
Win 7 security and Google redirect malware removed - no internet upon restarting computer


  • This topic is locked
2 replies to this topic

#1 nilla1989

  • Members
  • 8 posts

Posted 29 December 2011 - 12:32 AM

Hi All,

Noted that I had the Win 7 security bug and fixed it using MBAM. Also, noted Google re-directing once the Win 7 security disappeared. After that, ran Kaspersky Anti-virus and came up with an issue the Google re-directing was also resolved. Uninstalled McAfee (my original anti-virus protection before all this happened) and downloaded most recent version with a clean install. Throughout all this, hadn't restarted my computer. Finally did and now it says Connected to my wifi, but "No Internet access." Currently typing and posting on another laptop connected to the same wifi.

Infected laptop running Windows 7 Professional with Service Pack 1.

Found similar topic with similar problem here on the forums (topic433982) and I followed through with the first through posts. The FSS log is EXACTLY the same. The SystemLook log is different. I continued with several more steps which are documented in another topic here: (bleepingcomputer.com/forums/topic435065.html/page__gopid__2528144#entry2528144). Then, I was instructed to follow the preparation guide, hence this post! DDS and GMER logs below and attached:

DDS:


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_27
Run by Willa at 0:10:49 on 2011-12-29
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1790.462 [GMT -5:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Outdated* {3D54B793-665E-3129-9103-206115370C8A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Applied Biosystems\StepOne Software v2.0\bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\FsUsbExService.Exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Windows\system32\lkads.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Windows\system32\conhost.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\National Instruments\Shared\NI WebServer\SystemWebServer.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\Windows\system32\taskhost.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\lkcitdl.exe
C:\Windows\system32\lktsrv.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Windows\Explorer.EXE
C:\Program Files\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Windows\system32\nipxism.exe
C:\Windows\system32\nipalsm.exe
C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\National Instruments\Shared\NI Network Discovery\niDiscSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\vVX3000.exe
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Windows\P1370Mon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\National Instruments\Shared\NI Error Reporting\nierserver.exe
C:\Users\Willa\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=Z022&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111227003203.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
uRun: [Google Update] "c:\users\willa\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NPSStartup]
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [etMonitor] c:\windows\etMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [NI Update Service] "c:\program files\national instruments\shared\update service\NIUpdateService.exe" -startupTask
mRun: [niDevMon] c:\program files\national instruments\ni-daq\hwconfig\nidevmon.exe
mRun: [P1370Mon.exe] c:\windows\P1370Mon.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
StartupFolder: c:\users\willa\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\willa\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\willa\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\users\willa\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\willa\appdata\local\temp\_uninst_08437540.bat
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\nierro~1.lnk - c:\program files\national instruments\shared\ni error reporting\nierserver.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: DhcpNameServer = 208.77.2.11 207.200.7.21 192.168.1.254
TCP: Interfaces\{BAB0445A-1879-4384-88A3-7A2E013C268E} : DhcpNameServer = 208.77.2.11 207.200.7.21 192.168.1.254
TCP: Interfaces\{BAB0445A-1879-4384-88A3-7A2E013C268E}\4575545444 : DhcpNameServer = 10.1.10.1
TCP: Interfaces\{BAB0445A-1879-4384-88A3-7A2E013C268E}\744577962756C6563737 : DhcpNameServer = 128.61.244.254 130.207.244.244 130.207.244.251
TCP: Interfaces\{CBC18C82-68AB-4B34-A8E2-0EEB3AC5CF47} : DhcpNameServer = 4.2.2.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\willa\application data\mozilla\firefox\profiles\lmg4vpv0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com//search?hl=en-GB&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npEModelPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npIMAQAXControl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nplv2010win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nplv2011win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nplv85win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nplv86win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nplv90win32.dll
