
Active Possible IE Virus Running Vista

Discussion in 'Malware and Virus Removal Archive' started by brimis, 2009/05/27.

  1. 2009/05/27
    brimis

    brimis Well-Known Member Thread Starter

    Joined:
    2006/09/13
    Messages:
    184
    Likes Received:
    2
    [Active] Possible IE Virus Running Vista

    I'm having a problem tracking down a problem with my daughter's laptop, which is a Dell 1525 running Vista Home. When I launch IE, instead of only one window opening, hundreds of IE windows open and they don't stop. I ran McAfee and no viruses were found. Any assistance would be appreciated.
    Thank you.
     
  2. 2009/05/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Under Configuration and Preferences, click the Preferences button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Scan for tracking cookies.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * Back on the main screen, under Scan for Harmful Software click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under Complete Scan, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.
    NOTE: Tracking cookies may be omitted from the log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     

  4. 2009/05/27
    brimis

    brimis Well-Known Member Thread Starter

    Thank you so much. I'll run it now and keep you posted.
    Thank you again.
     
  5. 2009/05/27
    broni

    broni Moderator Malware Analyst

    No problem :)
     
  6. 2009/05/28
    brimis

    brimis Well-Known Member Thread Starter

    Results from all scans. Please note, I placed the scans in 2 posts due to the size.
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 05/27/2009 at 10:38 PM

    Application Version : 4.26.1004

    Core Rules Database Version : 3910
    Trace Rules Database Version: 1854

    Scan type : Quick Scan
    Total Scan Time : 00:20:39

    Memory items scanned : 308
    Memory threats detected : 0
    Registry items scanned : 464
    Registry threats detected : 0
    File items scanned : 72095
    File threats detected : 5

    Adware.Tracking Cookie
    C:\Users\britni6\AppData\Roaming\Microsoft\Windows\Cookies\britni6@ads.pointroll[1].txt
    C:\Users\britni6\AppData\Roaming\Microsoft\Windows\Cookies\britni6@media6degrees[1].txt
    C:\Users\britni6\AppData\Roaming\Microsoft\Windows\Cookies\britni6@atdmt[1].txt
    C:\Users\britni6\AppData\Roaming\Microsoft\Windows\Cookies\britni6@windowsmedia[1].txt
    C:\Users\britni6\AppData\Roaming\Microsoft\Windows\Cookies\britni6@ad.yieldmanager[2].txt

    mbam-log 2009-05-28
    Malwarebytes' Anti-Malware 1.37
    Database version: 2186
    Windows 6.0.6001 Service Pack 1

    5/28/2009 8:01:29 AM
    mbam-log-2009-05-28 (08-01-29).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 196923
    Time elapsed: 1 hour(s), 22 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  7. 2009/05/28
    brimis

    brimis Well-Known Member Thread Starter

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:19:05 AM, on 5/28/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18226)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Dell\DellDock\DellDock.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Windows\OEM02Mon.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Dell V305\dldtmon.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Dell V305\dldtMsdMon.exe
    C:\Program Files\Internet Explorer\IEUser.exe
    c:\PROGRA~1\mcafee\msc\mcuimgr.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
    O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
    O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [dldtmon.exe] "C:\Program Files\Dell V305\dldtmon.exe"
    O4 - HKLM\..\Run: [dldtamon] "C:\Program Files\Dell V305\dldtamon.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: dldtCATSCustConnectService - Unknown owner - C:\Windows\system32\spool\DRIVERS\W32X86\3\\dldtserv.exe
    O23 - Service: dldt_device - - C:\Windows\system32\dldtcoms.exe
    O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 8238 bytes
     
  8. 2009/05/28
    brimis

    brimis Well-Known Member Thread Starter

    Here's the final file in two posts.
    GMER 1.0.15.14972 - http://www.gmer.net
    Rootkit scan 2009-05-28 10:59:24
    Windows 6.0.6001 Service Pack 1


