GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-10 04:46:19
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST9160310AS rev.0303
Running: rv99mkge.exe; Driver: C:\DOCUME~1\nowy\USTAWI~1\Temp\fwldqpow.sys

---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF72AEA50]
SSDT sptd.sys ZwEnumerateKey [0xF72E2FFE]
SSDT sptd.sys ZwEnumerateValueKey [0xF72E338C]
SSDT sptd.sys ZwOpenKey [0xF72AEA30]
SSDT sptd.sys ZwQueryKey [0xF72E3464]
SSDT sptd.sys ZwQueryValueKey [0xF72E32E4]
SSDT sptd.sys ZwSetValueKey [0xF72E34F6]

INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D70DB
INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) AA11A16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) AA119FC2
INT 0x62 ? 8A6F4CC8
INT 0x63 ? 8A415CC8
INT 0x83 ? 8A6F4CC8
INT 0x94 ? 8A415CC8
INT 0xA4 ? 8A415CC8

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF705E23E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF705E090]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF705E0A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF705E110]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF705E13C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF705E1C0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF705E27E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF705E1EC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF705E054]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF705E068]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF705E252]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF705E17E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF705E126]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF705E214]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF705E200]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF705E0CE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF705E0BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF705E2AD]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF705E1D6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF705E294]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF705E268]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C80 80504538 4 Bytes JMP 91B0F72A
.text ntkrnlpa.exe!ZwCallbackReturn + 2DB8 80504670 4 Bytes [30, EA, 2A, F7] {XOR DL, CH; SUB DH, BH}
.sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xF736BD38]
? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
.text ACPI.sys F722C300 24 Bytes [00, 00, 00, 00, 00, 00, 8B, ...]
.text ACPI.sys F722C319 7 Bytes [00, 6A, 0C, E8, AD, 13, 01]
.text ACPI.sys F722C321 4 Bytes [56, 68, CA, F6]
.text ACPI.sys F722C327 3 Bytes [68, 5B, 2A]
.text ACPI.sys F722C339 7 Bytes [56, 6A, 0B, E8, 8D, 13, 01]
.text ...
.text C:\WINDOWS\system32\drivers\ACPI.sys section is writeable [0xF722C300, 0x1AF00, 0xE8000020]
.rsrc C:\WINDOWS\system32\drivers\ACPI.sys section is executable [0xF7255F00, 0x1BF8, 0xE8000040]
.reloc C:\WINDOWS\system32\drivers\ACPI.sys section is executable [0xF7257B00, 0x2506, 0xE8000040]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF60F8000, 0x189F82, 0xE8000020]
.text USBPORT.SYS!DllUnload F5FDB8AC 5 Bytes JMP 8A4151D8
.text albtdf7r.SYS F5E02306 74 Bytes [00, 00, 00, 40, 03, 00, 40, ...]
.text albtdf7r.SYS F5E02351 87 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text albtdf7r.SYS F5E023A9 10 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text albtdf7r.SYS F5E023B4 34 Bytes [40, 00, 00, C8, 50, 41, 47, ...]
.text albtdf7r.SYS F5E023D7 1 Byte [00]
.text ...
.text C:\WINDOWS\system32\drivers\aksfridge.sys section is writeable [0xA9F86000, 0x49379, 0xE0000020]
.init C:\WINDOWS\system32\drivers\aksfridge.sys entry point in ".init" section [0xA9FDC224]
.init C:\WINDOWS\system32\drivers\aksfridge.sys unknown last code section [0xA9FDC000, 0x4000, 0xE20000E0]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA9D75400, 0x6EB98, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA9DFFC20] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA9DFFC20]
.protect˙˙˙˙hardlockunknown last code section [0xA9DFFA00, 0x50CA, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA9DFFA00, 0x50CA, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02660FEF
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02660F63
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02660F7E
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02660062
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02660051
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0266002C
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0266009A
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0266007D
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026600AB
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02660F1C
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 026600C6
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02660FAF
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02660FCA
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02660F52
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02660011
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02660000
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02660F2D
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 02610FD1
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 02610062
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 0261002C
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 0261001B
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 02610051
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 0261000A
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 02610FA5
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [82, 8A]
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 02610FC0
.text C:\WINDOWS\System32\svchost.exe[212] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 02600F75
.text C:\WINDOWS\System32\svchost.exe[212] msvcrt.dll!system 77C193C7 5 Bytes JMP 02600F9A
.text C:\WINDOWS\System32\svchost.exe[212] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 02600FC6
.text C:\WINDOWS\System32\svchost.exe[212] msvcrt.dll!_open 77C1F566 5 Bytes JMP 02600FEF
.text C:\WINDOWS\System32\svchost.exe[212] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 02600FAB
.text C:\WINDOWS\System32\svchost.exe[212] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 02600000
.text C:\WINDOWS\System32\svchost.exe[212] WS2_32.dll!socket 71A54211 5 Bytes JMP 01DA0000
.text C:\WINDOWS\System32\svchost.exe[212] WININET.dll!InternetOpenA 3FD1D6A8 5 Bytes JMP 01020000
.text C:\WINDOWS\System32\svchost.exe[212] WININET.dll!InternetOpenW 3FD1DB21 5 Bytes JMP 0102001B
.text C:\WINDOWS\System32\svchost.exe[212] WININET.dll!InternetOpenUrlA 3FD1F3BC 5 Bytes JMP 01020036
.text C:\WINDOWS\System32\svchost.exe[212] WININET.dll!InternetOpenUrlW 3FD66DFF 5 Bytes JMP 01020FDB
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006A000A
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006A0FAD
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006A0FBE
