can assist you with your question of: Am I infected? You will need to perform the following tasks and post the logs of each if you can.

Malwarebytes Anti-Malware

NOTE: Malwarebytes is now offering a free trial of their program, if you want to accept it you will need to enter some billing information, so that at the end of the trial you would be charged the cost of the product. Please decline this offer, if you are unable to provide billing information. If you want to try it out, then provide the billing information.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


SUPERAntiSpyware:

Please download and scan with SUPERAntiSpyware Free

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.

Scan with SUPERAntiSpyware as follows:
    • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes" and reboot normally.
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Instructions:

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now GMER

GMER does not work in 64bit Mode!!!!!!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.


All scans above should be performed in regular boot mode, and if that is not possible then I will post instructions in a follow up reply on how to get into Safe Mode to perform the scans. Also all scans should be COMPLETE and not quick unless specifically instructed to do so.

#5 frobergs2


Posted 10 July 2011 - 04:27 PM

Thank you SO much for the advice so far. It took a bit, but got it all done. Also, did Security Check and MiniToolBox, will post those logs too (saw a couple advisors suggest doing those for the Backdoor:Win32/Cycbot.B virus). I happened to check my start-ups and those darned ctfmon and msmsgs ones are still hanging in there.

Malware Log
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7060

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

7/10/2011 5:19:03 AM
mbam-log-2011-07-10 (05-19-03).txt

Scan type: Full scan (C:\|G:\|)
Objects scanned: 413225
Time elapsed: 2 hour(s), 28 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP969\A0099942.exe (Trojan.Agent) -> Quarantined and deleted successfully.

SuperAntiSpyware Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/10/2011 at 06:27 AM

Application Version : 4.55.1000

Core Rules Database Version : 7391
Trace Rules Database Version: 2971

Scan type : Complete Scan
Total Scan Time : 01:02:54

Memory items scanned : 530
Memory threats detected : 0
Registry items scanned : 7754
Registry threats detected : 1
File items scanned : 26884
File threats detected : 59

Adware.Tracking Cookie

Malware.Trace
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon#Taskman

Trojan.Agent/Gen-FakeAlert
C:\DOCUMENTS AND SETTINGS\DARLENE\LOCAL SETTINGS\TEMP\31.EXE

Gmer Log
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-10 16:52:34
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Maxtor_6 rev.BANC
Running: 16vb12uh.exe; Driver: C:\DOCUME~1\Darlene\LOCALS~1\Temp\pxdyapob.sys


