GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-12 04:38:03
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST9160310AS rev.0303
Running: rv99mkge.exe; Driver: C:\DOCUME~1\nowy\USTAWI~1\Temp\fwldqpow.sys

---- System - GMER 1.0.15 ----

SSDT \WINDOWS\system32\ntkrnlpa.exe (Jądro i system NT/Microsoft Corporation) ZwCreateKey [0x804D70CC]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70CC] ZwCreateKey [0x804D70CC]
SSDT \WINDOWS\system32\ntkrnlpa.exe (Jądro i system NT/Microsoft Corporation) ZwOpenKey [0x804D70D1]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70D1] ZwOpenKey [0x804D70D1]
INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D70D6
INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) AE38516D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) AE384FC2
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF7189242]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF7189090]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF71890A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF7189114]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7189140]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF71891AE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF7189198]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF71891C4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7189282]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF71891F0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7189054]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7189068]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF7189256]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF718922C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF7189182]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF718916C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF718912A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF7189218]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF7189204]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF71890CE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF71890BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF7189156]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF71892B1]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF71891DA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF7189298]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF718926C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B1C 7 Bytes JMP F7189270 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 805790A2 5 Bytes JMP F7189246 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2042 7 Bytes JMP F7189286 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E50 5 Bytes JMP F718929C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B8426 7 Bytes JMP F718925A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB456 5 Bytes JMP F7189058 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6E2 5 Bytes JMP F718906C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDEA0 5 Bytes JMP F71890BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D119A 7 Bytes JMP F71890A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D1250 5 Bytes JMP F7189094 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D22D8 5 Bytes JMP F71892B5 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D2C1A 5 Bytes JMP F71890D2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806221FA 7 Bytes JMP F7189170 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622548 7 Bytes JMP F718915A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622872 7 Bytes JMP F71891DE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80623124 7 Bytes JMP F7189186 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806239F8 7 Bytes JMP F718912E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80624472 7 Bytes JMP F7189118 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80624642 7 Bytes JMP F7189144 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80624822 7 Bytes JMP F71891B2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80624A8C 7 Bytes JMP F718919C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 806256F6 7 Bytes JMP F7189230 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 806259B6 5 Bytes JMP F7189208 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwLoadKey2 80625E06 7 Bytes JMP F71891C8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 806260AA 5 Bytes JMP F718921C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806261C4 5 Bytes JMP F71891F4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\drivers\ACPI.sys section is writeable [0xF7357300, 0x1AF00, 0xE8000020]
.rsrc C:\WINDOWS\system32\drivers\ACPI.sys section is executable [0xF7380F00, 0x1BF8, 0xE8000040]
.reloc C:\WINDOWS\system32\drivers\ACPI.sys section is executable [0xF7382B00, 0x2506, 0xE8000040]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6993000, 0x189F82, 0xE8000020]
.text C:\WINDOWS\system32\drivers\aksfridge.sys section is writeable [0xAA6AE000, 0x49379, 0xE0000020]
.init C:\WINDOWS\system32\drivers\aksfridge.sys entry point in ".init" section [0xAA704224]
.init C:\WINDOWS\system32\drivers\aksfridge.sys unknown last code section [0xAA704000, 0x4000, 0xE20000E0]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xAA49D400, 0x6EB98, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xAA527C20] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xAA527C20]
.protect˙˙˙˙hardlockunknown last code section [0xAA527A00, 0x50CA, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xAA527A00, 0x50CA, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 022F0000
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 022F0F6D
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 022F0F92
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 022F006C
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 022F0FAF
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 022F0047
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 022F0098
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 022F0F50
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 022F00A9
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 022F0F1A
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 022F0EF5
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 022F0FC0
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 022F0011
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 022F0087
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 022F002C
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 022F0FDB
.text C:\WINDOWS\System32\svchost.exe[212] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 022F0F2B
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 02000FCA
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 02000F79
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 02000FE5
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 02000011
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 02000F8A
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 02000000
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 02000FA5
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [21, 8A]
