Removed XP 2012 and still have problems



#1 kammel78


Posted 12 December 2011 - 09:21 PM

I followed all the steps to remove the XP 2012 virus and am still getting Internet Explorer redirects and problems with Outlook. Any ideas? Here are the logs I was able to pull...

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
McAfee VirusScan Enterprise
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 24
Out of date Java installed!
Adobe Flash Player ( 10.0.42.34) Flash Player Out of Date!
Adobe Reader X (10.1.1)
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee VirusScan Enterprise mcshield.exe
McAfee VirusScan Enterprise vstskmgr.exe
``````````End of Log````````````



MiniToolBox by Farbar
Ran by User (administrator) on 12-12-2011 at 19:23:27
Microsoft Windows XP Professional Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

Hosts file not detected in the default directory
========================= IP Configuration: ================================

Cisco Systems VPN Adapter = Local Area Connection 3 (Disconnected)
Bluetooth LAN Access Server Driver = Bluetooth Network (Disconnected)
Intel® WiFi Link 5100 AGN = Wireless Network Connection (Connected)
1394 Net Adapter = 1394 Connection (Connected)
The following helper DLL cannot be loaded: IFMON.DLL.
The following command was not found: int ip dump.


Windows IP Configuration

Host Name . . . . . . . . . . . . : CNU9412Z7N
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.la.comcast.net.

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : hsd1.la.comcast.net.
Description . . . . . . . . . . . : Intel® WiFi Link 5100 AGN
Physical Address. . . . . . . . . : 00-1E-65-D7-D8-52
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.199
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
Lease Obtained. . . . . . . . . . : Monday, December 12, 2011 6:59:01 PM
Lease Expires . . . . . . . . . . : Tuesday, December 13, 2011 6:59:01 PM

Pinging google.com [74.125.45.147] with 32 bytes of data:

Reply from 74.125.45.147: bytes=32 time=39ms TTL=49
Reply from 74.125.45.147: bytes=32 time=56ms TTL=49

Ping statistics for 74.125.45.147:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 39ms, Maximum = 56ms, Average = 47ms

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:

Reply from 72.30.2.43: bytes=32 time=82ms TTL=47
Reply from 72.30.2.43: bytes=32 time=82ms TTL=47

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 82ms, Maximum = 82ms, Average = 82ms

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x3 ...00 1e 65 d7 d8 52 ...... Intel® WiFi Link 5100 AGN - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.199 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.0.199 192.168.0.199 20
192.168.0.0 255.255.255.0 192.168.0.199 192.168.0.199 10
192.168.0.199 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.0.255 255.255.255.255 192.168.0.199 192.168.0.199 10
224.0.0.0 240.0.0.0 192.168.0.199 192.168.0.199 10
255.255.255.255 255.255.255.255 192.168.0.199 192.168.0.199 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [File Not found] ()
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()
Catalog9 16 mswsock.dll [File Not found] ()
Catalog9 17 mswsock.dll [File Not found] ()
Catalog9 18 mswsock.dll [File Not found] ()
Catalog9 19 mswsock.dll [File Not found] ()
Catalog9 20 mswsock.dll [File Not found] ()
Catalog9 21 mswsock.dll [File Not found] ()
Catalog9 22 mswsock.dll [File Not found] ()
Catalog9 23 mswsock.dll [File Not found] ()
Catalog9 24 mswsock.dll [File Not found] ()
Catalog9 25 mswsock.dll [File Not found] ()
Catalog9 26 mswsock.dll [File Not found] ()
Catalog9 27 mswsock.dll [File Not found] ()
Catalog9 28 mswsock.dll [File Not found] ()
Catalog9 29 mswsock.dll [File Not found] ()
Catalog9 30 mswsock.dll [File Not found] ()
Catalog9 31 mswsock.dll [File Not found] ()
Catalog9 32 mswsock.dll [File Not found] ()
Catalog9 33 mswsock.dll [File Not found] ()
Catalog9 34 mswsock.dll [File Not found] ()
Catalog9 35 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/07/2011 06:37:09 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 7.0.6000.17103, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (12/05/2011 10:56:26 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 7.0.6000.17103, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (12/02/2011 08:02:43 PM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: A thread in process C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 2700 (0xa8c)

Thread address : 0x7C90E514

Thread message :

Build VSCORE.13.3.2.125 / 5400.1158
Object being scanned = \Device\HarddiskVolume1\WINDOWS\system32\WBEM\Logs\wmiprov.log
by C:\WINDOWS\system32\wbem\wmiprvse.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Error: (12/01/2011 09:14:57 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 7.0.6000.17103, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/22/2011 06:58:32 AM) (Source: Microsoft Office 12) (User: )
Description: EventType officelifeboathang, P1 outlook.exe, P2 12.0.6562.5003, P3 ntdll.dll, P4 5.1.2600.6055, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 officelifeboathang0, P10 officelifeboathang1.