FF - plugin: c:\users\willa\appdata\local\e-academy inc\mozilla\firefox\plugins\npHostSdmLoader.dll
FF - plugin: c:\users\willa\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\users\willa\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\willa\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-12-27 436728]
R0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-12-27 162928]
R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2010-3-24 15448]
R0 nipxibaf;National Instruments PXI Bridge Access Driver;c:\windows\system32\drivers\nipxibaf.sys [2011-4-8 58504]
R0 nipxibrc;National Instruments PXI Bridge Configuration Driver;c:\windows\system32\drivers\nipxibrc.sys [2011-4-8 42136]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-10-5 65584]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-10-24 238952]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-26 366152]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-1-12 120128]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-27 159320]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2011-1-12 209760]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-27 145936]
R2 NIApplicationWebServer;NI Application Web Server;c:\program files\national instruments\shared\ni webserver\ApplicationWebServer.exe [2011-5-27 50336]
R2 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [2010-3-24 12696]
R2 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\ivi foundation\visa\winnt\nivisa\niLxiDiscovery.exe [2011-6-19 233664]
R2 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\national instruments\shared\mdns responder\nimdnsResponder.exe [2011-6-1 194224]
R2 NINetworkDiscovery;NI Network Discovery;c:\program files\national instruments\shared\ni network discovery\niDiscSvc.exe [2011-6-10 121032]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [2011-7-7 11928]
R2 nistreamk;nistreamk;c:\windows\system32\drivers\nistreamkl.sys [2011-6-13 19608]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2011-6-19 11944]
R2 Remote Solver for Flow Simulation 2010;Remote Solver for Flow Simulation 2010;c:\program files\solidworks corp\solidworks flow simulation\bincfw\StandAloneSlv.exe [2010-10-6 71432]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2011-7-22 641976]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-10-24 36608]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2010-8-21 7168]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-26 22216]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-12-27 171296]
R3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [2011-7-1 11944]
R3 NIEthernetDeviceEnumerator;NI Ethernet Device Enumerator Driver;c:\windows\system32\drivers\niede.sys [2010-6-15 32432]
R3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [2011-7-1 11944]
R3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [2011-7-12 11944]
R3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2011-6-19 11944]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\solidworks corp\solidworks\swscheduler\DTSCoordinatorService.exe [2010-12-2 87336]
S3 DCamUSBET;ET USB 2760 Camera;c:\windows\system32\drivers\etDevice.sys [2007-7-20 471808]
S3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\drivers\etFilter.sys [2007-6-14 201216]
S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [2008-12-5 20104]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-12-27 58456]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-27 85152]
S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [2011-4-8 26192]
S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [2011-4-8 11344]
S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [2011-4-8 22608]
S3 nicdcck;nicdcck;c:\windows\system32\drivers\nicdcckl.sys [2011-7-18 11928]
S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [2010-8-12 11352]
S3 nicmrk;nicmrk;c:\windows\system32\drivers\nicmrkl.sys [2011-7-19 11952]
S3 nicondrk;nicondrk;c:\windows\system32\drivers\nicondrkl.sys [2011-7-19 11912]
S3 nicsrk;nicsrk;c:\windows\system32\drivers\nicsrkl.sys [2011-7-19 11920]
S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [2011-7-12 11920]
S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [2011-7-19 11928]
S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [2011-7-19 11920]
S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [2011-7-18 11920]
S3 nifslk;nifslk;c:\windows\system32\drivers\nifslkl.sys [2011-7-12 11936]
S3 niimaqdxk;niimaqdxk;c:\windows\system32\drivers\niimaqdxkl.sys [2011-8-31 11384]
S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [2011-7-12 11976]
S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [2011-7-12 11952]