.text C:\WINDOWS\System32\svchost.exe[212] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 0200002C
.text C:\WINDOWS\System32\svchost.exe[212] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 01A8003D
.text C:\WINDOWS\System32\svchost.exe[212] msvcrt.dll!system 77C193C7 5 Bytes JMP 01A80FB2
.text C:\WINDOWS\System32\svchost.exe[212] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 01A80022
.text C:\WINDOWS\System32\svchost.exe[212] msvcrt.dll!_open 77C1F566 5 Bytes JMP 01A80000
.text C:\WINDOWS\System32\svchost.exe[212] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 01A80FD7
.text C:\WINDOWS\System32\svchost.exe[212] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 01A80011
.text C:\WINDOWS\System32\svchost.exe[212] WS2_32.dll!socket 71A54211 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\System32\svchost.exe[212] WININET.dll!InternetOpenA 3FD1D6A8 5 Bytes JMP 00BA000A
.text C:\WINDOWS\System32\svchost.exe[212] WININET.dll!InternetOpenW 3FD1DB21 5 Bytes JMP 00BA001B
.text C:\WINDOWS\System32\svchost.exe[212] WININET.dll!InternetOpenUrlA 3FD1F3BC 5 Bytes JMP 00BA0036
.text C:\WINDOWS\System32\svchost.exe[212] WININET.dll!InternetOpenUrlW 3FD66DFF 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006A0FEF
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006A004A
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006A0F55
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006A0F66
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006A0F83
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006A001E
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006A006C
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006A005B
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006A009B
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006A0EF8
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006A00AC
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006A002F
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006A0FDE
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006A0F30
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006A0FA8
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006A0FC3
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006A0F09
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00690FD4
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 0069005B
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00690025
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00690FEF
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00690F9E
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00690000
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00690FC3
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [8A, 88]
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00690040
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00680014
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!system 77C193C7 5 Bytes JMP 00680F89
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00680FAB
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00680FE3
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00680F9A
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00680FC6
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00890000
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00890F5E
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00890F83
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0089005D
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00890F94
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0089002C
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00890F26
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0089006E
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00890EF3
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00890F04
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00890ED8
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00890FA5
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00890FE5
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!CreatePipe 7C81D83F 1 Byte [E9]
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00890F43
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00890FC0
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0089001B
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00890F15
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00870F89
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] msvcrt.dll!system 77C193C7 5 Bytes JMP 00870F9A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00870FC6
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00870000
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00870FB5
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00870FE3
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00880036
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00880F9E
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00880FE5
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 0088001B
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 0088005B
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00880000
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00880FB9
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [A9, 88]
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00880FD4
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[556] WS2_32.dll!socket 71A54211 5 Bytes JMP 00860000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF0F70
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF0F81
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF0F9C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF005B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF0093
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF0082
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF0F3A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF00D3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CF00EE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CF0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CF0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CF0F4B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CF004A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CF0025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CF00AE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00CE0FC0
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00CE0036
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00CE0011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00CE0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00CE0F79
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00CE0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00CE0F94
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [EF, 88]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00CE0FAF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00CD0FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] msvcrt.dll!system 77C193C7 5 Bytes JMP 00CD004E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00CD0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00CD0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00CD0033