Error: (11/21/2011 06:05:49 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 7.0.6000.17103, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/18/2011 00:34:12 PM) (Source: Application Hang) (User: )
Description: Hanging application OUTLOOK.EXE, version 12.0.6562.5003, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/18/2011 00:32:49 PM) (Source: Microsoft Office 12) (User: )
Description: EventType officelifeboathang, P1 outlook.exe, P2 12.0.6562.5003, P3 ntdll.dll, P4 5.1.2600.6055, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 officelifeboathang0, P10 officelifeboathang1.

Error: (11/17/2011 06:39:12 AM) (Source: McLogEvent) (User: )
Description: The McShield service terminated unexpectedly.

Please review event 5019 or 5051 for details.
The McShield service will be restarted in 5 seconds;

Error: (11/17/2011 06:39:02 AM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: A thread in process C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 3492 (0xda4)

Thread address : 0x7C90E514

Thread message :

Build VSCORE.13.3.2.125 / 5400.1158
Object being scanned = \Device\HarddiskVolume1\WINDOWS\system32\WBEM\Logs\wmiprov.log
by C:\WINDOWS\system32\wbem\wmiprvse.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)


System errors:
=============
Error: (12/12/2011 07:23:49 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/12/2011 07:23:47 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/12/2011 07:23:45 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/12/2011 07:23:44 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/12/2011 07:23:42 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/12/2011 07:23:40 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/12/2011 07:23:38 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/12/2011 07:23:37 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/12/2011 07:23:35 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/12/2011 07:23:33 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127


Microsoft Office Sessions:
=========================
Error: (04/22/2011 08:50:44 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 173940 seconds with 900 seconds of active time. This session ended with a crash.

Error: (10/20/2010 08:27:47 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 5597 seconds with 3420 seconds of active time. This session ended with a crash.

Error: (10/14/2010 07:06:18 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 6435 seconds with 60 seconds of active time. This session ended with a crash.

Error: (09/13/2010 00:57:16 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6535.5002, Microsoft Office Version: 12.0.6425.1000. This session lasted 7168 seconds with 3540 seconds of active time. This session ended with a crash.

Error: (07/25/2010 05:50:39 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6535.5005, Microsoft Office Version: 12.0.6425.1000. This session lasted 118407 seconds with 1080 seconds of active time. This session ended with a crash.