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006A0098
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006A0087
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006A0051
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006A0F64
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006A0F75
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006A00D1
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006A0F38
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006A0F13
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006A006C
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006A0FEF
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006A0F9C
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006A0040
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006A0025
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006A0F49
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 0069002F
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00690080
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00690FDE
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 0069000A
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00690065
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00690FEF
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00690FB9
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [8A, 88]
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00690040
.text C:\WINDOWS\system32\svchost.exe[288] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00680FD4
.text C:\WINDOWS\system32\svchost.exe[288] msvcrt.dll!system 77C193C7 5 Bytes JMP 0068005F
.text C:\WINDOWS\system32\svchost.exe[288] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00680033
.text C:\WINDOWS\system32\svchost.exe[288] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00680000
.text C:\WINDOWS\system32\svchost.exe[288] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00680044
.text C:\WINDOWS\system32\svchost.exe[288] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00680FEF
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013D0000
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 013D00A9
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 013D0FAA
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 013D0084
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 013D0069
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 013D0FD1
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 013D0F7E
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 013D00C6
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013D00F2
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013D00E1
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 013D0103
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 013D0058
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 013D001B
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 013D0F8F
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 013D0047
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 013D002C
.text C:\WINDOWS\Explorer.EXE[964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 013D0F63
.text C:\WINDOWS\Explorer.EXE[964] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00D80FD4
.text C:\WINDOWS\Explorer.EXE[964] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00D80F8D
.text C:\WINDOWS\Explorer.EXE[964] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00D80025
.text C:\WINDOWS\Explorer.EXE[964] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\Explorer.EXE[964] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00D80F9E
.text C:\WINDOWS\Explorer.EXE[964] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00D80000
.text C:\WINDOWS\Explorer.EXE[964] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00D80040
.text C:\WINDOWS\Explorer.EXE[964] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00D80FB9
.text C:\WINDOWS\Explorer.EXE[964] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00CE0042
.text C:\WINDOWS\Explorer.EXE[964] msvcrt.dll!system 77C193C7 5 Bytes JMP 00CE0FAD
.text C:\WINDOWS\Explorer.EXE[964] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00CE001D
.text C:\WINDOWS\Explorer.EXE[964] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00CE0000
.text C:\WINDOWS\Explorer.EXE[964] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00CE0FC8
.text C:\WINDOWS\Explorer.EXE[964] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00CE0FE3
.text C:\WINDOWS\Explorer.EXE[964] WININET.dll!InternetOpenA 3FD1D6A8 5 Bytes JMP 00CC0000
.text C:\WINDOWS\Explorer.EXE[964] WININET.dll!InternetOpenW 3FD1DB21 5 Bytes JMP 00CC0FE5
.text C:\WINDOWS\Explorer.EXE[964] WININET.dll!InternetOpenUrlA 3FD1F3BC 5 Bytes JMP 00CC0FCA
.text C:\WINDOWS\Explorer.EXE[964] WININET.dll!InternetOpenUrlW 3FD66DFF 5 Bytes JMP 00CC001B
.text C:\WINDOWS\Explorer.EXE[964] WS2_32.dll!socket 71A54211 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC007D
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC006C
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0F9E
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC005B
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC004A
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F52
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0F63
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0F26
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC00BF
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC00DA
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0FC3
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC008E
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0FDE
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0025
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC0F37
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00BB003D
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00BB0FBD
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00BB0022
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00BB0011
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00BB007A
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00BB005F
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00BB004E
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00BA004C
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!system 77C193C7 5 Bytes JMP 00BA0FB7
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00BA0027
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00BA0FC8
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!socket 71A54211 5 Bytes JMP 00B90FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00ED0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00ED0F70
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00ED0F8B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00ED0065
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00ED0FA8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00ED002F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00ED0F4E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00ED008A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00ED00E7