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00CD000C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[596] WS2_32.dll!socket 71A54211 5 Bytes JMP 00CC000A
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00FE5
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00078
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C00067
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00F8D
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00FA8
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C0002F
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C000B7
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C0009A
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C000D2
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C00F39
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C000E3
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C00040
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C00089
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C00FC3
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C00F54
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00BF003D
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00BF0FAC
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00BF002C
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00BF0011
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00BF0069
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00BF0FD1
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [E0, 88] {LOOPNZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00BF0058
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00BE0F89
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!system 77C193C7 5 Bytes JMP 00BE0014
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00BE0FB5
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00BE0FA4
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00BE0FC6
.text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!socket 71A54211 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009B0F3D
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009B0F4E
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009B0F6B
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009B0F86
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009B0F97
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009B0068
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009B0F2C
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009B008D
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009B0EF4
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009B0EE3
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009B0028
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009B0FDE
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009B004D
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009B0FB2
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009B0FC3
.text C:\WINDOWS\system32\services.exe[1596] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009B0F05
.text C:\WINDOWS\system32\services.exe[1596] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\services.exe[1596] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 009A0F94
.text C:\WINDOWS\system32\services.exe[1596] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 009A0FB9
.text C:\WINDOWS\system32\services.exe[1596] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 009A0FD4
.text C:\WINDOWS\system32\services.exe[1596] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 009A005B
.text C:\WINDOWS\system32\services.exe[1596] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\system32\services.exe[1596] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 009A0036
.text C:\WINDOWS\system32\services.exe[1596] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 009A001B
.text C:\WINDOWS\system32\services.exe[1596] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 0099002C
.text C:\WINDOWS\system32\services.exe[1596] msvcrt.dll!system 77C193C7 5 Bytes JMP 00990FAB
.text C:\WINDOWS\system32\services.exe[1596] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00990FC6
.text C:\WINDOWS\system32\services.exe[1596] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00990000
.text C:\WINDOWS\system32\services.exe[1596] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 0099001B
.text C:\WINDOWS\system32\services.exe[1596] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00990FE3
.text C:\WINDOWS\system32\services.exe[1596] WS2_32.dll!socket 71A54211 5 Bytes JMP 00980FEF
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 000700B5
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070098
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070087
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700E1
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700D0
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700FC
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F63
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070121
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070FA5
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\lsass.exe[1632] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F7E
.text C:\WINDOWS\system32\lsass.exe[1632] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00060FDB
.text C:\WINDOWS\system32\lsass.exe[1632] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00060FB6
.text C:\WINDOWS\system32\lsass.exe[1632] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\lsass.exe[1632] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\lsass.exe[1632] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 0006007D
.text C:\WINDOWS\system32\lsass.exe[1632] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\lsass.exe[1632] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00060062
.text C:\WINDOWS\system32\lsass.exe[1632] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00060051
.text C:\WINDOWS\system32\lsass.exe[1632] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00050FA8
.text C:\WINDOWS\system32\lsass.exe[1632] msvcrt.dll!system 77C193C7 5 Bytes JMP 00050FB9
.text C:\WINDOWS\system32\lsass.exe[1632] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00050033
.text C:\WINDOWS\system32\lsass.exe[1632] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\lsass.exe[1632] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00050FDE
.text C:\WINDOWS\system32\lsass.exe[1632] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\lsass.exe[1632] WS2_32.dll!socket 71A54211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC008E
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0F8F
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0FA0
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0069
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0047
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC00BA
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC00A9
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC00E6
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0F4D
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC0101
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0058
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC0F7E
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC00CB