Error: (05/06/2010 09:38:14 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6524.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 2502 seconds with 1200 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================


(Version: 1.0.0.15)
7-Zip 9.20
Adobe AIR (Version: 2.5.1.17730)
Adobe Flash Player 10 Plugin (Version: 10.0.42.34)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Reader X (10.1.1) (Version: 10.1.1)
Agere Systems HDA Modem
AuthenTec Fingerprint System (Version: 8.0.100.25)
Bonjour (Version: 2.0.5.0)
Broadcom NetXtreme Ethernet Controller (Version: 10.52.10)
Cisco Systems VPN Client 5.0.04.0300 (Version: 5.0.4)
clicktocall (Version: 1.0.0)
Collaboration Client 2.0 (Version: 5.1.0.0)
Dell Laser MFP 1815 Software Uninstall
Embedded Security for HP ProtectTools Driver (Version: 5.5.100)
HP Common Access Service Library (Version: 2.00 E6)
HP Integrated Module with Bluetooth wireless technology (Version: 5.1.0.4802)
HP Quick Launch Buttons 6.40 L2 (Version: 6.40 L2)
Intel® Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
Java Auto Updater (Version: 2.0.3.1)
Java™ 6 Update 24 (Version: 6.0.240)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
McAfee VirusScan Enterprise (Version: 8.6.0)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Access database engine 2010 (English) (Version: 14.0.6029.1000)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft English TTS Engine (Version: 2.0.1000.0)
Microsoft IntelliPoint 7.0 (Version: 7.0.260.0)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Primary Interop Assemblies (Version: 12.0.4518.1014)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access database engine 2007 (English) (Version: 12.0.6425.1000)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Professional Plus 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Primary Interoperability Assemblies 2005 (Version: 8.0.50727.42)
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs (Version: 12.0.4518.1014)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable Package (Version: 1.0.0)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual Studio 2005 Tools for Office Runtime (Version: 8.0.60816.0)
Microsoft WinUsb 1.0
MotoHelper MergeModules (Version: 1.2.0)
Mozilla Firefox 8.0 (x86 en-US) (Version: 8.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
PANTECH USB Modem V2 (Version: 1.2.4151.1109)
QuickTime (Version: 7.69.80.9)
Revo Uninstaller 1.93 (Version: 1.93)
SAPI Wrapper (Version: 1.0.0.0)
SoundMAX (Version: 5.10.01.5880)
Synaptics Pointing Device Driver (Version: 11.0.7.0)
Topaz e-Signatures SigPlus 3.74 (Version: 3.74)
TTS Wrapper (Version: 1.0.0.0)
Uninstall Dell PC Fax
Visual Studio 2005 Tools for Office Second Edition Runtime
VZAccess Manager (Version: 7.2.12.2)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3 (Version: 20080414.031525)
Zip Motion Block Video codec (Remove Only)

========================= Memory info: ===================================

Percentage of memory in use: 65%
Total physical RAM: 1976.19 MB
Available physical RAM: 691.06 MB
Total Pagefile: 3868.21 MB
Available Pagefile: 2544.2 MB
Total Virtual: 2047.88 MB
Available Virtual: 1974.6 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:298.09 GB) (Free:270.6 GB) NTFS

========================= Users: ========================================

User accounts for \\CNU9412Z7N

ASPNET Guest HelpAssistant
John.McKittrick SUPPORT_388945a0 User


**** End of log ****


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-12 20:20:36
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FC4O
Running: ogepghmi.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\kwdiypoc.sys


---- System - GMER 1.0.15 ----

SSDT spju.sys ZwCreateKey [0xB9EA80E0]
SSDT spju.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spju.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT spju.sys ZwOpenKey [0xB9EA80C0]
SSDT spju.sys ZwQueryKey [0xB9EC7108]
SSDT spju.sys ZwQueryValueKey [0xB9EC6F88]
SSDT spju.sys ZwSetValueKey [0xB9EC719A]

INT 0x63 ? 89B79BF8
INT 0x73 ? 89B79BF8
INT 0x73 ? 89B79BF8
INT 0x74 ? 89B79BF8
INT 0x83 ? 89B79BF8
INT 0x84 ? 89B79BF8
INT 0x94 ? 89B79BF8
INT 0xB4 ? 8A66BBF8

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x96AD78C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x96AD78EB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0x96AD7855]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0x96AD7881]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x96AD7915]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x96AD78D5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0x96AD786B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x96AD78AD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x96AD792B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x96AD78FF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP 96AD7903 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 805790A8 5 Bytes JMP 96AD78C5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP 96AD7919 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP 96AD792F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B841E 7 Bytes JMP 96AD78D9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D1230 5 Bytes JMP 96AD78EF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP 96AD78B1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP 96AD786F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP 96AD7859 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP 96AD7885 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? rnmtsttj.sys The system cannot find the file specified. !