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8E7C49BE]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8E7C4958]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8E7C496C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8E7C49FC]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8E7C4A3F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8E7C4930]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8E7C4944]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8E7C49D2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8E7C4A67]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8E7C4A53]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8E7C49AA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8E7C4996]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8E7C4A2B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8E7C4A12]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8E7C49E8]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8E7C4982]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 81C4218C 5 Bytes JMP 8E7C49EC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwNotifyChangeKey 81DDC17C 5 Bytes JMP 8E7C4A43 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateUserProcess 81DE3DCA 5 Bytes JMP 8E7C4986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 81DFDF80 5 Bytes JMP 8E7C4A2F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenThread 81E1D1CA 5 Bytes JMP 8E7C4948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenProcess 81E2CB06 5 Bytes JMP 8E7C4934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 81E3F71E 7 Bytes JMP 8E7C4A00 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 81E3FD75 5 Bytes JMP 8E7C4A16 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtCreateFile 81E41F86 5 Bytes JMP 8E7C49C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetInformationProcess 81E4F644 5 Bytes JMP 8E7C499A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 81E5189E 7 Bytes JMP 8E7C49D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRestoreKey 81E70402 5 Bytes JMP 8E7C4A57 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwReplaceKey 81E7144E 5 Bytes JMP 8E7C4A6B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcess 81EAF171 5 Bytes JMP 8E7C495C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 81EAF1BC 7 Bytes JMP 8E7C4970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetContextThread 81EAFC7B 5 Bytes JMP 8E7C49AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    ---- User code sections - GMER 1.0.15 ----