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00BB0025
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00BB0F83
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00BB0FA8
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [DC, 88]
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00BB0036
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00BA003D
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!system 77C193C7 5 Bytes JMP 00BA0FB2
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00BA0FDE
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00BA0FCD
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00BA000C
.text C:\WINDOWS\system32\svchost.exe[1820] WS2_32.dll!socket 71A54211 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D4000A
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D4009D
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D40082
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D40071
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D4004A
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D40FB9
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D40F83
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D400D5
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D40F5E
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D40101
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D40112
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D40FA8
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D400AE
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D40FD4
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D40025
.text C:\WINDOWS\system32\svchost.exe[1900]
kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D400F0 .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00D30FAF .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00D30039 .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00D30FCA .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00D3000A .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00D30F72 .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00D30FE5 .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00D30F83 .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [F4, 88] .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00D30F94 .text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00D20FB7 .text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!system 77C193C7 5 Bytes JMP 00D20FD2 .text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00D2002E .text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00D20000 .text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00D20FE3 .text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00D20011 .text C:\WINDOWS\system32\svchost.exe[1900] WS2_32.dll!socket 71A54211 5 Bytes JMP 00D10FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00ED000A .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00ED0F55 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 
00ED0F66 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00ED0F77 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00ED0F9E .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00ED0040 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00ED0091 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00ED0076 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00ED00CE .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00ED00B3 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00ED0F10 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00ED0FB9 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00ED001B .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00ED0065 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00ED0FD4 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00ED0FE5 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00ED00A2 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00EC002F .text C:\Program 
Files\McAfee\Common Framework\FrameworkService.exe[1980] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00EC0076 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00EC0014 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00EC0FDE .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00EC0FAF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00EC0FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00EC005B .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00EC0040 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00EB0031 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] msvcrt.dll!system 77C193C7 5 Bytes JMP 00EB0FA6 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00EB0FD2 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00EB0000 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00EB0FB7 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00EB0FE3 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1980] WS2_32.dll!socket 71A54211 5 Bytes JMP 00EA0000 .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90000 .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90F66 .text 
C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90F77 .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F90051 .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90F94 .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90FB9 .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F90087 .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F90F3F .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F90F1D .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F90F2E .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F90F0C .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F90040 .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F90FEF .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F90076 .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F90025 .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F90FD4 .text C:\WINDOWS\system32\svchost.exe[2728] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F900A2 .text C:\WINDOWS\system32\svchost.exe[2728] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00F80FC0 .text C:\WINDOWS\system32\svchost.exe[2728] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00F80051 .text C:\WINDOWS\system32\svchost.exe[2728] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00F80FE5 .text C:\WINDOWS\system32\svchost.exe[2728] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00F80011 .text C:\WINDOWS\system32\svchost.exe[2728] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 