? spju.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B95168AC 5 Bytes JMP 89B791D8

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A80062
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A80F6D
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A80F94
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A80051
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A80FCA
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A80F2D
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A80F48
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A800AB
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A8009A
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A800BC
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A80FAF
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A80073
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A80036
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A80025
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A80F1C
.text C:\WINDOWS\system32\svchost.exe[244] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A7002C
.text C:\WINDOWS\system32\svchost.exe[244] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A70F94
.text C:\WINDOWS\system32\svchost.exe[244] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A7001B
.text C:\WINDOWS\system32\svchost.exe[244] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A70FE5
.text C:\WINDOWS\system32\svchost.exe[244] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A70FAF
.text C:\WINDOWS\system32\svchost.exe[244] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[244] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A70051
.text C:\WINDOWS\system32\svchost.exe[244] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A70FC0
.text C:\WINDOWS\system32\svchost.exe[244] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A60025
.text C:\WINDOWS\system32\svchost.exe[244] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A60014
.text C:\WINDOWS\system32\svchost.exe[244] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A60FB5
.text C:\WINDOWS\system32\svchost.exe[244] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A60FE3
.text C:\WINDOWS\system32\svchost.exe[244] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A60FA4
.text C:\WINDOWS\system32\svchost.exe[244] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A60FC6
.text C:\WINDOWS\system32\svchost.exe[244] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A50000
.text C:\WINDOWS\system32\svchost.exe[244] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[244] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\svchost.exe[244] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\svchost.exe[244] WININET.dll!InternetOpenUrlW 3D9984A1 5 Bytes JMP 00BA0FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[404] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 024F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[404] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0259000A
.text C:\Program Files\Internet Explorer\iexplore.exe[404] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 024E000C
.text C:\Program Files\Internet Explorer\iexplore.exe[404] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00350011
.text C:\Program Files\Internet Explorer\iexplore.exe[404] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00350051
.text C:\Program Files\Internet Explorer\iexplore.exe[404] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00350FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[404] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00350000
.text C:\Program Files\Internet Explorer\iexplore.exe[404] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00350040
.text C:\Program Files\Internet Explorer\iexplore.exe[404] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00350FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[404] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00350F94
.text C:\Program Files\Internet Explorer\iexplore.exe[404] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [55, 88]
.text C:\Program Files\Internet Explorer\iexplore.exe[404] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00350FA5
.text C:\Program Files\Internet Explorer\iexplore.exe[404] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[404] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3528F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[404] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E352877 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[404] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3528BB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[404] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E352803 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[404] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E35283D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[404] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352931 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[404] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E201762 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[404] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0036001B
.text C:\Program Files\Internet Explorer\iexplore.exe[404] msvcrt.dll!system 77C293C7 5 Bytes JMP 00360F90
.text C:\Program Files\Internet Explorer\iexplore.exe[404] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00360FC6
.text C:\Program Files\Internet Explorer\iexplore.exe[404] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[404] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00360FB5
.text C:\Program Files\Internet Explorer\iexplore.exe[404] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00360000
.text C:\Program Files\Internet Explorer\iexplore.exe[404] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E352AF3 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01950FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01950F57
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0195004C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01950F72
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0195002F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0195001E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01950F3A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01950082
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 019500AE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01950F15
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01950EFA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01950F97
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01950FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01950071
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01950FB2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01950FCD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01950093
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01940022
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01940FA2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01940011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01940FDB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0194005F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01940000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01940044
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01940033
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01930031
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] msvcrt.dll!system 77C293C7 5 Bytes JMP 01930FA6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01930FD2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01930FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01930FC1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0193000C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[888] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006B0000
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F43
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0038
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0F5E
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0F79
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FA5
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0089
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD006E
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0F0B
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD00A4
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD0EF0
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0F94