    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[500] kernel32.dll!LoadLibraryW 772B361F 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[500] kernel32.dll!LoadLibraryA 772B9491 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Windows\system32\services.exe[664] kernel32.dll!GetStartupInfoW 77291929 5 Bytes JMP 00910F5F
    .text C:\Windows\system32\services.exe[664] kernel32.dll!GetStartupInfoA 772919C9 5 Bytes JMP 0091009B
    .text C:\Windows\system32\services.exe[664] kernel32.dll!CreateProcessW 77291C01 5 Bytes JMP 009100DB
    .text C:\Windows\system32\services.exe[664] kernel32.dll!CreateProcessA 77291C36 1 Byte [E9]
    .text C:\Windows\system32\services.exe[664] kernel32.dll!CreateProcessA 77291C36 5 Bytes JMP 00910F3A
    .text C:\Windows\system32\services.exe[664] kernel32.dll!VirtualProtect 77291DD1 5 Bytes JMP 00910054
    .text C:\Windows\system32\services.exe[664] kernel32.dll!CreateNamedPipeW 77295C44 5 Bytes JMP 00910FA8
    .text C:\Windows\system32\services.exe[664] kernel32.dll!LoadLibraryExW 772B30C3 5 Bytes JMP 00910F7A
    .text C:\Windows\system32\services.exe[664] kernel32.dll!LoadLibraryW 772B361F 5 Bytes JMP 00910F97
    .text C:\Windows\system32\services.exe[664] kernel32.dll!VirtualProtectEx 772B8D7E 5 Bytes JMP 0091006F
    .text C:\Windows\system32\services.exe[664] kernel32.dll!LoadLibraryExA 772B9469 5 Bytes JMP 00910043
    .text C:\Windows\system32\services.exe[664] kernel32.dll!LoadLibraryA 772B9491 5 Bytes JMP 0091001E
    .text C:\Windows\system32\services.exe[664] kernel32.dll!CreatePipe 772C0284 5 Bytes JMP 00910080
    .text C:\Windows\system32\services.exe[664] kernel32.dll!GetProcAddress 772DB8B6 5 Bytes JMP 00910F1F
    .text C:\Windows\system32\services.exe[664] kernel32.dll!CreateFileW 772DCC4E 5 Bytes JMP 00910FD4
    .text C:\Windows\system32\services.exe[664] kernel32.dll!CreateFileA 772DCF71 5 Bytes JMP 00910FEF
    .text C:\Windows\system32\services.exe[664] kernel32.dll!CreateNamedPipeA 7732430E 5 Bytes JMP 00910FC3
    .text C:\Windows\system32\services.exe[664] kernel32.dll!WinExec 773254FF 5 Bytes JMP 009100C0
    .text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegCreateKeyExA 776DB5E7 5 Bytes JMP 00930F9E
    .text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegCreateKeyA 776DB8AE 5 Bytes JMP 00930FD4
    .text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegOpenKeyA 776E0BF5 5 Bytes JMP 00930000
    .text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegCreateKeyW 776EB83D 5 Bytes JMP 00930FB9
    .text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegCreateKeyExW 776EBCE1 5 Bytes JMP 00930F8D
    .text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegOpenKeyExA 776ED4E8 5 Bytes JMP 00930025
    .text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegOpenKeyW 776F3CB0 5 Bytes JMP 00930FEF
    .text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegOpenKeyExW 776FF09D 5 Bytes JMP 00930040
    .text C:\Windows\system32\services.exe[664] msvcrt.dll!_wsystem 773C8A47 5 Bytes JMP 00920F9C
    .text C:\Windows\system32\services.exe[664] msvcrt.dll!system 773C8B63 5 Bytes JMP 00920FAD
    .text C:\Windows\system32\services.exe[664] msvcrt.dll!_creat 773CC6F1 5 Bytes JMP 00920027
    .text C:\Windows\system32\services.exe[664] msvcrt.dll!_open 773CDA7E 5 Bytes JMP 00920FE3