S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [2011-5-17 11944]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2011-6-29 11968]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2011-6-29 11968]
S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [2011-7-7 21144]
S3 niraptrk;niraptrk;c:\windows\system32\drivers\niraptrkl.sys [2011-7-19 11912]
S3 NiRioRpc;National Instruments RIO Server;c:\windows\system32\NiRioRpc.exe [2011-6-21 30344]
S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [2010-7-12 11960]
S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [2011-7-18 11936]
S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [2011-7-8 11928]
S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [2010-7-12 11960]
S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [2011-7-18 11920]
S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [2009-1-5 11312]
S3 nistc3rk;nistc3rk;c:\windows\system32\drivers\nistc3rkl.sys [2011-7-18 11912]
S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [2011-7-18 11944]
S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [2011-7-20 11912]
S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [2011-7-18 11944]
S3 niufurk;niufurk;c:\windows\system32\drivers\niufurkl.sys [2011-7-19 11944]
S3 niufurkw;niufurkw;c:\windows\system32\drivers\niufurkw.sys [2011-7-19 11944]
S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [2011-7-18 11920]
S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [2011-7-19 11920]
S3 nixsrkw;nixsrkw;c:\windows\system32\drivers\nixsrkw.sys [2011-7-19 11920]
S3 P1370Afx;PD1370 Audio Effects Filter Driver;c:\windows\system32\drivers\P1370Afx.sys [2011-12-6 143136]
S3 P1370Aud;Creative WebCam Audio Control;c:\windows\system32\drivers\P1370Aud.sys [2011-12-6 93056]
S3 P1370Aul;PD1370 Lower Filter Driver;c:\windows\system32\drivers\P1370Aul.sys [2011-12-6 4992]
S3 P1370Vfx;P1370Vfx;c:\windows\system32\drivers\P1370Vfx.sys [2011-12-6 7424]
S3 P1370VID;Live! Cam Voice;c:\windows\system32\drivers\P1370Vid.sys [2011-12-6 297888]
S3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\drivers\etScan.sys [2007-7-23 6656]
S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [2010-10-25 98560]
S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [2010-10-25 14848]
S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [2010-10-25 123648]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-1 52224]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-21 1343400]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
.
=============== Created Last 30 ================
.
2011-12-29 02:05:10 74277 ----a-w- c:\windows\system32\drivers\tdx.sys
2011-12-27 05:32:04 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
2011-12-27 05:32:03 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-12-27 05:32:03 24376 ----a-w- c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
2011-12-27 05:32:02 85152 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-12-27 05:32:02 58456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-12-27 05:32:02 171296 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-12-27 05:32:02 116104 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-12-27 05:32:00 436728 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-12-27 05:32:00 162928 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-12-27 05:32:00 145936 ----a-w- c:\windows\system32\mfevtps.exe
2011-12-27 05:31:32 -------- d-----w- c:\program files\common files\McAfee
2011-12-27 04:21:43 -------- d-----w- c:\programdata\Kaspersky Lab
2011-12-26 23:42:37 -------- d-----w- c:\programdata\Malwarebytes
2011-12-26 23:42:32 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-26 23:42:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-26 20:32:17 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2a713a44-90d9-4282-864c-5a02382520d1}\mpengine.dll
2011-12-15 14:44:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-15 14:44:01 981504 ----a-w- c:\windows\system32\wininet.dll
2011-12-15 14:43:56 163328 ----a-w- c:\program files\internet explorer\ieproxy.dll
2011-12-15 14:43:46 860672 ----a-w- c:\program files\internet explorer\iedvtool.dll
2011-12-15 14:42:42 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-15 14:41:40 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-15 14:41:21 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-15 14:35:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-15 14:32:35 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-15 14:32:34 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-07 04:48:32 24576 ----a-w- c:\windows\system32\P1370Aor.dll
2011-12-01 19:11:38 -------- d-----w- c:\users\willa\appdata\local\assembly
.
==================== Find3M ====================
.
2011-12-27 05:31:37 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
.
============= FINISH: 0:11:27.46 ===============