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00ED00C2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00ED0F33
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00ED004A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00ED0FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00ED0F5F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00ED0FC3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00ED0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00ED00B1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00EC0FC3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00EC0F7C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00EC000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00EC0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00EC0039
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00EC0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00EC0FA1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [0D, 89]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00EC0FB2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00EB0FB7
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] msvcrt.dll!system 77C193C7 5 Bytes JMP 00EB0042
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00EB0FE3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00EB0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00EB0FD2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00EB001D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1284] WS2_32.dll!socket 71A54211 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009B0000
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009B0F7C
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009B0071
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009B0F8D
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009B0F9E
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009B004A
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009B0F44
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009B008C
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009B0EFD
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009B0F18
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009B0EEC
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009B0FC3
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009B0025
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009B0F6B
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009B0FDE
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\services.exe[1608] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009B0F33
.text C:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 009A002C
.text C:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 009A0062
.text C:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 009A0FDB
.text C:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 009A001B
.text C:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 009A0047
.text C:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 009A0F9B
.text C:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [BB, 88]
.text C:\WINDOWS\system32\services.exe[1608] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 009A0FC0
.text C:\WINDOWS\system32\services.exe[1608] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00990047
.text C:\WINDOWS\system32\services.exe[1608] msvcrt.dll!system 77C193C7 5 Bytes JMP 00990FB2
.text C:\WINDOWS\system32\services.exe[1608] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00990FCD
.text C:\WINDOWS\system32\services.exe[1608] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\services.exe[1608] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 0099002C
.text C:\WINDOWS\system32\services.exe[1608] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00990FDE
.text C:\WINDOWS\system32\services.exe[1608] WS2_32.dll!socket 71A54211 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B00F92
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B0007D
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B0006C
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B00FB9
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B0004A
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B00F81
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B000C9
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B000FF
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B000E4
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B00F4B
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B0005B
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B0000A
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B000AC
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B00FD4
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B0001B
.text C:\WINDOWS\system32\lsass.exe[1620] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B00F70
.text C:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00AF002C
.text C:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00AF0098
.text C:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00AF001B
.text C:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00AF007D
.text C:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00AF000A
.text C:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00AF0062
.text C:\WINDOWS\system32\lsass.exe[1620] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00AF0051
.text C:\WINDOWS\system32\lsass.exe[1620] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00AE0FD4
.text C:\WINDOWS\system32\lsass.exe[1620] msvcrt.dll!system 77C193C7 5 Bytes JMP 00AE005F
.text C:\WINDOWS\system32\lsass.exe[1620] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00AE0FE5
.text C:\WINDOWS\system32\lsass.exe[1620] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00AE000C
.text C:\WINDOWS\system32\lsass.exe[1620] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00AE0044
.text C:\WINDOWS\system32\lsass.exe[1620] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00AE0029
.text C:\WINDOWS\system32\lsass.exe[1620] WS2_32.dll!socket 71A54211 5 Bytes JMP 00AD0FEF
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0F6B
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0F7C
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0F8D
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0FA8
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0FB9
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0091
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE0F49
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE0F1D
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE00B6
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE0F0C
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0040
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE0F5A
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0025
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE0F38
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00FD003D
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00FD0F8A