    .text C:\Windows\system32\services.exe[664] msvcrt.dll!_wcreat 773CDC9E 5 Bytes JMP 00920FD2
    .text C:\Windows\system32\services.exe[664] msvcrt.dll!_wopen 773CDE79 5 Bytes JMP 00920000
    .text C:\Windows\system32\services.exe[664] WS2_32.dll!socket 777A36D1 5 Bytes JMP 009D0000
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!GetStartupInfoW 77291929 5 Bytes JMP 0090008A
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!GetStartupInfoA 772919C9 5 Bytes JMP 00900F4E
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!CreateProcessW 77291C01 5 Bytes JMP 009000C0
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!CreateProcessA 77291C36 5 Bytes JMP 00900F29
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!VirtualProtect 77291DD1 5 Bytes JMP 00900F8B
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!CreateNamedPipeW 77295C44 5 Bytes JMP 00900FDE
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!LoadLibraryExW 772B30C3 5 Bytes JMP 00900065
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!LoadLibraryW 772B361F 5 Bytes JMP 00900FCD
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!VirtualProtectEx 772B8D7E 5 Bytes JMP 00900F70
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!LoadLibraryExA 772B9469 5 Bytes JMP 00900FB2
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!LoadLibraryA 772B9491 5 Bytes JMP 00900054
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!CreatePipe 772C0284 5 Bytes JMP 00900F5F
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!GetProcAddress 772DB8B6 5 Bytes JMP 00900F18
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!CreateFileW 772DCC4E 5 Bytes JMP 00900FEF
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!CreateFileA 772DCF71 5 Bytes JMP 0090000A
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!CreateNamedPipeA 7732430E 5 Bytes JMP 00900025
    .text C:\Windows\system32\lsass.exe[676] kernel32.dll!WinExec 773254FF 5 Bytes JMP 009000A5
    .text C:\Windows\system32\lsass.exe[676] ADVAPI32.dll!RegCreateKeyExA 776DB5E7 5 Bytes JMP 0092006C
    .text C:\Windows\system32\lsass.exe[676] ADVAPI32.dll!RegCreateKeyA 776DB8AE 5 Bytes JMP 00920051
    .text C:\Windows\system32\lsass.exe[676] ADVAPI32.dll!RegOpenKeyA 776E0BF5 5 Bytes JMP 00920FE5
    .text C:\Windows\system32\lsass.exe[676] ADVAPI32.dll!RegCreateKeyW 776EB83D 5 Bytes JMP 00920FCA
    .text C:\Windows\system32\lsass.exe[676] ADVAPI32.dll!RegCreateKeyExW 776EBCE1 5 Bytes JMP 00920FB9
    .text C:\Windows\system32\lsass.exe[676] ADVAPI32.dll!RegOpenKeyExA 776ED4E8 5 Bytes JMP 00920011
    .text C:\Windows\system32\lsass.exe[676] ADVAPI32.dll!RegOpenKeyW 776F3CB0 5 Bytes JMP 00920000
    .text C:\Windows\system32\lsass.exe[676] ADVAPI32.dll!RegOpenKeyExW 776FF09D 5 Bytes JMP 00920036
    .text C:\Windows\system32\lsass.exe[676] msvcrt.dll!_wsystem 773C8A47 5 Bytes JMP 00910049
    .text C:\Windows\system32\lsass.exe[676] msvcrt.dll!system 773C8B63 5 Bytes JMP 00910FC8
    .text C:\Windows\system32\lsass.exe[676] msvcrt.dll!_creat 773CC6F1 5 Bytes JMP 0091002E
    .text C:\Windows\system32\lsass.exe[676] msvcrt.dll!_open 773CDA7E 5 Bytes JMP 0091000C
    .text C:\Windows\system32\lsass.exe[676] msvcrt.dll!_wcreat 773CDC9E 5 Bytes JMP 00910FD9
    .text C:\Windows\system32\lsass.exe[676] msvcrt.dll!_wopen 773CDE79 5 Bytes JMP 0091001D
     