GMER Log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-28 23:26:11
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD1600BEVS-26VAT0 rev.11.01A11
Running: gmer.exe; Driver: C:\Users\Willa\AppData\Local\Temp\uwloqpob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x88E43098]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x88E430C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x88E430AE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x88E43084]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 834445C5 5 Bytes JMP 88E43088 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKey + 13D1 83456369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8348FD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!NtMapViewOfSection 8365F452 7 Bytes JMP 88E4309C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 83673A7D 5 Bytes JMP 88E430C6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8367D6FA 5 Bytes JMP 88E430B2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8EA0F000, 0x2D5378, 0xE8000020]
PAGE peauth.sys 9EC16B9B 72 Bytes [60, FF, 59, E8, 25, 7E, A4, ...]
? C:\Windows\TEMP\mc27666.tmp The system cannot find the file specified. !
? C:\Users\Willa\AppData\Local\Temp\aswMBR.sys The system cannot find the file specified. !
.text autochk.exe 004511D1 24 Bytes [8B, E5, 5D, C3, CC, CC, CC, ...]
.text autochk.exe 004511EA 2 Bytes [64, A1]
.text autochk.exe 004511F0 8 Bytes [50, 83, EC, 08, A1, A0, D4, ...]
.text autochk.exe 004511F9 8 Bytes [33, C5, 50, 8D, 45, F4, 64, ...]
.text autochk.exe 00451204 18 Bytes [00, 89, 4D, EC, 8B, 45, EC, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[528] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 00150000
.text C:\Windows\system32\services.exe[528] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 00150011
.text C:\Windows\system32\services.exe[528] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 00150FE5
.text C:\Windows\system32\services.exe[528] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 001D0F3C
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 001D0EFF
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 001D0094
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 001D0F9E
.text C:\Windows\system32\services.exe[528] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 001D0F68
.text C:\Windows\system32\services.exe[528] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 001D0036
.text C:\Windows\system32\services.exe[528] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 001D0F79
.text C:\Windows\system32\services.exe[528] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 001D0EEE
.text C:\Windows\system32\services.exe[528] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 001D000A
.text C:\Windows\system32\services.exe[528] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 001D0F2B
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 001D0FD4
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 001D0FEF
.text C:\Windows\system32\services.exe[528] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 001D0025
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 001D0F4D
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 001D0FB9
.text C:\Windows\system32\services.exe[528] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 001D0F1A
.text C:\Windows\system32\services.exe[528] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 001D005B
.text C:\Windows\system32\services.exe[528] msvcrt.dll!_open 75F77E48 5 Bytes JMP 00160000
.text C:\Windows\system32\services.exe[528] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 00160FD2
.text C:\Windows\system32\services.exe[528] msvcrt.dll!system 75FAB16F 5 Bytes JMP 0016005D
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 00AE000A
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 00AE004A
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 00AE0FB9
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 00AE0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 02210000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 02210022
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 02210011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 02200079
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 022000B9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 0220009E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 02200036
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 02200F86
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 02200FA8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 02200F97
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 022000D4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 02200FCA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 02200F35
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 0220001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 0220000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 02200FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 02200F50
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 02200FDB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 02200F24
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 02200F6B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] msvcrt.dll!_open 75F77E48 5 Bytes JMP 0222000C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 02220FCD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] msvcrt.dll!system 75FAB16F 5 Bytes JMP 02220FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 0222003A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 02220FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 0222001D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 01AD0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 01AD0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 01AD0076
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 01AD005B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 01AD0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 01AD0FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 01AD0040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 01AD002F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1772] WS2_32.dll!socket 777C3EB8 5 Bytes JMP 02230FEF