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00FD002C
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00FD0F9B
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00FD0FB6
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [1E, 89]
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00FD0FC7
.text C:\WINDOWS\system32\svchost.exe[1824] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00FC0F92
.text C:\WINDOWS\system32\svchost.exe[1824] msvcrt.dll!system 77C193C7 5 Bytes JMP 00FC001D
.text C:\WINDOWS\system32\svchost.exe[1824] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00FC0FC8
.text C:\WINDOWS\system32\svchost.exe[1824] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00FC0FEF
.text C:\WINDOWS\system32\svchost.exe[1824] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00FC0FAD
.text C:\WINDOWS\system32\svchost.exe[1824] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00FC000C
.text C:\WINDOWS\system32\svchost.exe[1824] WS2_32.dll!socket 71A54211 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B5000A
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B50FA8
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B50093
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B50FB9
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B50FCA
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B50051
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B500E4
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B500D3
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B500FF
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B50F66
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B50F4B
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B5006C
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B5001B
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B500C2
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B50FE5
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B50036
.text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B50F81
.text C:\WINDOWS\system32\svchost.exe[1904] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00B40014
.text C:\WINDOWS\system32\svchost.exe[1904] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00B40F7C
.text C:\WINDOWS\system32\svchost.exe[1904] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00B40FB9
.text C:\WINDOWS\system32\svchost.exe[1904] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00B40FDE
.text C:\WINDOWS\system32\svchost.exe[1904] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00B40F8D
.text C:\WINDOWS\system32\svchost.exe[1904] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1904] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00B40FA8
.text C:\WINDOWS\system32\svchost.exe[1904] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [D5, 88] {AAD 0x88}
.text C:\WINDOWS\system32\svchost.exe[1904] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00B40025
.text C:\WINDOWS\system32\svchost.exe[1904] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00B30042
.text C:\WINDOWS\system32\svchost.exe[1904] msvcrt.dll!system 77C193C7 5 Bytes JMP 00B30FB7
.text C:\WINDOWS\system32\svchost.exe[1904] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00B3000C
.text C:\WINDOWS\system32\svchost.exe[1904] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\system32\svchost.exe[1904] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00B30031
.text C:\WINDOWS\system32\svchost.exe[1904] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00B30FD2
.text C:\WINDOWS\system32\svchost.exe[1904] WS2_32.dll!socket 71A54211 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F60F1F
.text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F60F3A
.text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F60F57
.text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F60014
.text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F60F83
.text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F60EF1
.text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F60039
.text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F60EC2
.text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F6005B
.text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F60E9D
.text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F60F72
.text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F60FD4
.text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F60F0E
.text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F60FA8
.text C:\WINDOWS\system32\svchost.exe[2860] 
kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F60FB9 .text C:\WINDOWS\system32\svchost.exe[2860] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F6004A .text C:\WINDOWS\system32\svchost.exe[2860] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00F50FD4 .text C:\WINDOWS\system32\svchost.exe[2860] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00F50FA8 .text C:\WINDOWS\system32\svchost.exe[2860] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00F5001B .text C:\WINDOWS\system32\svchost.exe[2860] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00F5000A .text C:\WINDOWS\system32\svchost.exe[2860] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00F50065 .text C:\WINDOWS\system32\svchost.exe[2860] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00F50FEF .text C:\WINDOWS\system32\svchost.exe[2860] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00F5004A .text C:\WINDOWS\system32\svchost.exe[2860] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00F50FC3 .text C:\WINDOWS\system32\svchost.exe[2860] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00F40047 .text C:\WINDOWS\system32\svchost.exe[2860] msvcrt.dll!system 77C193C7 5 Bytes JMP 00F40FB2 .text C:\WINDOWS\system32\svchost.exe[2860] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00F40FCD .text C:\WINDOWS\system32\svchost.exe[2860] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00F40000 .text C:\WINDOWS\system32\svchost.exe[2860] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00F4002C .text C:\WINDOWS\system32\svchost.exe[2860] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00F40011 .text C:\WINDOWS\system32\svchost.exe[2860] WS2_32.dll!socket 71A54211 5 Bytes JMP 00F30000 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 5CE60000 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 5CE60FA8 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!VirtualProtect 
7C801AD4 5 Bytes JMP 5CE6009D .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!LoadLibraryExW 7C801AF5 4 Bytes JMP 5CE60082 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 5CE60FB9 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 5CE60FE5 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 5CE60F77 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 5CE600C9 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 5CE600F5 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 5CE600DA .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 5CE60110 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 5CE60FCA .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 5CE6001B .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 5CE600B8 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 5CE60047 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 5CE60036 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 5CE60F5C .text C:\Program 
Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 5CE40F9E .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] msvcrt.dll!system 77C193C7 5 Bytes JMP 5CE40029 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 5CE40FDE .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] msvcrt.dll!_open 77C1F566 5 Bytes JMP 5CE40FEF .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 5CE40FB9 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 5CE4000C .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 5CE5001B .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 5CE50073 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 5CE50FCA .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 5CE50000 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 5CE50062 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 5CE50FEF .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 5CE50047 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 5CE5002C .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3040] WS2_32.dll!socket 71A54211 5 Bytes JMP 
5CE30000 .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01210C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01447B4C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01447B29 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] kernel32.dll!ValidateLocale + B130 7C844958 7 Bytes JMP 01213FAC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 0218ED8F .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] USER32.dll!DrawTextExW 7E37B415 5 Bytes JMP 0219031F .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] USER32.dll!DrawTextW 7E37D7E2 5 Bytes JMP 0219015D .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] USER32.dll!SetClipboardData 7E380F9E 5 Bytes JMP 0218FDD3 .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] USER32.dll!DrawTextA 7E38C702 5 Bytes JMP 02190082 .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] USER32.dll!DrawTextExA 7E38C739 5 Bytes JMP 02190238 .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 0218FFB6 .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 021904EA .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01447AAA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] GDI32.dll!TextOutA 77F1BA4F 5 Bytes JMP 0218FEEA .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 02190406 
.text C:\Program Files\Mozilla Firefox\firefox.exe[3240] GDI32.dll!GetGlyphIndicesA 77F3DFE3 5 Bytes JMP 021908AA .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] GDI32.dll!GetGlyphIndicesW 77F52604 5 Bytes JMP 02190977 .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] WS2_32.dll!getaddrinfo 71A52A6F 5 Bytes JMP 0218E8FB .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 0218FD2C .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] WS2_32.dll!send 71A54C27 5 Bytes JMP 0218F8A1 .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 0218FAC8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] WS2_32.dll!gethostbyname 71A55355 5 Bytes JMP 0218E83A .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] WS2_32.dll!recv 71A5676F 5 Bytes JMP 0218F946 .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 0218F9F4 .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] WS2_32.dll!WSAAsyncGetHostByName 71A5E99D 5 Bytes JMP 0218ECB0 .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] WININET.dll!InternetCrackUrlW 3FCF40C0 5 Bytes JMP 02190D86 .text C:\Program Files\Mozilla Firefox\firefox.exe[3240] WININET.dll!InternetCrackUrlA 3FD14938 5 Bytes JMP 02190C3D .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF0000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF0F68 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF005D .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF0F83 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0040 .text C:\Program Files\McAfee\Common 
Framework\naPrdMgr.exe[3724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF0F9E .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF0089 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF0F4D .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF0EFA .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF0F0B .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CF00AE .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CF002F .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CF0FE5 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CF0078 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CF0FB9 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CF0FCA .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CF0F1C .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00CE003D .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00CE005F .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00CE0022 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00CE0011 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] 
ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00CE0FAC .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00CE0000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00CE004E .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00CE0FC7 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00CD0047 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] msvcrt.dll!system 77C193C7 5 Bytes JMP 00CD0FBC .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00CD0FDE .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00CD000C .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00CD0FCD .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00CD0FEF .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3724] WS2_32.dll!socket 71A54211 5 Bytes JMP 00CC0000 .text C:\Documents and Settings\nowy\Pulpit\suwak_pkz.exe[6696] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [90] .text C:\Documents and Settings\nowy\Pulpit\suwak_pkz.exe[6696] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F100F5A .text C:\Documents and Settings\nowy\Pulpit\suwak_pkz.exe[6696] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A .text C:\Documents and Settings\nowy\Pulpit\suwak_pkz.exe[6696] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 5F190F5A .text C:\Documents and Settings\nowy\Pulpit\suwak_pkz.exe[6696] kernel32.dll!GetFileAttributesW 7C80B7EC 6 Bytes JMP 5F130F5A .text C:\Documents and Settings\nowy\Pulpit\suwak_pkz.exe[6696] kernel32.dll!GetFileAttributesA 7C8115DC 6 Bytes JMP 5F160F5A .text C:\Documents and 