.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 007F008B
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 007E0025
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 007E0073
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 007E0FD4
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 007E000A
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 007E0062
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 007E0051
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 007E0036
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007D0F7C
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!system 77C293C7 5 Bytes JMP 007D0F97
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007D0011
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007D0000
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007D0FBC
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007D0FD7
.text C:\WINDOWS\system32\svchost.exe[700] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007C0000
.text C:\WINDOWS\system32\svchost.exe[804] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[804] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C90022
.text C:\WINDOWS\system32\svchost.exe[804] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C90011
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C80078
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C80F8D
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C80F9E
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C8005B
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C80036
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C80F5C
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C800A4
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C80F30
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C800C9
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00C800EE
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00C80FAF
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00C80093
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00C80FD4
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00C80025
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00C80F4B
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00C70036
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00C70FB9
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00C70FE5
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00C7001B
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00C70FCA
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00C7000A
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00C70062
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00C70051
.text C:\WINDOWS\system32\svchost.exe[804] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60FC8
.text C:\WINDOWS\system32\svchost.exe[804] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60049
.text C:\WINDOWS\system32\svchost.exe[804] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C6002E
.text C:\WINDOWS\system32\svchost.exe[804] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[804] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C60FE3
.text C:\WINDOWS\system32\svchost.exe[804] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C6001D
.text C:\WINDOWS\system32\svchost.exe[804] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[804] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C40FE5
.text C:\WINDOWS\system32\svchost.exe[804] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C40FD4
.text C:\WINDOWS\system32\svchost.exe[804] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C40FB9
.text C:\WINDOWS\system32\svchost.exe[804] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00C40FA8
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[928] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[928] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1108] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[1108] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0005001B
.text C:\WINDOWS\system32\services.exe[1108] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00040076
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0004005B
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00040F81
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00040040
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00040FA8
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 000400BF
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 000400AE
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000400FF
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 000400E4
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 0004011A
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0004002F
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00040087
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00040014
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00040FC3
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00040F66
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00A10FB9
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00A10062
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00A10FD4
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00A10051
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00A10FE5
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00A10036
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00A10025
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00070049
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 00070038
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0007000C
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00070027
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00070FD2
.text C:\WINDOWS\system32\services.exe[1108] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\lsass.exe[1120] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\system32\lsass.exe[1120] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E00014
.text C:\WINDOWS\system32\lsass.exe[1120] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E00FDE
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00BC0087
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00BC0076
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00BC005B
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00BC0040
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BC0FB9
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00BC0F6D
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00BC00B5
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BC00E1
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BC0F52
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00BC0F2D
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00BC0F9E
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00BC0098
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00BC0FCA
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00BC00D0
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00E30FA8
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00E30014
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00E30FC3
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00E30FD4
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00E30F61
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00E30F72
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00E30F8D
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E20049
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E2002E
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E20FD2
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E2001D
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E20FE3
.text C:\WINDOWS\system32\lsass.exe[1120] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E10FEF
.text C:\WINDOWS\system32\svchost.exe[1344] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[1344] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CF0011
.text C:\WINDOWS\system32\svchost.exe[1344] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CE006A
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CE0F7F
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CE0F90
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CE004D
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CE0FBC
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CE0F44
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CE008C
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CE00CC
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CE0F33
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00CE0F18
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00CE0FAB
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00CE0FDE
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00CE007B
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00CE0028
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00CE0FCD
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00CE00B1
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00D2002C
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00D20084
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00D2001B
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00D20FE5
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00D20073
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00D20058
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00D2003D
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D1006B
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D10050
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D1002E
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D1003F
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D1001D
.text C:\WINDOWS\system32\svchost.exe[1344] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\wuauclt.exe[1476] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FEF
.text C:\WINDOWS\system32\wuauclt.exe[1476] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FD4
.text C:\WINDOWS\system32\wuauclt.exe[1476] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0009000A
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001C0F22
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001C0F33
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001C0F5A
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001C0F75
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001C0F97
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001C004F
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001C0F07
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001C0085
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001C0EEC
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001C00AA
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001C0F86
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001C0FDE
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001C0032
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001C0FA8
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001C0FC3
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001C006A
.text C:\WINDOWS\system32\wuauclt.exe[1476] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A002E
.text C:\WINDOWS\system32\wuauclt.exe[1476] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A001D
.text C:\WINDOWS\system32\wuauclt.exe[1476] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FC1
.text C:\WINDOWS\system32\wuauclt.exe[1476] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1476] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A000C
.text C:\WINDOWS\system32\wuauclt.exe[1476] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FDE
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 002B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 002B0F83
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 002B0040
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 002B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 002B0025
.text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A10FE5
.text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A1001B
.text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A00FE5
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A0002F
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A00F30
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A00F41
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A00F68
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A00F94
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A0006C
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A0005B
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A000A2
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A00087
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00A000B3
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00A00F83
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00A0000A
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00A0004A
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00A00FB9
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00A00FCA
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00A00F09
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00A4003D
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00A4006C
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00A4002C
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00A4001B
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00A40FAF
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00A40FCA
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00A40FDB
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A30FAB
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A30036
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A30FE3
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A3001B
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A30FC6
.text C:\WINDOWS\system32\svchost.exe[1484] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A20000
.text C:\WINDOWS\System32\svchost.exe[1608] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01780000
.text C:\WINDOWS\System32\svchost.exe[1608] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01780040
.text C:\WINDOWS\System32\svchost.exe[1608] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0178001B
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01770000
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01770FA3
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01770FBE
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01770098
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0177007D
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01770062
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01770F77
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 017700BF
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01770110
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 017700F5