.text C:\Windows\system32\svchost.exe[2264] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 002E0000
.text C:\Windows\system32\svchost.exe[2264] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 002E0FDE
.text C:\Windows\system32\svchost.exe[2264] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 002E0FEF
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 00280F6B
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 002800DB
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 002800CA
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 00280FC3
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 0028006F
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 0028004A
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 00280F97
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 002800F6
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 0028002F
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 002800AF
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 00280FEF
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 0028000A
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 00280FB2
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 00280F7C
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 00280FD4
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 00280F50
.text C:\Windows\system32\svchost.exe[2264] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 00280080
.text C:\Windows\system32\svchost.exe[2264] msvcrt.dll!_open 75F77E48 5 Bytes JMP 002F0000
.text C:\Windows\system32\svchost.exe[2264] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 002F0F9A
.text C:\Windows\system32\svchost.exe[2264] msvcrt.dll!system 75FAB16F 5 Bytes JMP 002F0FAB
.text C:\Windows\system32\svchost.exe[2264] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 002F0FC6
.text C:\Windows\system32\svchost.exe[2264] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 002F001B
.text C:\Windows\system32\svchost.exe[2264] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 002F0FD7
.text C:\Windows\system32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 00120FE5
.text C:\Windows\system32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 00120025
.text C:\Windows\system32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 00120F94
.text C:\Windows\system32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 00120036
.text C:\Windows\system32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 00120FCA
.text C:\Windows\system32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 00120F79
.text C:\Windows\system32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 00120FAF
.text C:\Windows\system32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 00120000
.text C:\Windows\Explorer.EXE[2852] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 00400FE5
.text C:\Windows\Explorer.EXE[2852] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 0040000A
.text C:\Windows\Explorer.EXE[2852] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 00400FD4
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 003F008A
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 003F00CA
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 003F0F35
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 003F0FCA
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 003F005B
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 003F0F9E
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 003F0F83
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 003F0F1A
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 003F0FB9
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 003F0F50
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 003F0FDB
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 003F0000
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 003F0040
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 003F0F61
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 003F0011
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 003F00A5
.text C:\Windows\Explorer.EXE[2852] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 003F0F72
.text C:\Windows\Explorer.EXE[2852] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 003E000A
.text C:\Windows\Explorer.EXE[2852] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 003E0FA8
.text C:\Windows\Explorer.EXE[2852] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 003E002F
.text C:\Windows\Explorer.EXE[2852] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 003E0F8D
.text C:\Windows\Explorer.EXE[2852] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 003E0FE5
.text C:\Windows\Explorer.EXE[2852] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 003E0F68
.text C:\Windows\Explorer.EXE[2852] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 003E0FC3
.text C:\Windows\Explorer.EXE[2852] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 003E0FD4
.text C:\Windows\Explorer.EXE[2852] msvcrt.dll!_open 75F77E48 5 Bytes JMP 003D0000
.text C:\Windows\Explorer.EXE[2852] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 003D0F90
.text C:\Windows\Explorer.EXE[2852] msvcrt.dll!system 75FAB16F 5 Bytes JMP 003D0025
.text C:\Windows\Explorer.EXE[2852] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 003D0FC6
.text C:\Windows\Explorer.EXE[2852] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 003D0FAB
.text C:\Windows\Explorer.EXE[2852] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 003D0FE3
.text C:\Windows\Explorer.EXE[2852] WININET.dll!InternetOpenW 76029197 5 Bytes JMP 00430011
.text C:\Windows\Explorer.EXE[2852] WININET.dll!InternetOpenA 7602F18E 5 Bytes JMP 00430000
.text C:\Windows\Explorer.EXE[2852] WININET.dll!InternetOpenUrlA 760430E9 5 Bytes JMP 00430FD1
.text C:\Windows\Explorer.EXE[2852] WININET.dll!InternetOpenUrlW 7607BF94 5 Bytes JMP 00430022
.text C:\Windows\Explorer.EXE[2852] WS2_32.dll!socket 777C3EB8 5 Bytes JMP 042A0FEF
.text C:\Windows\system32\svchost.exe[4176] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 00080FEF
.text C:\Windows\system32\svchost.exe[4176] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 00080FB9