  9. 2009/05/28
    brimis

    brimis Well-Known Member Thread Starter

    Joined:
    2006/09/13
    Messages:
    184
    Likes Received:
    2
    .text C:\Windows\system32\svchost.exe[2304] msvcrt.dll!system 773C8B63 5 Bytes JMP 00480FC8
    .text C:\Windows\system32\svchost.exe[2304] msvcrt.dll!_creat 773CC6F1 5 Bytes JMP 0048002E
    .text C:\Windows\system32\svchost.exe[2304] msvcrt.dll!_open 773CDA7E 5 Bytes JMP 00480000
    .text C:\Windows\system32\svchost.exe[2304] msvcrt.dll!_wcreat 773CDC9E 5 Bytes JMP 00480FE3
    .text C:\Windows\system32\svchost.exe[2304] msvcrt.dll!_wopen 773CDE79 5 Bytes JMP 0048001D
    .text C:\Windows\system32\svchost.exe[2304] ADVAPI32.dll!RegCreateKeyExA 776DB5E7 5 Bytes JMP 004D0047
    .text C:\Windows\system32\svchost.exe[2304] ADVAPI32.dll!RegCreateKeyA 776DB8AE 5 Bytes JMP 004D0FC0
    .text C:\Windows\system32\svchost.exe[2304] ADVAPI32.dll!RegOpenKeyA 776E0BF5 5 Bytes JMP 004D0000
    .text C:\Windows\system32\svchost.exe[2304] ADVAPI32.dll!RegCreateKeyW 776EB83D 5 Bytes JMP 004D0FAF
    .text C:\Windows\system32\svchost.exe[2304] ADVAPI32.dll!RegCreateKeyExW 776EBCE1 5 Bytes JMP 004D0062
    .text C:\Windows\system32\svchost.exe[2304] ADVAPI32.dll!RegOpenKeyExA 776ED4E8 5 Bytes JMP 004D002C
    .text C:\Windows\system32\svchost.exe[2304] ADVAPI32.dll!RegOpenKeyW 776F3CB0 5 Bytes JMP 004D001B
    .text C:\Windows\system32\svchost.exe[2304] ADVAPI32.dll!RegOpenKeyExW 776FF09D 5 Bytes JMP 004D0FD1
    .text C:\Windows\system32\svchost.exe[2304] WS2_32.dll!socket 777A36D1 5 Bytes JMP 004E0000
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!GetStartupInfoW 77291929 5 Bytes JMP 00050F43
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!GetStartupInfoA 772919C9 5 Bytes JMP 00050F5E
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!CreateProcessW 77291C01 5 Bytes JMP 00050F17
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!CreateProcessA 77291C36 5 Bytes JMP 00050F28
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!VirtualProtect 77291DD1 5 Bytes JMP 00050FA5
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!CreateNamedPipeW 77295C44 5 Bytes JMP 0005002C
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!LoadLibraryExW 772B30C3 5 Bytes JMP 00050073
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!LoadLibraryW 772B361F 5 Bytes JMP 00050047
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!VirtualProtectEx 772B8D7E 5 Bytes JMP 00050F8A
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!LoadLibraryExA 772B9469 5 Bytes JMP 00050062
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!LoadLibraryA 772B9491 5 Bytes JMP 00050FC0
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!CreatePipe 772C0284 5 Bytes JMP 00050F79
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!GetProcAddress 772DB8B6 5 Bytes JMP 000500C9
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!CreateFileW 772DCC4E 5 Bytes JMP 00050FE5
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!CreateFileA 772DCF71 5 Bytes JMP 00050000
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!CreateNamedPipeA 7732430E 5 Bytes JMP 00050011
    .text C:\Windows\System32\svchost.exe[2356] kernel32.dll!WinExec 773254FF 5 Bytes JMP 000500A4
    .text C:\Windows\System32\svchost.exe[2356] msvcrt.dll!_wsystem 773C8A47 5 Bytes JMP 00070FAD
    .text C:\Windows\System32\svchost.exe[2356] msvcrt.dll!system 773C8B63 5 Bytes JMP 00070042
    .text C:\Windows\System32\svchost.exe[2356] msvcrt.dll!_creat 773CC6F1 5 Bytes JMP 00070027
    .text C:\Windows\System32\svchost.exe[2356] msvcrt.dll!_open 773CDA7E 5 Bytes JMP 0007000C
    .text C:\Windows\System32\svchost.exe[2356] msvcrt.dll!_wcreat 773CDC9E 5 Bytes JMP 00070FD2
    .text C:\Windows\System32\svchost.exe[2356] msvcrt.dll!_wopen 773CDE79 5 Bytes JMP 00070FEF
    .text C:\Windows\System32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyExA 776DB5E7 5 Bytes JMP 00080F9E
    .text C:\Windows\System32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyA 776DB8AE 5 Bytes JMP 00080FAF
    .text C:\Windows\System32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyA 776E0BF5 5 Bytes JMP 00080000