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 01770F5C
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 01770FE5
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0177001B
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01770F88
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01770051
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 01770036
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 017700DA
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 01800025
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 01800FC3
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 01800014
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 01800FD4
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 01800076
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 01800FE5
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 01800065
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 01800040
.text C:\WINDOWS\System32\svchost.exe[1608] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 017F0FAF
.text C:\WINDOWS\System32\svchost.exe[1608] msvcrt.dll!system 77C293C7 5 Bytes JMP 017F0FC0
.text C:\WINDOWS\System32\svchost.exe[1608] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 017F0029
.text C:\WINDOWS\System32\svchost.exe[1608] msvcrt.dll!_open 77C2F566 5 Bytes JMP 017F0000
.text C:\WINDOWS\System32\svchost.exe[1608] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 017F003A
.text C:\WINDOWS\System32\svchost.exe[1608] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 017F0FEF
.text C:\WINDOWS\System32\svchost.exe[1608] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 017A0FEF
.text C:\WINDOWS\System32\svchost.exe[1608] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01790FEF
.text C:\WINDOWS\System32\svchost.exe[1608] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01790FCA
.text C:\WINDOWS\System32\svchost.exe[1608] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01790FB9
.text C:\WINDOWS\System32\svchost.exe[1608] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01790FA8
.text C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00630FD1
.text C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00630011
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00620FEF
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!VirtualProtectEx 7C801A5D 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00620F61
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00620056
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00620F7C
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00620039
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00620FA8
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00620085
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00620F33
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00620F11
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006200AA
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00620EF6
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00620F97
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0062000A
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00620F50
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00620FB9
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00620FCA
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00620F22
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 0065002C
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0065007D
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0065001B
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00650058
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00650FC0
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00650047
.text C:\WINDOWS\system32\svchost.exe[1644] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0064004E
.text C:\WINDOWS\system32\svchost.exe[1644] msvcrt.dll!system 77C293C7 5 Bytes JMP 0064003D
.text C:\WINDOWS\system32\svchost.exe[1644] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0064001B
.text C:\WINDOWS\system32\svchost.exe[1644] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00640000
.text C:\WINDOWS\system32\svchost.exe[1644] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0064002C
.text C:\WINDOWS\system32\svchost.exe[1644] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00640FD7
.text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00780011
.text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00780FE5
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00770F85
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0077007A
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00770069
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00770FAC
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0077003D
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007700B0
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00770095
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00770F43
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007700DC
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00770F28
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0077004E
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00770011
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00770F6A
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00770022
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00770FDB
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 007700CB
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 007B0FB9
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 007B0F61
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 007B000A
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 007B0FD4
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 007B0F7C
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 007B0F8D
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 007B0F9E
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007A0FA1
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!system 77C293C7 5 Bytes JMP 007A0022
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007A0FC3
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007A0FB2
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007A0FDE
.text C:\WINDOWS\system32\svchost.exe[1696] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00790FE5
.text C:\WINDOWS\system32\svchost.exe[1820] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00700FEF
.text C:\WINDOWS\system32\svchost.exe[1820] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00700000
.text C:\WINDOWS\system32\svchost.exe[1820] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00700FCA
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 006F0000
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 006F0FA6
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 006F009B
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 006F0FB7
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 006F0080
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 006F005B
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 006F0F70
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 006F0F8B
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006F00E4
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006F0F4B
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 006F00F5
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 006F0FD4
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 006F00AC
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 006F004A
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 006F002F
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 006F00D3
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00770025
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0077006F
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0077000A
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00770FD4
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00770FB2
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00770FC3
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 0077004A
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00720F8B
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!system 77C293C7 5 Bytes JMP 00720FA6
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0072000C
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00720FEF
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00720FB7
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00720FD2
.text C:\WINDOWS\system32\svchost.exe[1820] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00710FEF
.text C:\WINDOWS\system32\dllhost.exe[3224] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\dllhost.exe[3224] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C3002C
.text C:\WINDOWS\system32\dllhost.exe[3224] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C3001B
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C20F68
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C2005D
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C20F83
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C20F94
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C20036
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C20093
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C20F57
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C20F1F
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C200AE
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00C20F04
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00C20FAF
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00C20082
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00C20025
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\system32\dllhost.exe[3224] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00C20F3A
.text C:\WINDOWS\system32\dllhost.exe[3224] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C00FBE
.text C:\WINDOWS\system32\dllhost.exe[3224] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C0003F
.text C:\WINDOWS\system32\dllhost.exe[3224] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C0002E
.text C:\WINDOWS\system32\dllhost.exe[3224] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\dllhost.exe[3224] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C00FCF
.text C:\WINDOWS\system32\dllhost.exe[3224] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C00011
.text C:\WINDOWS\system32\dllhost.exe[3224] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00C10036
.text C:\WINDOWS\system32\dllhost.exe[3224] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00C10087
.text C:\WINDOWS\system32\dllhost.exe[3224] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00C10FE5
.text C:\WINDOWS\system32\dllhost.exe[3224] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00C1001B
.text C:\WINDOWS\system32\dllhost.exe[3224] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00C1006C
.text C:\WINDOWS\system32\dllhost.exe[3224] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\dllhost.exe[3224] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00C10051
.text C:\WINDOWS\system32\dllhost.exe[3224] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00C10FCA
.text C:\WINDOWS\system32\dllhost.exe[3224] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BF0FE5
.text C:\Program Files\Messenger\msmsgs.exe[3312] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01B1000A
.text C:\Program Files\Messenger\msmsgs.exe[3312] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01B10FDE
.text C:\Program Files\Messenger\msmsgs.exe[3312] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01B10FEF
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01B00FEF
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01B00054
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01B00F5F
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01B00F70
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01B00039
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01B0000A
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01B0006F
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01B00F33
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01B00EFB
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01B00F0C
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 01B000AF
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 01B00F8D
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 01B00FD4
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01B00F4E
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01B00F9E
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 01B00FB9
.text C:\Program Files\Messenger\msmsgs.exe[3312] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 01B00080
.text C:\Program Files\Messenger\msmsgs.exe[3312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01AE0F92
.text C:\Program Files\Messenger\msmsgs.exe[3312] msvcrt.dll!system 77C293C7 5 Bytes JMP 01AE0FAD
.text C:\Program Files\Messenger\msmsgs.exe[3312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01AE000C
.text C:\Program Files\Messenger\msmsgs.exe[3312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01AE0FEF
.text C:\Program Files\Messenger\msmsgs.exe[3312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01AE001D
.text C:\Program Files\Messenger\msmsgs.exe[3312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01AE0FD2
.text C:\Program Files\Messenger\msmsgs.exe[3312] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 01AF0FBC
.text C:\Program Files\Messenger\msmsgs.exe[3312] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 01AF005B
.text C:\Program Files\Messenger\msmsgs.exe[3312] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 01AF0FCD
.text C:\Program Files\Messenger\msmsgs.exe[3312] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 01AF0FDE
.text C:\Program Files\Messenger\msmsgs.exe[3312] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 01AF004A
.text C:\Program Files\Messenger\msmsgs.exe[3312] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 01AF0FEF
.text C:\Program Files\Messenger\msmsgs.exe[3312] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 01AF0039
.text C:\Program Files\Messenger\msmsgs.exe[3312] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 01AF0028
.text C:\Program Files\Messenger\msmsgs.exe[3312] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01AD000A
.text C:\Program Files\Messenger\msmsgs.exe[3312] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E50FE5
.text C:\Program Files\Messenger\msmsgs.exe[3312] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E50FCA
.text C:\Program Files\Messenger\msmsgs.exe[3312] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E50FAF
.text C:\Program Files\Messenger\msmsgs.exe[3312] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E50F94