.text C:\Windows\system32\svchost.exe[4176] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 00080FD4
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 00010F50
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 000100A5
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 00010F06
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 00010025
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 00010F83
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 00010FAF
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 00010F9E
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 000100B6
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 00010040
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 00010F35
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 00010FDE
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 00010FEF
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 0001005B
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 00010F61
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 00010014
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 0001008A
.text C:\Windows\system32\svchost.exe[4176] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 00010F72
.text C:\Windows\system32\svchost.exe[4176] msvcrt.dll!_open 75F77E48 5 Bytes JMP 000B0FEF
.text C:\Windows\system32\svchost.exe[4176] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 000B0029
.text C:\Windows\system32\svchost.exe[4176] msvcrt.dll!system 75FAB16F 5 Bytes JMP 000B0F9E
.text C:\Windows\system32\svchost.exe[4176] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 000B0FCD
.text C:\Windows\system32\svchost.exe[4176] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 000B0018
.text C:\Windows\system32\svchost.exe[4176] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 000B0FDE
.text C:\Windows\system32\svchost.exe[4176] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 00300FEF
.text C:\Windows\system32\svchost.exe[4176] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 00300040
.text C:\Windows\system32\svchost.exe[4176] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 00300065
.text C:\Windows\system32\svchost.exe[4176] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 00300FC3
.text C:\Windows\system32\svchost.exe[4176] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 00300014
.text C:\Windows\system32\svchost.exe[4176] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 00300076
.text C:\Windows\system32\svchost.exe[4176] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 0030002F
.text C:\Windows\system32\svchost.exe[4176] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 00300FDE
.text C:\Windows\system32\svchost.exe[4176] WS2_32.dll!socket 777C3EB8 5 Bytes JMP 0090000A
.text C:\Windows\system32\svchost.exe[5276] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 00040FE5
.text C:\Windows\system32\svchost.exe[5276] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 0004000A
.text C:\Windows\system32\svchost.exe[5276] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 00040FD4
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 00010095
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 000100DF
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 000100C4
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 00010FDB
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 00010F80
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 00010047
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 00010058
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 000100F0
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 00010FC0
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 00010F5B
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 0001001B
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 0001000A
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 00010FA5
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 00010084
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 0001002C
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 00010F4A
.text C:\Windows\system32\svchost.exe[5276] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 00010069
.text C:\Windows\system32\svchost.exe[5276] msvcrt.dll!_open 75F77E48 5 Bytes JMP 00070000
.text C:\Windows\system32\svchost.exe[5276] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 00070058
.text C:\Windows\system32\svchost.exe[5276] msvcrt.dll!system 75FAB16F 5 Bytes JMP 00070FCD
.text C:\Windows\system32\svchost.exe[5276] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 00070022
.text C:\Windows\system32\svchost.exe[5276] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 0007003D
.text C:\Windows\system32\svchost.exe[5276] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 00070011
.text C:\Windows\system32\svchost.exe[5276] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 00080000
.text C:\Windows\system32\svchost.exe[5276] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 0008001B
.text C:\Windows\system32\svchost.exe[5276] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 00080F94
.text C:\Windows\system32\svchost.exe[5276] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 00080036
.text C:\Windows\system32\svchost.exe[5276] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 00080FDB
.text C:\Windows\system32\svchost.exe[5276] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 00080051
.text C:\Windows\system32\svchost.exe[5276] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 00080FB9
.text C:\Windows\system32\svchost.exe[5276] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 00080FCA
.text C:\Windows\system32\wuauclt.exe[5656] ntdll.dll!NtCreateFile 776355C8 5 Bytes JMP 00040FEF
.text C:\Windows\system32\wuauclt.exe[5656] ntdll.dll!NtCreateProcess 77635698 5 Bytes JMP 00040FCD
.text C:\Windows\system32\wuauclt.exe[5656] ntdll.dll!NtProtectVirtualMemory 77635F18 5 Bytes JMP 00040FDE
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!GetStartupInfoA 77161E10 5 Bytes JMP 00010F3C
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 00010F10
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 00010F21