Bytes JMP 00F80F94 .text C:\WINDOWS\system32\svchost.exe[2728] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00F80000 .text C:\WINDOWS\system32\svchost.exe[2728] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00F80036 .text C:\WINDOWS\system32\svchost.exe[2728] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00F80FAF .text C:\WINDOWS\system32\svchost.exe[2728] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00F70F95 .text C:\WINDOWS\system32\svchost.exe[2728] msvcrt.dll!system 77C193C7 5 Bytes JMP 00F70016 .text C:\WINDOWS\system32\svchost.exe[2728] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00F70FC1 .text C:\WINDOWS\system32\svchost.exe[2728] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00F70FEF .text C:\WINDOWS\system32\svchost.exe[2728] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00F70FB0 .text C:\WINDOWS\system32\svchost.exe[2728] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00F70FD2 .text C:\WINDOWS\system32\svchost.exe[2728] WS2_32.dll!socket 71A54211 5 Bytes JMP 00F60FE5 .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DA0000 .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DA0F5F .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DA0F70 .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DA0F81 .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DA004A .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DA0039 .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DA0F29 .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DA0F3A .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DA008C .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DA0EF3 .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DA0ED8 
.text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DA0FA8 .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DA0FEF .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DA0065 .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DA0FCD .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DA0FDE .text C:\WINDOWS\Explorer.EXE[3428] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DA0F0E .text C:\WINDOWS\Explorer.EXE[3428] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00D9001B .text C:\WINDOWS\Explorer.EXE[3428] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00D90069 .text C:\WINDOWS\Explorer.EXE[3428] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00D90FD4 .text C:\WINDOWS\Explorer.EXE[3428] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00D9000A .text C:\WINDOWS\Explorer.EXE[3428] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00D90058 .text C:\WINDOWS\Explorer.EXE[3428] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00D90FEF .text C:\WINDOWS\Explorer.EXE[3428] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00D9003D .text C:\WINDOWS\Explorer.EXE[3428] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00D9002C .text C:\WINDOWS\Explorer.EXE[3428] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00D80FA1 .text C:\WINDOWS\Explorer.EXE[3428] msvcrt.dll!system 77C193C7 5 Bytes JMP 00D8002C .text C:\WINDOWS\Explorer.EXE[3428] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00D80011 .text C:\WINDOWS\Explorer.EXE[3428] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00D80000 .text C:\WINDOWS\Explorer.EXE[3428] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00D80FBC .text C:\WINDOWS\Explorer.EXE[3428] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00D80FD7 .text C:\WINDOWS\Explorer.EXE[3428] WININET.dll!InternetOpenA 3FD1D6A8 5 Bytes JMP 00D70000 .text C:\WINDOWS\Explorer.EXE[3428] WININET.dll!InternetOpenW 3FD1DB21 5 Bytes JMP 00D70FE5 .text 
C:\WINDOWS\Explorer.EXE[3428] WININET.dll!InternetOpenUrlA 3FD1F3BC 5 Bytes JMP 00D70FCA .text C:\WINDOWS\Explorer.EXE[3428] WININET.dll!InternetOpenUrlW 3FD66DFF 5 Bytes JMP 00D70FB9 .text C:\WINDOWS\Explorer.EXE[3428] WS2_32.dll!socket 71A54211 5 Bytes JMP 01ED0FEF .text C:\Program Files\Mozilla Firefox\firefox.exe[4700] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01210C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4700] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01447B4C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4700] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01447B29 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4700] kernel32.dll!ValidateLocale + B130 7C844958 7 Bytes JMP 01213FAC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4700] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 0218ED8F .text C:\Program Files\Mozilla Firefox\firefox.exe[4700] USER32.dll!DrawTextExW 7E37B415 5 Bytes JMP 0219031F .text C:\Program Files\Mozilla Firefox\firefox.exe[4700] USER32.dll!DrawTextW 7E37D7E2 5 Bytes JMP 0219015D .text C:\Program Files\Mozilla Firefox\firefox.exe[4700] USER32.dll!SetClipboardData 7E380F9E 5 Bytes JMP 0218FDD3 .text C:\Program Files\Mozilla Firefox\firefox.exe[4700] USER32.dll!DrawTextA 7E38C702 5 Bytes JMP 02190082 .text C:\Program Files\Mozilla Firefox\firefox.exe[4700] USER32.dll!DrawTextExA 7E38C739 5 Bytes JMP 02190238 .text C:\Program Files\Mozilla Firefox\firefox.exe[4700] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 0218FFB6 .text C:\Program Files\Mozilla Firefox\firefox.exe[4700] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 021904EA .text C:\Program Files\Mozilla Firefox\firefox.exe[4700] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01447AAA C:\Program 
Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4700] GDI32.dll!TextOutA 77F1BA4F 5 Bytes JMP 0218FEEA
.text C:\Program Files\Mozilla Firefox\firefox.exe[4700] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 02190406
.text C:\Program Files\Mozilla Firefox\firefox.exe[4700] GDI32.dll!GetGlyphIndicesA 77F3DFE3 5 Bytes JMP 021908AA
.text C:\Program Files\Mozilla Firefox\firefox.exe[4700] GDI32.dll!GetGlyphIndicesW 77F52604 5 Bytes JMP 02190977
.text C:\Program Files\Mozilla Firefox\firefox.exe[4700] WS2_32.dll!getaddrinfo 71A52A6F 5 Bytes JMP 0218E8FB
.text C:\Program Files\Mozilla Firefox\firefox.exe[4700] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 0218FD2C
.text C:\Program Files\Mozilla Firefox\firefox.exe[4700] WS2_32.dll!send 71A54C27 5 Bytes JMP 0218F8A1
.text C:\Program Files\Mozilla Firefox\firefox.exe[4700] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 0218FAC8
.text C:\Program Files\Mozilla Firefox\firefox.exe[4700] WS2_32.dll!gethostbyname 71A55355 5 Bytes JMP 0218E83A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4700] WS2_32.dll!recv 71A5676F 5 Bytes JMP 0218F946
.text C:\Program Files\Mozilla Firefox\firefox.exe[4700] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 0218F9F4
.text C:\Program Files\Mozilla Firefox\firefox.exe[4700] WS2_32.dll!WSAAsyncGetHostByName 71A5E99D 5 Bytes JMP 0218ECB0
.text C:\Program Files\Mozilla Firefox\firefox.exe[4700] WININET.dll!InternetCrackUrlW 3FCF40C0 5 Bytes JMP 02190D86
.text C:\Program Files\Mozilla Firefox\firefox.exe[4700] WININET.dll!InternetCrackUrlA 3FD14938 5 Bytes JMP 02190C3D

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\mfevtps.exe[1120] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00405941] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
Device \Driver\RTSTOR \Device\0000009c sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\RTSTOR \Device\0000009e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\aksusb \Device\0000009f AKSCLASS.SYS (Aladdin Class Driver/SafeNet Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
Device \Driver\Disk \Device\Harddisk1\DR3 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+4 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:132] 8A58939F
Thread System [4:136] 8A5430F4

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2A 0xEB 0xAA 0xD8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2A 0xEB 0xAA 0xD8 ...

---- EOF - GMER 1.0.15 ----