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\mfevtps.exe[1532] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00407740] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\WINDOWS\system32\mfevtps.exe[1532] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004077A0] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}@ Wireless
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}@ProcessGroupPolicy ProcessWIRELESSPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}@DllName gptext.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@ Folder Redirection
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@ProcessGroupPolicyEx ProcessGroupPolicyEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@DllName fdeploy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoMachinePolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoSlowLink 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@PerUserLocalSettings 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoGPOListChanges 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoBackgroundPolicy 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@GenerateGroupPolicy GenerateGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@EventSources (Folder Redirection,Application)?
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@ Microsoft Disk Quota
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoMachinePolicy 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoSlowLink 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoBackgroundPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@PerUserLocalSettings 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@RequiresSuccessfulRegistry 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@EnableAsynchronousProcessing 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@DllName dskquota.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@ProcessGroupPolicy ProcessGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@ QoS Packet Scheduler
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@ProcessGroupPolicy ProcessPSCHEDPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@DllName gptext.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@ Scripts
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@ProcessGroupPolicy ProcessScriptsGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@ProcessGroupPolicyEx ProcessScriptsGroupPolicyEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@GenerateGroupPolicy GenerateScriptsGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@DllName gptext.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@NoSlowLink 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@NotifyLinkTransition 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@ Internet Explorer Zonemapping
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@DllName C:\WINDOWS\system32\iedkcs32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@ProcessGroupPolicy ProcessGroupPolicyForZoneMap
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@RequiresSucessfulRegistry 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@DisplayName @C:\WINDOWS\system32\iedkcs32.dll.mui,-3051
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@RequiresSuccessfulRegistry 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@ Internet Explorer User Accelerators
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@DisplayName @C:\WINDOWS\system32\iedkcs32.dll.mui,-3051
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@DllName C:\WINDOWS\system32\iedkcs32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@ProcessGroupPolicy ProcessGroupPolicyForActivities
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@ProcessGroupPolicyEx ProcessGroupPolicyForActivitiesEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@RequiresSuccessfulRegistry 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ProcessGroupPolicy SceProcessSecurityPolicyGPO
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@GenerateGroupPolicy SceGenerateGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ExtensionRsopPlanningDebugLevel 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ProcessGroupPolicyEx SceProcessSecurityPolicyGPOEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ExtensionDebugLevel 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@DllName scecli.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ Security
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@EnableAsynchronousProcessing 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@MaxNoGPOListChangesInterval 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@ProcessGroupPolicyEx ProcessGroupPolicyEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@GenerateGroupPolicy GenerateGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@ProcessGroupPolicy ProcessGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@DllName C:\WINDOWS\system32\iedkcs32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@ Internet Explorer Branding
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoSlowLink 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoBackgroundPolicy 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoMachinePolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@DisplayName @C:\WINDOWS\system32\iedkcs32.dll.mui,-3014
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@ProcessGroupPolicy SceProcessEFSRecoveryGPO
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@DllName scecli.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@ EFS recovery
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@RequiresSuccessfulRegistry 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@ Microsoft Offline Files
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@DllName %SystemRoot%\System32\cscui.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@EnableAsynchronousProcessing 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoBackgroundPolicy 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoGPOListChanges 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoMachinePolicy 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoSlowLink 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@PerUserLocalSettings 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@ProcessGroupPolicy ProcessGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@RequiresSuccessfulRegistry 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@ Software Installation
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@DllName appmgmts.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@ProcessGroupPolicyEx ProcessGroupPolicyObjectsEx