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!CreateNamedPipeW 77192D47 5 Bytes JMP 00010036
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!VirtualProtect 771A2BCD 5 Bytes JMP 00010F79
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!LoadLibraryExA 771A4466 5 Bytes JMP 00010F9B
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!LoadLibraryExW 771A5079 5 Bytes JMP 00010F8A
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!GetProcAddress 771ACC94 5 Bytes JMP 000100C0
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!LoadLibraryA 771ADC65 5 Bytes JMP 00010FC0
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!GetStartupInfoW 771AE2DD 5 Bytes JMP 00010080
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!CreateFileW 771AE8A5 5 Bytes JMP 0001000A
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!CreateFileA 771AEA61 5 Bytes JMP 00010FEF
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!LoadLibraryW 771AEF42 5 Bytes JMP 00010047
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!CreatePipe 771C12A6 5 Bytes JMP 00010F57
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!CreateNamedPipeA 771EDBA8 5 Bytes JMP 00010025
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!WinExec 771EEDB2 5 Bytes JMP 0001009B
.text C:\Windows\system32\wuauclt.exe[5656] kernel32.dll!VirtualProtectEx 771EFD51 5 Bytes JMP 00010F68
.text C:\Windows\system32\wuauclt.exe[5656] msvcrt.dll!_open 75F77E48 5 Bytes JMP 000F0FEF
.text C:\Windows\system32\wuauclt.exe[5656] msvcrt.dll!_wsystem 75FAB04F 5 Bytes JMP 000F0042
.text C:\Windows\system32\wuauclt.exe[5656] msvcrt.dll!system 75FAB16F 5 Bytes JMP 000F0027
.text C:\Windows\system32\wuauclt.exe[5656] msvcrt.dll!_creat 75FAED29 5 Bytes JMP 000F0FB7
.text C:\Windows\system32\wuauclt.exe[5656] msvcrt.dll!_wcreat 75FB038E 5 Bytes JMP 000F000C
.text C:\Windows\system32\wuauclt.exe[5656] msvcrt.dll!_wopen 75FB0570 5 Bytes JMP 000F0FDE
.text C:\Windows\system32\wuauclt.exe[5656] ADVAPI32.dll!RegOpenKeyA 76FCCC15 5 Bytes JMP 0010000A
.text C:\Windows\system32\wuauclt.exe[5656] ADVAPI32.dll!RegCreateKeyA 76FCCD01 5 Bytes JMP 00100FA5
.text C:\Windows\system32\wuauclt.exe[5656] ADVAPI32.dll!RegCreateKeyExA 76FD1469 5 Bytes JMP 00100036
.text C:\Windows\system32\wuauclt.exe[5656] ADVAPI32.dll!RegCreateKeyW 76FD1514 5 Bytes JMP 00100F94
.text C:\Windows\system32\wuauclt.exe[5656] ADVAPI32.dll!RegOpenKeyW 76FD2459 5 Bytes JMP 0010001B
.text C:\Windows\system32\wuauclt.exe[5656] ADVAPI32.dll!RegCreateKeyExW 76FD40FE 5 Bytes JMP 00100047
.text C:\Windows\system32\wuauclt.exe[5656] ADVAPI32.dll!RegOpenKeyExW 76FD468D 5 Bytes JMP 00100FC0
.text C:\Windows\system32\wuauclt.exe[5656] ADVAPI32.dll!RegOpenKeyExA 76FD4907 5 Bytes JMP 00100FDB

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\mfevtps.exe[1872] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [010CABE0] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Windows\Explorer.EXE[2852] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [743C2437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2852] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [743A5600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2852] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [743A56BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2852] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [743C24B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2852] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [743B8514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2852] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [743B4CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2852] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [743B506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2852] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [743B5144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2852] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [743B6671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2852] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [743B826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2852] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [743B87BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2852] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [743B901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2852] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [743BE1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2852] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [743B4BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000006e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00116773b757
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00116773b757 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB24790$\1826688055 0 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\@ 2048 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\bckfg.tmp 845 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\cfg.ini 199 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\keywords 281 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\L 0 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\L\xadqgnnk 74752 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\U 0 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\U\80000000.@ 11264 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB24790$\1826688055\U\80000032.@ 97792 bytes
File C:\Windows\$NtUninstallKB24790$\2570630969 0 bytes

---- EOF - GMER 1.0.15 ----


#2 HelpBot

Posted 03 January 2012 - 12:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/435095 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was follow the previous instructions and tell me so. You can skip the rest of this post. If you do need help, please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log, please provide detailed information about your installed Windows Operating System, including the Version, Edition and whether it is a 32-bit or a 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:08 AM

Posted 08 January 2012 - 12:10 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!