Settings\nowy\Pulpit\suwak_pkz.exe[6696] USER32.dll!SetCursor 7E379930 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\nowy\Pulpit\suwak_pkz.exe[6696] USER32.dll!SetCursor + 4 7E379934 2 Bytes [1D, 5F] .text C:\Documents and Settings\nowy\Pulpit\suwak_pkz.exe[6696] USER32.dll!MessageBeep 7E381F7B 6 Bytes JMP 5F0A0F5A .text C:\Documents and Settings\nowy\Pulpit\suwak_pkz.exe[6696] USER32.dll!MessageBoxA 7E3A07EA 6 Bytes JMP 5F040F5A .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260FEF .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00260F66 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00260F8B .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260065 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260054 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260FBC .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00260F44 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00260080 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00260F0E .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00260F1F .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00260EF3 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00260043 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] 
kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00260FDE .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00260F55 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00260FCD .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00260014 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002600A7 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 003B0000 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 003B0047 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 003B0FAF .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 003B0FD4 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 003B0036 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 003B0FEF .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 003B0025 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 003B0F94 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] ole32.dll!OleLoadFromStream 7751983B 5 Bytes JMP 30F52DF0 C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll (Microsoft Office 2003 component/Microsoft Corporation) .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 003C0F95 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] msvcrt.dll!system 77C193C7 5 Bytes JMP 003C002A .text 
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 003C0FC1 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] msvcrt.dll!_open 77C1F566 5 Bytes JMP 003C0FEF .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 003C0FB0 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 003C0FD2 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] WS2_32.dll!socket 71A54211 5 Bytes JMP 01470FE5 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] WININET.dll!InternetOpenA 3FD1D6A8 5 Bytes JMP 016A0FEF .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] WININET.dll!InternetOpenW 3FD1DB21 5 Bytes JMP 016A0014 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] WININET.dll!InternetOpenUrlA 3FD1F3BC 5 Bytes JMP 016A002F .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[9184] WININET.dll!InternetOpenUrlW 3FD66DFF 5 Bytes JMP 016A004A ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [F7275574] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [F72750C0] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [F7275FE0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72750C0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7275362] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72752A4] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72761BC] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F7275FE0] sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F728A312] sptd.sys IAT \SystemRoot\System32\Drivers\albtdf7r.SYS[HAL.dll!KeGetCurrentIrql] 830C4D8A IAT \SystemRoot\System32\Drivers\albtdf7r.SYS[HAL.dll!KfAcquireSpinLock] 0001CCB8 IAT \SystemRoot\System32\Drivers\albtdf7r.SYS[HAL.dll!KfReleaseSpinLock] 
48880000 IAT \SystemRoot\System32\Drivers\albtdf7r.SYS[HAL.dll!KfRaiseIrql] C0940F68 IAT \SystemRoot\System32\Drivers\albtdf7r.SYS[HAL.dll!KfLowerIrql] 8B55C35D IAT \SystemRoot\System32\Drivers\albtdf7r.SYS[USBD.SYS!USBD_CreateConfigurationRequestEx] 458D5653 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\system32\mfevtps.exe[2972] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00405941] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8A6F31F8 AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.) Device \FileSystem\Fastfat \FatCdrom 892DE1F8 AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) Device \Driver\NetBT \Device\NetBT_Tcpip_{ABF6C760-478F-4A49-B80C-F2DFCD172271} 894E51F8 AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) Device \Driver\RTSTOR \Device\0000009f sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\usbohci \Device\USBPDO-0 8A4B61F8 Device \Driver\usbohci \Device\USBPDO-1 8A4B61F8 Device \Driver\usbehci \Device\USBPDO-2 8A3211F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{A2C7841E-D57D-4811-A1B9-02CA097E8C88} 894E51F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{B7996051-B631-4887-A671-4E259F86CA74} 894E51F8 AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) Device \Driver\RTSTOR \Device\000000a1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\Cdrom \Device\CdRom0 8A4161F8 Device \Driver\aksusb \Device\000000b0 AKSCLASS.SYS (Aladdin Class Driver/SafeNet Inc.) 
Device \Driver\atapi \Device\Ide\IdePort0 [F71C7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F71C7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort1 [F71C7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort2 [F71C7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F71C7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\NetBT \Device\NetBt_Wins_Export 894E51F8 Device \Driver\NetBT \Device\NetbiosSmb 894E51F8 AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.) AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) Device \Driver\Disk \Device\Harddisk1\DR3 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.) 
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+4 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.) Device \Driver\usbohci \Device\USBFDO-0 8A4B61F8 Device \Driver\usbohci \Device\USBFDO-1 8A4B61F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 894DA1F8 Device \Driver\usbehci \Device\USBFDO-2 8A3211F8 Device \Driver\PCI_PNP0296 \Device\0000006e sptd.sys Device \FileSystem\MRxSmb \Device\LanmanRedirector 894DA1F8 Device \Driver\albtdf7r \Device\Scsi\albtdf7r1 8A48D430 Device \FileSystem\Fastfat \Fat 892DE1F8 AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.) Device \FileSystem\Cdfs \Cdfs 892F41F8 ---- Threads - GMER 1.0.15 ---- Thread System [4:144] 8A5AC39F Thread System [4:148] 8A42B0F4 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC9 0x3F 0x4A 0x84 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... 
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC9 0x3F 0x4A 0x84 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... ---- EOF - GMER 1.0.15 ----