---- EOF - GMER 1.0.15 ----

Security Check Log
Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 2
Out of date service pack!!
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
McAfee SecurityCenter
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 20
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player
Adobe Reader 6.0.1
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

Mini ToolBox Log
MiniToolBox by Farbar
Ran by Darlene (administrator) on 10-07-2011 at 17:16:38
Microsoft Windows XP Service Pack 2 (X86)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : DCPYDQ81
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ri.cox.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : ri.cox.net
Description . . . . . . . . . . . : Intel® PRO/1000 PL Network Connection
Physical Address. . . . . . . . . : 00-12-3F-79-8A-4C
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 68.9.176.189
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 68.9.176.1
DHCP Server . . . . . . . . . . . : 172.19.65.19
DNS Servers . . . . . . . . . . . : 68.105.28.11
68.105.29.11
68.105.28.12
Lease Obtained. . . . . . . . . . : Sunday, July 10, 2011 17:11:32
Lease Expires . . . . . . . . . . : Monday, July 11, 2011 17:11:32
Server: cdns1.cox.net
Address: 68.105.28.11

DNS request timed out.
timeout was 2 seconds.
Name: google.com
Addresses: 74.125.93.147, 74.125.93.99, 74.125.93.103, 74.125.93.104
74.125.93.105, 74.125.93.106


Pinging google.com [74.125.93.105] with 32 bytes of data:

Reply from 74.125.93.105: bytes=32 time=28ms TTL=53
Reply from 74.125.93.105: bytes=32 time=28ms TTL=53

Ping statistics for 74.125.93.105:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 28ms, Maximum = 28ms, Average = 28ms
Server: cdns1.cox.net
Address: 68.105.28.11

Name: yahoo.com
Addresses: 72.30.2.43, 98.137.149.56, 209.191.122.70, 67.195.160.76
69.147.125.65


Pinging yahoo.com [67.195.160.76] with 32 bytes of data:

Reply from 67.195.160.76: bytes=32 time=21ms TTL=54
Reply from 67.195.160.76: bytes=32 time=19ms TTL=54

Ping statistics for 67.195.160.76:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 19ms, Maximum = 21ms, Average = 20ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 12 3f 79 8a 4c ...... Intel® PRO/1000 PL Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 68.9.176.1 68.9.176.189 20
68.9.176.0 255.255.254.0 68.9.176.189 68.9.176.189 20
68.9.176.189 255.255.255.255 127.0.0.1 127.0.0.1 20
68.255.255.255 255.255.255.255 68.9.176.189 68.9.176.189 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 68.9.176.189 68.9.176.189 20
224.0.0.0 240.0.0.0 68.9.176.189 68.9.176.189 20
255.255.255.255 255.255.255.255 68.9.176.189 68.9.176.189 1
Default Gateway: 68.9.176.1
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/09/2011 06:22:38 PM) (Source: Application Error) (User: )
Description: Fault bucket -1772326163.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (07/09/2011 06:22:33 PM) (Source: Application Error) (User: )
Description: Faulting application 31.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x0014bb6e.
Processing media-specific event for [31.exe!ws!]