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0FCA
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0053
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F26
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FCA
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F8A
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930011
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930F9B
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00930047
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0093002C
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920036
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920025
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FC6
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FB5
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00900FC3
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenUrlW 3D9984A1 5 Bytes JMP 00900014
.text C:\WINDOWS\system32\svchost.exe[1236] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0F55
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC004A
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0F7C
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0F8D
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0025
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F24
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0076
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0EEE
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0F09
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC00A2
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0F9E
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC0065
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0FC3
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC0087
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0040
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0FA1
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0025
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0FB2
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BB0FC3
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DB, 88]
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0FDE
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0F86
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0F97
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0FCD
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA0FB2
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC009D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC0FA8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC0080
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC0FCD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC0054
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC00D5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC00B8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC0F4D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC00F0
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DC0F3C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DC0065
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DC0025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DC0F8D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DC0FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DC0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DC0F72
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DB0FC3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DB004A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DB0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DB0FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DB0F8D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DB0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DB0039
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DB0FB2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DA0F90
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DA0FA1
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DA0FCD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DA0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DA0FBC
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DA0011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070071
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F86
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F97
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FB2
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F5A
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F6B
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F1A
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F2B
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070F09
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070096
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000700B3
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060080
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060065
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060040
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050F8D
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050F9E
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FDE
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FC3
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050018
.text C:\WINDOWS\system32\services.exe[1412] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F6D
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0F7E
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0062
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0051
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0FC0
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF009F
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF008E
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF00CE
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F35
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF00E9
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0FAF
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF007D
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0FD1
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0022
.text C:\WINDOWS\system32\lsass.exe[1424] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0F46
.text C:\WINDOWS\system32\lsass.exe[1424] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0FB9
.text C:\WINDOWS\system32\lsass.exe[1424] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0F79
.text C:\WINDOWS\system32\lsass.exe[1424] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\system32\lsass.exe[1424] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\lsass.exe[1424] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0036
.text C:\WINDOWS\system32\lsass.exe[1424] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\lsass.exe[1424] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FE0025
.text C:\WINDOWS\system32\lsass.exe[1424] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0F9E
.text C:\WINDOWS\system32\lsass.exe[1424] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E40FDE
.text C:\WINDOWS\system32\lsass.exe[1424] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E40069
.text C:\WINDOWS\system32\lsass.exe[1424] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E40033
.text C:\WINDOWS\system32\lsass.exe[1424] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\lsass.exe[1424] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E40044
.text C:\WINDOWS\system32\lsass.exe[1424] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E4000C
.text C:\WINDOWS\system32\lsass.exe[1424] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E30FE5
.text C:\WINDOWS\system32\lsass.exe[1424] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\lsass.exe[1424] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\lsass.exe[1424] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00E20025
.text C:\WINDOWS\system32\lsass.exe[1424] WININET.dll!InternetOpenUrlW 3D9984A1 5 Bytes JMP 00E20036
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EF0000
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EF006E
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EF0F79
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EF0F8A
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EF0F9B
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EF0FB6
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EF00A4
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EF0093
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EF00BF