    .text C:\Windows\System32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyW 776EB83D 5 Bytes JMP 00080036
    .text C:\Windows\System32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyExW 776EBCE1 5 Bytes JMP 00080F83
    .text C:\Windows\System32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyExA 776ED4E8 5 Bytes JMP 00080FDB
    .text C:\Windows\System32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyW 776F3CB0 5 Bytes JMP 00080011
    .text C:\Windows\System32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyExW 776FF09D 5 Bytes JMP 00080FC0
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!GetStartupInfoW 77291929 5 Bytes JMP 00010F21
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!GetStartupInfoA 772919C9 5 Bytes JMP 0001005D
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!CreateProcessW 77291C01 5 Bytes JMP 000100A7
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!CreateProcessA 77291C36 5 Bytes JMP 00010082
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!VirtualProtect 77291DD1 5 Bytes JMP 00010F68
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!CreateNamedPipeW 77295C44 5 Bytes JMP 0001001B
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!LoadLibraryExW 772B30C3 5 Bytes JMP 00010F79
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!LoadLibraryW 772B361F 5 Bytes JMP 00010FA5
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!VirtualProtectEx 772B8D7E 5 Bytes JMP 00010F4D
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!LoadLibraryExA 772B9469 5 Bytes JMP 00010F94
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!LoadLibraryA 772B9491 5 Bytes JMP 0001002C
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!CreatePipe 772C0284 5 Bytes JMP 00010F3C
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!GetProcAddress 772DB8B6 5 Bytes JMP 00010EF5
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!CreateFileW 772DCC4E 5 Bytes JMP 00010FE5
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!CreateFileA 772DCF71 5 Bytes JMP 00010000
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!CreateNamedPipeA 7732430E 5 Bytes JMP 00010FCA
    .text C:\Windows\Explorer.EXE[3268] kernel32.dll!WinExec 773254FF 5 Bytes JMP 00010F06
    .text C:\Windows\Explorer.EXE[3268] ADVAPI32.dll!RegCreateKeyExA 776DB5E7 5 Bytes JMP 00050065
    .text C:\Windows\Explorer.EXE[3268] ADVAPI32.dll!RegCreateKeyA 776DB8AE 5 Bytes JMP 00050040
    .text C:\Windows\Explorer.EXE[3268] ADVAPI32.dll!RegOpenKeyA 776E0BF5 5 Bytes JMP 00050000
    .text C:\Windows\Explorer.EXE[3268] ADVAPI32.dll!RegCreateKeyW 776EB83D 5 Bytes JMP 00050FB9
    .text C:\Windows\Explorer.EXE[3268] ADVAPI32.dll!RegCreateKeyExW 776EBCE1 5 Bytes JMP 00050FA8
    .text C:\Windows\Explorer.EXE[3268] ADVAPI32.dll!RegOpenKeyExA 776ED4E8 5 Bytes JMP 00050FEF
    .text C:\Windows\Explorer.EXE[3268] ADVAPI32.dll!RegOpenKeyW 776F3CB0 5 Bytes JMP 00050025
    .text C:\Windows\Explorer.EXE[3268] ADVAPI32.dll!RegOpenKeyExW 776FF09D 5 Bytes JMP 00050FD4
    .text C:\Windows\Explorer.EXE[3268] msvcrt.dll!_wsystem 773C8A47 5 Bytes JMP 00060FA8
    .text C:\Windows\Explorer.EXE[3268] msvcrt.dll!system 773C8B63 5 Bytes JMP 00060FC3
    .text C:\Windows\Explorer.EXE[3268] msvcrt.dll!_creat 773CC6F1 5 Bytes JMP 00060FDE
    .text C:\Windows\Explorer.EXE[3268] msvcrt.dll!_open 773CDA7E 5 Bytes JMP 0006000C
    .text C:\Windows\Explorer.EXE[3268] msvcrt.dll!_wcreat 773CDC9E 5 Bytes JMP 00060033
    .text C:\Windows\Explorer.EXE[3268] msvcrt.dll!_wopen 773CDE79 5 Bytes JMP 00060FEF
    .text C:\Windows\Explorer.EXE[3268] WS2_32.dll!socket 777A36D1 5 Bytes JMP 03410000
    .text C:\Windows\Explorer.EXE[3268] WININET.dll!InternetOpenA 75F703DD 5 Bytes JMP 03440FEF
    .text C:\Windows\Explorer.EXE[3268] WININET.dll!InternetOpenUrlA 75F720A3 5 Bytes JMP 03440FB9
    .text C:\Windows\Explorer.EXE[3268] WININET.dll!InternetOpenW 75F72A58 5 Bytes JMP 03440FCA
    .text C:\Windows\Explorer.EXE[3268] WININET.dll!InternetOpenUrlW 75FBB019 5 Bytes JMP 03440F94

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----
     
  10. 2009/05/28
    broni

    broni Moderator Malware Analyst

    So far, I don't see anything suspicious.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.
     