Error: (06/24/2011 01:55:41 PM) (Source: Application Error) (User: )
Description: Faulting application itunes.exe, version 10.2.1.1, faulting module quicktime.qts, version 7.69.80.9, fault address 0x00104124.
Processing media-specific event for [itunes.exe!ws!]

Error: (06/21/2011 07:20:42 AM) (Source: Application Error) (User: )
Description: Faulting application itunes.exe, version 10.2.1.1, faulting module quicktime.qts, version 7.69.80.9, fault address 0x00104124.
Processing media-specific event for [itunes.exe!ws!]

Error: (06/17/2011 08:38:47 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks Simple Start":An attempt to LogOff without a logon.

Error: (06/17/2011 08:37:04 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":Returning NULL QBWinInstance Handle

Error: (06/17/2011 08:37:04 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":Returning NULL QBWinInstance Handle

Error: (06/17/2011 08:37:04 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":Returning NULL QBWinInstance Handle

Error: (06/17/2011 01:34:47 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks Simple Start":tlg file removal failed because the file was still open.

Error: (06/17/2011 01:31:01 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":Returning NULL QBWinInstance Handle


System errors:
=============
Error: (07/10/2011 05:11:50 PM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2

Error: (07/10/2011 05:06:59 PM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2

Error: (07/10/2011 05:05:28 PM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.100.2 on the
Network Card with network address 00123F798A4C.

Error: (07/10/2011 05:05:05 PM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.100.2 on the
Network Card with network address 00123F798A4C.

Error: (07/10/2011 05:04:59 PM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2

Error: (07/10/2011 05:04:45 PM) (Source: Dhcp) (User: )
Description: The IP address lease 68.9.176.189 for the Network Card with network address 00123F798A4C has been
denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).

Error: (07/10/2011 04:54:37 PM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2

Error: (07/10/2011 07:38:27 AM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2

Error: (07/10/2011 05:21:40 AM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2

Error: (07/09/2011 07:26:53 PM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2


Microsoft Office Sessions:
=========================
Error: (07/09/2011 06:22:38 PM) (Source: Application Error)(User: )
Description: -1772326163

Error: (07/09/2011 06:22:33 PM) (Source: Application Error)(User: )
Description: 31.exe0.0.0.0unknown0.0.0.00014bb6e

Error: (06/24/2011 01:55:41 PM) (Source: Application Error)(User: )
Description: itunes.exe10.2.1.1quicktime.qts7.69.80.900104124

Error: (06/21/2011 07:20:42 AM) (Source: Application Error)(User: )
Description: itunes.exe10.2.1.1quicktime.qts7.69.80.900104124

Error: (06/17/2011 08:38:47 AM) (Source: QuickBooks)(User: )
Description: QuickBooks Simple StartAn attempt to LogOff without a logon.

Error: (06/17/2011 08:37:04 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (06/17/2011 08:37:04 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (06/17/2011 08:37:04 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (06/17/2011 01:34:47 AM) (Source: QuickBooks)(User: )
Description: QuickBooks Simple Starttlg file removal failed because the file was still open.

Error: (06/17/2011 01:31:01 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle


========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 25%
Total physical RAM: 2558.09 MB
Available physical RAM: 1895.43 MB
Total Pagefile: 3168.29 MB
Available Pagefile: 2567.59 MB
Total Virtual: 2047.88 MB
Available Virtual: 1999.02 MB

======================= Partitions: =======================================

1 Drive c: () (Fixed) (Total:69.79 GB) (Free:20.29 GB) NTFS
4 Drive g: (My Book) (Fixed) (Total:465.65 GB) (Free:330.7 GB) FAT32

================= Users: ==================================================

User accounts for \\DCPYDQ81

-------------------------------------------------------------------------------
Administrator Darlene Guest
HelpAssistant Kyle SUPPORT_388945a0
The command completed successfully.

================= End of Users ============================================

#6 cryptodan


Posted 12 July 2011 - 07:08 PM

I would recommend updating to SP3, and downloading the latest Java from here http://www.java.com.