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EF0F30
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EF00DA
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EF003D
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EF0011
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EF0F68
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EF0FC7
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EF0022
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EF0F4B
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EE0025
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EE005B
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EE0014
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EE0FDE
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EE0040
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EE0FA8
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0E, 89]
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EE0FB9
.text C:\WINDOWS\system32\svchost.exe[1608] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00ED0047
.text C:\WINDOWS\system32\svchost.exe[1608] msvcrt.dll!system 77C293C7 5 Bytes JMP 00ED0036
.text C:\WINDOWS\system32\svchost.exe[1608] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00ED0000
.text C:\WINDOWS\system32\svchost.exe[1608] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00ED0FE3
.text C:\WINDOWS\system32\svchost.exe[1608] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00ED001B
.text C:\WINDOWS\system32\svchost.exe[1608] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00ED0FD2
.text C:\WINDOWS\system32\svchost.exe[1608] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0103000A
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0103008C
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01030F97
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01030071
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01030FA8
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01030040
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01030F66
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010300B8
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01030F1F
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01030F30
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01030F0E
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01030FC3
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01030FE5
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0103009D
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01030025
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01030FD4
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01030F4B
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01020FAF
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01020040
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0102000A
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01020FDE
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0102002F
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01020FEF
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01020F83
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [22, 89]
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01020F9E
.text C:\WINDOWS\system32\svchost.exe[1692] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0101004E
.text C:\WINDOWS\system32\svchost.exe[1692] msvcrt.dll!system 77C293C7 5 Bytes JMP 01010033
.text C:\WINDOWS\system32\svchost.exe[1692] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01010FCD
.text C:\WINDOWS\system32\svchost.exe[1692] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01010000
.text C:\WINDOWS\system32\svchost.exe[1692] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01010022
.text C:\WINDOWS\system32\svchost.exe[1692] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01010011
.text C:\WINDOWS\system32\svchost.exe[1692] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[1692] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1692] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00FE001B
.text C:\WINDOWS\system32\svchost.exe[1692] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\svchost.exe[1692] WININET.dll!InternetOpenUrlW 3D9984A1 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FF000A
.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0145000A
.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FE000C
.text C:\WINDOWS\System32\svchost.exe[1748] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03790FE5
.text C:\WINDOWS\System32\svchost.exe[1748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0379004A
.text C:\WINDOWS\System32\svchost.exe[1748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03790039
.text C:\WINDOWS\System32\svchost.exe[1748] kernel32.dll!LoadLibraryExW 7C801AF5 3 Bytes JMP 03790F6B
.text C:\WINDOWS\System32\svchost.exe[1748] kernel32.dll!LoadLibraryExW + 4 7C801AF9 1 Byte [86]
.text C:\WINDOWS\System32\svchost.exe[1748] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03790028
.text C:\WINDOWS\System32\svchost.exe[1748] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03790F97
.text C:\WINDOWS\System32\svchost.exe[1748] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03790091

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB9048] spju.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1996] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [00F42BC8] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1996] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!UnhandledExceptionFilter] [00F42CE9] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1996] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!TerminateProcess] [00F42CB8] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A66A1F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8A5631F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A6DC1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A6DC1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A6DC1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A6DC1F8
Device \Driver\usbuhci \Device\USBPDO-1 8A5631F8
Device \Driver\usbuhci \Device\USBPDO-2 8A5631F8
Device \Driver\usbehci \Device\USBPDO-3 8A5571F8
Device \Driver\usbuhci \Device\USBPDO-4 8A5631F8

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBPDO-5 8A5631F8
Device \Driver\usbuhci \Device\USBPDO-6 8A5631F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A66C1F8
Device \Driver\usbehci \Device\USBPDO-7 8A5571F8
Device \Driver\Cdrom \Device\CdRom0 89AEC1F8
Device \Driver\iaStor \Device\Ide\iaStor0 [B9D82EB0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [B9D82EB0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [B9D82EB0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 86B681F8
Device \Driver\NetBT \Device\NetbiosSmb 86B681F8

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 8A5631F8
Device \Driver\usbuhci \Device\USBFDO-1 8A5631F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86B5E1F8
Device \Driver\usbuhci \Device\USBFDO-2 8A5631F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86B5E1F8
Device \Driver\usbehci \Device\USBFDO-3 8A5571F8
Device \Driver\usbuhci \Device\USBFDO-4 8A5631F8
Device \Driver\Ftdisk \Device\FtControl 8A66C1F8
Device \Driver\usbuhci \Device\USBFDO-5 8A5631F8
Device \Driver\usbuhci \Device\USBFDO-6 8A5631F8
Device \Driver\usbehci \Device\USBFDO-7 8A5571F8
Device \FileSystem\Cdfs \Cdfs 8655A1F8

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) A8074000-A808B000 (94208 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB31084$\2977417243 0 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\bckfg.tmp 850 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\keywords 140 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\L 0 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\L\crbxyvmp 75264 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\U 0 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB31084$\2977417243\U\80000032.@ 98304 bytes
File C:\WINDOWS\$NtUninstallKB31084$\3528662658 0 bytes

---- EOF - GMER 1.0.15 ----

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

#2 kammel78


Posted 13 December 2011 - 09:50 AM

Posted logs to the log forum.

#3 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:33 AM

Posted 13 December 2011 - 12:23 PM

You'll need more advanced help.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

#4 kammel78


Posted 13 December 2011 - 01:20 PM

Thanks...topic started and logs posted!

#5 Broni


Posted 13 December 2011 - 01:58 PM

Cool :)
