Removed Win 7 security malware BUT no internet


12 replies to this topic

#1 nilla1989

Posted 28 December 2011 - 09:35 PM

Hi All,

Noted that I had the Win 7 security bug and fixed it using MBAM. After that, ran Kaspersky Anti-virus and came up with an issue that was resolved. Uninstalled McAfee (my original anti-virus protection before all this happened) and downloaded most recent version with a clean install. Throughout all this, hadn't restarted my computer. Finally did and now it says Connected to my wifi, but "No Internet access." Currently typing and posting on another laptop connected to the same wifi.

Infected laptop running Windows 7 Professional with Service Pack 1.

Found similar topic with similar problem here on the forums (topic433982) and I followed through with the first through posts. The FSS log is EXACTLY the same. The SystemLook log is different. Both are posted below. Suggestions and advice very welcome and appreciated!

Farbar Service Scanner
Ran by Willa (administrator) on 28-12-2011 at 20:41:52
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

SystemLook 30.07.11 by jpshortstuff
Log created at 20:47 on 28/12/2011 by Willa
Administrator - Elevation successful

========== filefind ==========

Searching for "tdx.sys"
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys --a---- 74240 bytes [23:12 13/07/2009] [23:12 13/07/2009] CB39E896A2A83702D1737BFD402B3542
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys --a---- 74752 bytes [23:17 01/06/2011] [08:39 20/11/2010] 17656E94501E589668DD6BD93F888CB1

========== reg ==========

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\tdx]
"DisplayName"="@%SystemRoot%\system32\tcpipcfg.dll,-50004"
"Group"="PNP_TDI"
"ImagePath"="system32\DRIVERS\tdx.sys"
"ErrorControl"= 0x0000000001 (1)
"Start"= 0x0000000001 (1)
"Tag"= 0x0000000004 (4)
"Type"= 0x0000000001 (1)
"DependOnService"="Tcpip"
"Description"="@%SystemRoot%\system32\tcpipcfg.dll,-50004"

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\tdx\Enum]
"0"="Root\LEGACY_TDX\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)
"INITSTARTFAILED"= 0x0000000001 (1)


-= EOF =-


#2 Broni

Posted 28 December 2011 - 09:44 PM

Welcome aboard

You have one system file missing.

Download following file: http://www.filedropper.com/fix_4
Double click on it to run the fix.

Restart computer, check your internet connection and post new FSS log.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 Broni

Posted 28 December 2011 - 09:45 PM

When re-running FSS make sure you have the newest version...

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#4 nilla1989

Posted 28 December 2011 - 09:57 PM

Thanks for the quick response Broni!

Double clicked the fix and it looked like it popped up a command window and then closed it really fast. (Hoping that meant it ran.)

Then restarted and still no internet.

Ran re-downloaded FSS. Report below:

Farbar Service Scanner
Ran by Willa (administrator) on 28-12-2011 at 21:54:51
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys
[2011-12-28 21:05] - [2011-12-28 21:03] - 0074277 ____A () 23C2EAF0F402D9764ACC97A881505444

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#5 Broni

Posted 28 December 2011 - 10:05 PM

This tdx.sys file is not good.
Upon copying it changed its size and MD5 number, which makes me believe your computer is still infected.

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE
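
The comparison described in post #5, as an added example that is not part of the original thread: it parses the SystemLook `filefind` lines and the FSS "File Check" section, then checks whether a file FSS could not verify matches any component-store (WinSxS) copy by size and MD5. The log excerpts are copied from posts #1 and #4; the function names and verdict strings are assumptions made for this example.

```python
import re
from ntpath import basename  # handles Windows paths on any OS

# Excerpts copied from the SystemLook log (post #1) and the FSS File Check (post #4).
SYSTEMLOOK_LOG = r"""
Searching for "tdx.sys"
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys --a---- 74240 bytes [23:12 13/07/2009] [23:12 13/07/2009] CB39E896A2A83702D1737BFD402B3542
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys --a---- 74752 bytes [23:17 01/06/2011] [08:39 20/11/2010] 17656E94501E589668DD6BD93F888CB1
"""

FSS_FILE_CHECK = r"""
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys
[2011-12-28 21:05] - [2011-12-28 21:03] - 0074277 ____A () 23C2EAF0F402D9764ACC97A881505444

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
"""

SL_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \S+ (?P<size>\d+) bytes "
                   r"\[[^\]]*\] \[[^\]]*\] (?P<md5>[0-9A-Fa-f]{32})$")
LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit$")
MISSING_RE = re.compile(r"^Attention! (?P<path>[A-Za-z]:\\.+?) is missing\.$")
DETAIL_RE = re.compile(r"^\[[^\]]*\] - \[[^\]]*\] - (?P<size>\d+) \S+ "
                       r"\([^)]*\) (?P<md5>[0-9A-Fa-f]{32})$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")


def parse_systemlook(log):
    """Map lowercased file name -> [(path, size, md5), ...] from filefind lines."""
    store = {}
    for raw in log.splitlines():
        m = SL_RE.match(raw.strip())
        if m:
            store.setdefault(basename(m["path"]).lower(), []).append(
                (m["path"], int(m["size"]), m["md5"].upper()))
    return store


def parse_fss_file_check(log):
    """Return one dict per file: path, status (legit/missing/unverified), size, md5."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = LEGIT_RE.match(line) or MISSING_RE.match(line)
        if m:
            status = "legit" if "MD5 is legit" in line else "missing"
            entries.append({"path": m["path"], "status": status,
                            "size": None, "md5": None})
            continue
        m = DETAIL_RE.match(line)
        if m and entries and entries[-1]["status"] == "unverified" \
                and entries[-1]["md5"] is None:
            # Detail line belongs to the bare path printed just above it.
            entries[-1].update(size=int(m["size"]), md5=m["md5"].upper())
            continue
        if PATH_RE.match(line):
            # A path without "=> MD5 is legit": FSS did not recognise the hash.
            entries.append({"path": line, "status": "unverified",
                            "size": None, "md5": None})
    return entries


def assess(fss_entries, store):
    """Compare each unverified file with the component-store copies of the same name."""
    verdicts = {}
    for e in fss_entries:
        if e["status"] != "unverified":
            verdicts[e["path"]] = e["status"]
            continue
        copies = store.get(basename(e["path"]).lower(), [])
        if e["md5"] is None:
            verdict = "unverified-no-hash"
        elif not copies:
            verdict = "unverified-no-reference"
        elif any(size == e["size"] and md5 == e["md5"] for _, size, md5 in copies):
            verdict = "matches-component-store"
        else:
            verdict = "differs-from-component-store"
        verdicts[e["path"]] = verdict
    return verdicts


if __name__ == "__main__":
    results = assess(parse_fss_file_check(FSS_FILE_CHECK),
                     parse_systemlook(SYSTEMLOOK_LOG))
    for path, verdict in results.items():
        print(f"{verdict:30} {path}")
```

A match only shows the file equals what the same machine reports for its own store; on a host that may still be infected, both readings can be tampered with, so a mismatch is the more reliable signal.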

 


#6 nilla1989

Posted 28 December 2011 - 10:37 PM

Hi Broni,

I can't download Avast! on my infected computer given the lack of internet, so I tried to hit "yes" on this uninfected computer and thought the virus definitions would transfer over. They didn't, but I ran it anyways (log below). Is there another way I can get the virus definitions on one computer and transfer them to another?


aswMBR version 0.9.9.1120 Copyright© 2011 AVAST Software
Run date: 2011-12-28 22:28:55
-----------------------------
22:28:55.533 OS Version: Windows 6.1.7601 Service Pack 1
22:28:55.533 Number of processors: 2 586 0x301
22:28:55.543 ComputerName: WILLA-PC UserName: Willa
22:28:56.273 Initialize success
22:29:04.051 AVAST engine download error: 0
22:29:07.351 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
22:29:07.351 Disk 0 Vendor: WDC_WD1600BEVS-26VAT0 11.01A11 Size: 152627MB BusType: 11
22:29:09.371 Disk 0 MBR read successfully
22:29:09.371 Disk 0 MBR scan
22:29:09.371 Disk 0 Windows 7 default MBR code
22:29:09.421 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
22:29:09.441 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 145086 MB offset 3074048
22:29:09.471 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 6040 MB offset 300210176
22:29:09.481 Disk 0 scanning sectors +312580096
22:29:09.531 Disk 0 scanning C:\Windows\system32\drivers
22:29:24.911 Service scanning
22:29:27.231 Modules scanning
22:29:37.521 Disk 0 trace - called modules:
22:29:37.551 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
22:29:37.561 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86586030]
22:29:37.571 3 CLASSPNP.SYS[8954559e] -> nt!IofCallDriver -> [0x863dcc10]
22:29:37.581 5 ACPI.sys[88c133d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x863cc030]
22:29:37.591 Scan finished successfully
22:34:33.012 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
22:34:33.042 The log file has been saved successfully to "E:\aswMBR.txt"

#7 Broni

Posted 28 December 2011 - 10:40 PM

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#8 nilla1989

Posted 28 December 2011 - 11:30 PM

Scan done and below!

Also, when I went in to disable my Windows Firewall, I clicked "Used recommended settings" just to see if it would give me a menu or something. Instead, it said "Windows Firewall can't change some of your settings. Error code 0x80070424." Not sure if that's relevant, but btw if it helps!

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-28 23:26:11
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD1600BEVS-26VAT0 rev.11.01A11
Running: gmer.exe; Driver: C:\Users\Willa\AppData\Local\Temp\uwloqpob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x88E43098]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x88E430C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x88E430AE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x88E43084]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 834445C5 5 Bytes JMP 88E43088 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKey + 13D1 83456369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8348FD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!NtMapViewOfSection 8365F452 7 Bytes JMP 88E4309C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 83673A7D 5 Bytes JMP 88E430C6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8367D6FA 5 Bytes JMP 88E430B2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8EA0F000, 0x2D5378, 0xE8000020]
PAGE peauth.sys 9EC16B9B 72 Bytes [60, FF, 59, E8, 25, 7E, A4, ...]
? C:\Windows\TEMP\mc27666.tmp The system cannot find the file specified. !
? C:\Users\Willa\AppData\Local\Temp\aswMBR.sys The system cannot find the file specified. !
.text autochk.exe 004511D1 24 Bytes [8B, E5, 5D, C3, CC, CC, CC, ...]
.text autochk.exe 004511EA 2 Bytes [64, A1]
.text autochk.exe 004511F0 8 Bytes [50, 83, EC, 08, A1, A0, D4, ...]
.text autochk.exe 004511F9 8 Bytes [33, C5, 50, 8D, 45, F4, 64, ...]
.text autochk.exe 00451204 18 Bytes [00, 89, 4D, EC, 8B, 45, EC, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[528] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 00150000
.text C:\Windows\system32\services.exe[528] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 00150011
.text C:\Windows\system32\services.exe[528] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 00150FE5
.text C:\Windows\system32\services.exe[528] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 001D0F3C
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 001D0EFF
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 001D0094
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 001D0F9E
.text C:\Windows\system32\services.exe[528] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 001D0F68
.text C:\Windows\system32\services.exe[528] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 001D0036
.text C:\Windows\system32\services.exe[528] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 001D0F79
.text C:\Windows\system32\services.exe[528] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 001D0EEE
.text C:\Windows\system32\services.exe[528] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 001D000A
.text C:\Windows\system32\services.exe[528] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 001D0F2B
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 001D0FD4
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 001D0FEF
.text C:\Windows\system32\services.exe[528] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 001D0025
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 001D0F4D
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 001D0FB9
.text C:\Windows\system32\services.exe[528] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 001D0F1A
.text C:\Windows\system32\services.exe[528] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 001D005B
.text C:\Windows\system32\services.exe[528] msvcrt.dll!_open 75F77E48 5 Bytes JMP 00160000
.text C:\Windows\system32\services.exe[528] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 00160FD2
.text C:\Windows\system32\services.exe[528] msvcrt.dll!system 75FAB16F 5 Bytes JMP 0016005D
.text C:\Windows\system32\services.exe[528] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 00160027
.text C:\Windows\system32\services.exe[528] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 00160042
.text C:\Windows\system32\services.exe[528] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 00160FEF
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 001C0000
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 001C0FB6
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 001C0058
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 001C003D
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 001C0FE5
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 001C0069
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 001C0022
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 001C0011
.text C:\Windows\system32\services.exe[528] WS2_32.dll!socket 777C3EB8 5 Bytes JMP 001E0000
.text C:\Windows\system32\lsass.exe[536] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 00200FE5
.text C:\Windows\system32\lsass.exe[536] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 00200FD4
.text C:\Windows\system32\lsass.exe[536] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 00200000
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 001F0073
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 001F0F0A
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 001F009F
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 001F000A
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 001F0051
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 001F002F
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 001F0040
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 001F0EEF
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 001F0F9E
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 001F0F39
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 001F0FD4
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 001F0FE5
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 001F0F8D
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 001F0062
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 001F0FB9
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 001F008E
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 001F0F5E
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!_open 75F77E48 5 Bytes JMP 00210FE3
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 00210F9C
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!system 75FAB16F 5 Bytes JMP 00210FB7
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 0021001D
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 00210FC8
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 00210000
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 00220000
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 00220FC7
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 00220058
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 00220FB6
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 0022001B
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 00220073
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 0022003D
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 0022002C
.text C:\Windows\system32\lsass.exe[536] WS2_32.dll!socket 777C3EB8 5 Bytes JMP 005D0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 00540000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 0054002C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 0054001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 003F009B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 003F00E2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 003F0F4D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 003F002F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 003F005E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 003F0FA1
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 003F0F86
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 003F0F32
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 003F0FC3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 003F00B6
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 003F0FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 003F0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 003F0FB2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 003F008A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 003F0014
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 003F00C7
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 003F006F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] msvcrt.dll!_open 75F77E48 5 Bytes JMP 0055000C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 00550FDB
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] msvcrt.dll!system 75FAB16F 5 Bytes JMP 00550066
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 00550044
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 00550055
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 0055001D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 003D0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 003D0025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 003D0040
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 003D0F9E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 003D0FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 003D0F83
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 003D0014
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 003D0FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[608] WS2_32.dll!socket 777C3EB8 5 Bytes JMP 00560FEF
.text C:\Windows\system32\svchost.exe[644] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 00230FE5
.text C:\Windows\system32\svchost.exe[644] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 00230011
.text C:\Windows\system32\svchost.exe[644] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 00230000
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 002100AC
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 00210104
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 002100E9
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 00210FD4
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 00210087
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 0021006C
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 00210FA5
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 00210F54
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 00210040
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 002100C7
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 00210FE5
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 00210000
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 0021005B
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 00210F83
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 00210025
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 002100D8
.text C:\Windows\system32\svchost.exe[644] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 00210F94
.text C:\Windows\system32\svchost.exe[644] msvcrt.dll!_open 75F77E48 5 Bytes JMP 00240FEF
.text C:\Windows\system32\svchost.exe[644] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 00240FB9
.text C:\Windows\system32\svchost.exe[644] msvcrt.dll!system 75FAB16F 5 Bytes JMP 00240044
.text C:\Windows\system32\svchost.exe[644] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 00240018
.text C:\Windows\system32\svchost.exe[644] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 00240033
.text C:\Windows\system32\svchost.exe[644] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 00240FDE
.text C:\Windows\system32\svchost.exe[644] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 00250FE5
.text C:\Windows\system32\svchost.exe[644] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 00250F94
.text C:\Windows\system32\svchost.exe[644] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 00250F79
.text C:\Windows\system32\svchost.exe[644] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 0025001B
.text C:\Windows\system32\svchost.exe[644] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 00250000
.text C:\Windows\system32\svchost.exe[644] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 0025002C
.text C:\Windows\system32\svchost.exe[644] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 00250FA5
.text C:\Windows\system32\svchost.exe[644] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 00250FCA
.text C:\Windows\system32\svchost.exe[644] WS2_32.dll!socket 777C3EB8 5 Bytes JMP 00260000
.text C:\Windows\system32\svchost.exe[756] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 00390FEF
.text C:\Windows\system32\svchost.exe[756] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 00390FCA
.text C:\Windows\system32\svchost.exe[756] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 00390000
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 00380F35
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 0038008A
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 00380079
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 00380FB2
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 00380043
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 00380F86
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 00380F6B
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 003800A5
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 00380028
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 00380F24
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 00380FDE
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 00380FEF
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 00380FA1
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 00380F50
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 00380FC3
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 00380EFF
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 00380054
.text C:\Windows\system32\svchost.exe[756] msvcrt.dll!_open 75F77E48 5 Bytes JMP 006B0000
.text C:\Windows\system32\svchost.exe[756] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 006B0F88
.text C:\Windows\system32\svchost.exe[756] msvcrt.dll!system 75FAB16F 5 Bytes JMP 006B001D
.text C:\Windows\system32\svchost.exe[756] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 006B0FD2
.text C:\Windows\system32\svchost.exe[756] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 006B0FAD
.text C:\Windows\system32\svchost.exe[756] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 006B0FE3
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 006C0FE5
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 006C002C
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 006C0F8A
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 006C0FA5
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 006C0000
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 006C0F65
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 006C0FCA
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 006C001B
.text C:\Windows\system32\svchost.exe[756] WS2_32.dll!socket 777C3EB8 5 Bytes JMP 007E0FEF
.text C:\Windows\System32\svchost.exe[888] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 00BB0FEF
.text C:\Windows\System32\svchost.exe[888] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 00BB0FCD
.text C:\Windows\System32\svchost.exe[888] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 00BB0FDE
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 00AC0F5E
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 00AC0098
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 00AC0F03
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 00AC002C
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 00AC0062
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 00AC0051
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 00AC0F8A
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 00AC0EE8
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 00AC0FCA
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 00AC0F39
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 00AC001B
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 00AC000A
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 00AC0FAF
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 00AC0F6F
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 00AC0FE5
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 00AC0F28
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 00AC0087
.text C:\Windows\System32\svchost.exe[888] msvcrt.dll!_open 75F77E48 5 Bytes JMP 00BC0000
.text C:\Windows\System32\svchost.exe[888] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 00BC0FB5
.text C:\Windows\System32\svchost.exe[888] msvcrt.dll!system 75FAB16F 5 Bytes JMP 00BC0FC6
.text C:\Windows\System32\svchost.exe[888] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 00BC002C
.text C:\Windows\System32\svchost.exe[888] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 00BC0FD7
.text C:\Windows\System32\svchost.exe[888] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 00BC0011
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 01020000
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 01020033
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 01020FA2
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 0102004E
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 01020011
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 0102005F
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 01020022
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 01020FDB
.text C:\Windows\System32\svchost.exe[888] WS2_32.dll!socket 777C3EB8 5 Bytes JMP 01070000
.text C:\Windows\System32\svchost.exe[944] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 00B20000
.text C:\Windows\System32\svchost.exe[944] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 00B20FDB
.text C:\Windows\System32\svchost.exe[944] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 00B20011
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 00B1008A
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 00B10F10
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 00B100A5
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 00B1001B
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 00B10F8D
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 00B10051
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 00B10F9E
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 00B10EFF
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 00B1002C
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 00B10F3C
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 00B1000A
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 00B10FEF
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 00B10FAF
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 00B10F61
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 00B10FD4
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 00B10F2B
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 00B10F72
.text C:\Windows\System32\svchost.exe[944] msvcrt.dll!_open 75F77E48 5 Bytes JMP 00B30000
.text C:\Windows\System32\svchost.exe[944] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 00B30049
.text C:\Windows\System32\svchost.exe[944] msvcrt.dll!system 75FAB16F 5 Bytes JMP 00B30FC8
.text C:\Windows\System32\svchost.exe[944] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 00B30027
.text C:\Windows\System32\svchost.exe[944] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 00B30038
.text C:\Windows\System32\svchost.exe[944] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 00B30FEF
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 00B4000A
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 00B4002C
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 00B40FAF
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 00B40051
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 00B40FE5
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 00B40F94
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 00B40FC0
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 00B4001B
.text C:\Windows\System32\svchost.exe[944] WS2_32.dll!socket 777C3EB8 5 Bytes JMP 00EA0000
.text C:\Windows\system32\svchost.exe[992] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 00610FEF
.text C:\Windows\system32\svchost.exe[992] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 0061000A
.text C:\Windows\system32\svchost.exe[992] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 00610FDE
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 003F0076
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 003F0F10
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 003F0F21
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 003F0FC0
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 003F0F68
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 003F0F94
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 003F0F83
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 003F0EF5
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 003F002C
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 003F0F32
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 003F0FE5
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 003F000A
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 003F0FAF
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 003F0F4D
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 003F001B
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 003F0091
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 003F005B
.text C:\Windows\system32\svchost.exe[992] msvcrt.dll!_open 75F77E48 5 Bytes JMP 00620FEF
.text C:\Windows\system32\svchost.exe[992] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 00620F7C
.text C:\Windows\system32\svchost.exe[992] msvcrt.dll!system 75FAB16F 5 Bytes JMP 00620FA1
.text C:\Windows\system32\svchost.exe[992] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 00620011
.text C:\Windows\system32\svchost.exe[992] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 00620FBC
.text C:\Windows\system32\svchost.exe[992] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 00620000
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 00AC0000
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 00AC002C
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 00AC0F9B
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 00AC003D
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 00AC0FDB
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 00AC0F8A
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 00AC001B
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 00AC0FCA
.text C:\Windows\system32\svchost.exe[992] WS2_32.dll!socket 777C3EB8 5 Bytes JMP 00AD0FEF
.text C:\Windows\system32\svchost.exe[1132] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 002D0000
.text C:\Windows\system32\svchost.exe[1132] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 002D0025
.text C:\Windows\system32\svchost.exe[1132] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 002D0FEF
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 002C00CE
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 002C0F6F
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 002C0104
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 002C0047
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 002C0FC0
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 002C0098
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 002C0FD1
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 002C011F
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 002C0062
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 002C0F8A
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 002C001B
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 002C0000
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 002C0073
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 002C0F9B
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 002C002C
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 002C00E9
.text C:\Windows\system32\svchost.exe[1132] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 002C00A9
.text C:\Windows\system32\svchost.exe[1132] msvcrt.dll!_open 75F77E48 5 Bytes JMP 002E0FEF
.text C:\Windows\system32\svchost.exe[1132] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 002E0031
.text C:\Windows\system32\svchost.exe[1132] msvcrt.dll!system 75FAB16F 5 Bytes JMP 002E0020
.text C:\Windows\system32\svchost.exe[1132] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 002E0FC1
.text C:\Windows\system32\svchost.exe[1132] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 002E0FA6
.text C:\Windows\system32\svchost.exe[1132] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 002E0FD2
.text C:\Windows\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 002F0000
.text C:\Windows\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 002F0FCA
.text C:\Windows\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 002F0062
.text C:\Windows\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 002F0051
.text C:\Windows\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 002F001B
.text C:\Windows\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 002F007D
.text C:\Windows\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 002F0FDB
.text C:\Windows\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 002F0036
.text C:\Windows\system32\svchost.exe[1132] WS2_32.dll!socket 777C3EB8 5 Bytes JMP 00440FEF
.text C:\Windows\System32\svchost.exe[1512] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 00580FEF
.text C:\Windows\System32\svchost.exe[1512] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 0058001B
.text C:\Windows\System32\svchost.exe[1512] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 00580000
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 0047008E
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 004700DF
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 004700CE
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 00470FD1
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 00470F8A
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 00470051
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 00470062
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 004700F0
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 00470FC0
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 004700A9
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 00470011
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 00470000
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 00470FAF
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 0047007D
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 00470022
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 00470F54
.text C:\Windows\System32\svchost.exe[1512] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 00470F6F
.text C:\Windows\System32\svchost.exe[1512] msvcrt.dll!_open 75F77E48 5 Bytes JMP 00590FEF
.text C:\Windows\System32\svchost.exe[1512] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 00590F7A
.text C:\Windows\System32\svchost.exe[1512] msvcrt.dll!system 75FAB16F 5 Bytes JMP 00590F8B
.text C:\Windows\System32\svchost.exe[1512] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 00590FC1
.text C:\Windows\System32\svchost.exe[1512] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 00590FA6
.text C:\Windows\System32\svchost.exe[1512] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 00590FDE
.text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 005A0000
.text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 005A0FC7
.text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 005A0FA2
.text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 005A004E
.text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 005A0011
.text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 005A0F91
.text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 005A003D
.text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 005A002C
.text C:\Windows\System32\svchost.exe[1512] WS2_32.dll!socket 777C3EB8 5 Bytes JMP 005B0FE5
.text C:\Windows\System32\svchost.exe[1632] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 00AB0000
.text C:\Windows\System32\svchost.exe[1632] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 00AB0FC0
.text C:\Windows\System32\svchost.exe[1632] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 00AB0FE5
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 00AA009E
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 00AA0F35
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 00AA0F46
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 00AA0036
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 00AA0F97
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 00AA0065
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 00AA0FA8
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 00AA00E5
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 00AA0FD4
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 00AA00B9
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 00AA0FE5
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 00AA0000
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 00AA0FC3
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 00AA0F6B
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!CreateNamedPipeA 771EDBA8 3 Bytes JMP 00AA001B
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!CreateNamedPipeA + 4 771EDBAC 1 Byte [89]
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!WinExec 771EEDB2 3 Bytes JMP 00AA00CA
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!WinExec + 4 771EEDB6 1 Byte [89]
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!VirtualProtectEx 771EFD51 3 Bytes JMP 00AA0F86
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!VirtualProtectEx + 4 771EFD55 1 Byte [89]
.text C:\Windows\System32\svchost.exe[1632] msvcrt.dll!_open 75F77E48 5 Bytes JMP 00AD0FEF
.text C:\Windows\System32\svchost.exe[1632] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 00AD0049
.text C:\Windows\System32\svchost.exe[1632] msvcrt.dll!system 75FAB16F 5 Bytes JMP 00AD0038
.text C:\Windows\System32\svchost.exe[1632] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 00AD000C
.text C:\Windows\System32\svchost.exe[1632] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 00AD001D
.text C:\Windows\System32\svchost.exe[1632] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 00AD0FD2
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 00AE0FEF
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 00AE0025
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 00AE0F8D
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 00AE0F9E
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 00AE000A
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 00AE004A
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 00AE0FB9
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 00AE0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 02210000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 02210022
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 02210011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 02200079
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 022000B9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 0220009E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 02200036
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 02200F86
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 02200FA8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 02200F97
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 022000D4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 02200FCA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 02200F35
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 0220001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 0220000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 02200FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 02200F50
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 02200FDB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 02200F24
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 02200F6B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] msvcrt.dll!_open 75F77E48 5 Bytes JMP 0222000C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 02220FCD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] msvcrt.dll!system 75FAB16F 5 Bytes JMP 02220FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 0222003A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 02220FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 0222001D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 01AD0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 01AD0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 01AD0076
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 01AD005B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 01AD0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 01AD0FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 01AD0040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 01AD002F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] WS2_32.dll!socket 777C3EB8 5 Bytes JMP 02230FEF
.text C:\Windows\system32\svchost.exe[2264] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 002E0000
.text C:\Windows\system32\svchost.exe[2264] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 002E0FDE
.text C:\Windows\system32\svchost.exe[2264] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 002E0FEF
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 00280F6B
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 002800DB
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 002800CA
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 00280FC3
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 0028006F
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 0028004A
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 00280F97
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 002800F6
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 0028002F
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 002800AF
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 00280FEF
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 0028000A
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 00280FB2
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 00280F7C
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 00280FD4
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 00280F50
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 00280080
.text C:\Windows\system32\svchost.exe[2264] msvcrt.dll!_open 75F77E48 5 Bytes JMP 002F0000
.text C:\Windows\system32\svchost.exe[2264] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 002F0F9A
.text C:\Windows\system32\svchost.exe[2264] msvcrt.dll!system 75FAB16F 5 Bytes JMP 002F0FAB
.text C:\Windows\system32\svchost.exe[2264] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 002F0FC6
.text C:\Windows\system32\svchost.exe[2264] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 002F001B
.text C:\Windows\system32\svchost.exe[2264] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 002F0FD7
.text C:\Windows\system32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 00120FE5
.text C:\Windows\system32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 00120025
.text C:\Windows\system32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 00120F94
.text C:\Windows\system32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 00120036
.text C:\Windows\system32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 00120FCA
.text C:\Windows\system32\svchost.exe[2264] ADVAPI32.dll!RegCrea

#9 Broni

Posted 28 December 2011 - 11:44 PM

I assume more is coming?


#10 nilla1989

Posted 28 December 2011 - 11:53 PM

Oops sorry! Didn't realize I left some out:


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000006e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00116773b757
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00116773b757 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB24790$\1826688055 0 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\@ 2048 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\bckfg.tmp 845 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\cfg.ini 199 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\keywords 281 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\L 0 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\L\xadqgnnk 74752 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\U 0 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\U\80000000.@ 11264 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\U\80000032.@ 97792 bytes
File C:\Windows\$NtUninstallKB24790$\2570630969 0 bytes

---- EOF - GMER 1.0.15 ----

#11 Broni

Posted 28 December 2011 - 11:59 PM

I believe you'll need more advanced help.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


#12 nilla1989

Posted 29 December 2011 - 12:06 AM

Ok, will follow the steps and post here when completed.

Also wondering what in the log tells you that this is a more serious problem?

Thanks for all your help Broni!

#13 nilla1989

Posted 29 December 2011 - 12:34 AM

As suggested, guide followed and new topic posted here.



