GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-10-13 03:34:23 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 ST9160310AS rev.0303 Running: rv99mkge.exe; Driver: C:\DOCUME~1\nowy\USTAWI~1\Temp\fwldqpow.sys ---- System - GMER 1.0.15 ---- SSDT \WINDOWS\system32\ntkrnlpa.exe (Jądro i system NT/Microsoft Corporation) ZwCreateKey [0x804D70CC] SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70CC] ZwCreateKey [0x804D70CC] SSDT \WINDOWS\system32\ntkrnlpa.exe (Jądro i system NT/Microsoft Corporation) ZwOpenKey [0x804D70D1] SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70D1] ZwOpenKey [0x804D70D1] INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D70D6 INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F75BA16D INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F75B9FC2 Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF7189242] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF7189090] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF71890A4] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF7189114] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7189140] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF71891AE] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF7189198] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF71891C4] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7189282] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF71891F0] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7189054] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7189068] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF7189256] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF718922C] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF7189182] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF718916C] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF718912A] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF7189218] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF7189204] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF71890CE] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF71890BA] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF7189156] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF71892B1] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF71891DA] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF7189298] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF718926C] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwYieldExecution 80504B1C 7 Bytes JMP F7189270 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtCreateFile 805790A2 5 Bytes JMP F7189246 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2042 7 Bytes JMP F7189286 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E50 5 Bytes JMP F718929C mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B8426 7 Bytes JMP F718925A mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenProcess 805CB456 5 Bytes JMP F7189058 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenThread 805CB6E2 5 Bytes JMP F718906C mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDEA0 5 Bytes JMP F71890BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D119A 7 Bytes JMP F71890A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcess 805D1250 5 Bytes JMP F7189094 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwTerminateProcess 805D22D8 5 Bytes JMP F71892B5 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetContextThread 805D2C1A 5 Bytes JMP F71890D2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryValueKey 806221FA 7 Bytes JMP F7189170 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetValueKey 80622548 7 Bytes JMP F718915A mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnloadKey 80622872 7 Bytes JMP F71891DE mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80623124 7 Bytes JMP F7189186 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRenameKey 806239F8 7 Bytes JMP F718912E mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwDeleteKey 80624472 7 Bytes JMP F7189118 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwDeleteValueKey 80624642 7 Bytes JMP F7189144 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwEnumerateKey 80624822 7 Bytes JMP F71891B2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80624A8C 7 Bytes JMP F718919C mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryKey 806256F6 7 Bytes JMP F7189230 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRestoreKey 806259B6 5 Bytes JMP F7189208 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwLoadKey2 80625E06 7 Bytes JMP F71891C8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwReplaceKey 806260AA 5 Bytes JMP F718921C mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806261C4 5 Bytes JMP F71891F4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF68CD000, 0x189F82, 0xE8000020] .text C:\WINDOWS\system32\drivers\aksfridge.sys section is writeable [0xA9961000, 0x49379, 0xE0000020] .init C:\WINDOWS\system32\drivers\aksfridge.sys entry point in ".init" section [0xA99B7224] .init C:\WINDOWS\system32\drivers\aksfridge.sys unknown last code section [0xA99B7000, 0x4000, 0xE20000E0] .text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA9778400, 0x6EB98, 0xE8000020] .protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA9802C20] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA9802C20] .protect˙˙˙˙hardlockunknown last code section [0xA9802A00, 0x50CA, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA9802A00, 0x50CA, 0xE0000020] ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 06210FEF .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 06210F35 .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0621002A .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 06210F46 .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 06210F61 .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 06210F8D .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 06210062 .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 06210045 .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 062100A2 .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 06210F09 .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 06210EEE .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 06210F7C .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 06210FD4 .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 06210F1A .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 06210FA8 .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 06210FC3 .text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0621007D .text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 06000025 .text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 06000FA5 .text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 0600000A .text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 06000FD4 .text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 0600006C .text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 06000FEF .text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 06000051 .text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 06000036 .text C:\WINDOWS\System32\svchost.exe[140] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 05FF0064 .text C:\WINDOWS\System32\svchost.exe[140] msvcrt.dll!system 77C193C7 5 Bytes JMP 05FF0049 .text C:\WINDOWS\System32\svchost.exe[140] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 05FF001D .text C:\WINDOWS\System32\svchost.exe[140] msvcrt.dll!_open 77C1F566 5 Bytes JMP 05FF0000 .text C:\WINDOWS\System32\svchost.exe[140] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 05FF002E .text C:\WINDOWS\System32\svchost.exe[140] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 05FF0FEF .text C:\WINDOWS\System32\svchost.exe[140] WS2_32.dll!socket 71A54211 5 Bytes JMP 05FE000A .text C:\WINDOWS\System32\svchost.exe[140] WININET.dll!InternetOpenA 3FD1D6A8 5 Bytes JMP 05FD0000 .text C:\WINDOWS\System32\svchost.exe[140] WININET.dll!InternetOpenW 3FD1DB21 5 Bytes JMP 05FD0011 .text C:\WINDOWS\System32\svchost.exe[140] WININET.dll!InternetOpenUrlA 3FD1F3BC 5 Bytes JMP 05FD0FDB .text C:\WINDOWS\System32\svchost.exe[140] WININET.dll!InternetOpenUrlW 3FD66DFF 5 Bytes JMP 05FD002C .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006A0FEF .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006A005B .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006A0F66 .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006A0040 .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006A002F .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006A0F8D .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006A009D .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006A0F4B .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006A0F29 .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006A0F3A .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006A00D3 .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006A0014 .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006A0FD4 .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006A006C .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006A0F9E .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006A0FB9 .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006A00B8 .text C:\WINDOWS\system32\svchost.exe[224] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 0069002C .text C:\WINDOWS\system32\svchost.exe[224] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00690F8D .text C:\WINDOWS\system32\svchost.exe[224] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 0069001B .text C:\WINDOWS\system32\svchost.exe[224] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00690000 .text C:\WINDOWS\system32\svchost.exe[224] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00690F9E .text C:\WINDOWS\system32\svchost.exe[224] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00690FEF .text C:\WINDOWS\system32\svchost.exe[224] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00690FAF .text C:\WINDOWS\system32\svchost.exe[224] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [8A, 88] .text C:\WINDOWS\system32\svchost.exe[224] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00690FC0 .text C:\WINDOWS\system32\svchost.exe[224] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00680058 .text C:\WINDOWS\system32\svchost.exe[224] msvcrt.dll!system 77C193C7 5 Bytes JMP 00680FCD .text C:\WINDOWS\system32\svchost.exe[224] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00680FDE .text C:\WINDOWS\system32\svchost.exe[224] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00680FEF .text C:\WINDOWS\system32\svchost.exe[224] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00680033 .text C:\WINDOWS\system32\svchost.exe[224] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00680018 .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01B10FE5 .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01B10F4B .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01B10040 .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01B10F5C .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01B10025 .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01B1000A .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01B10080 .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01B10F2E .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01B10F02 .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01B10F1D .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01B100C0 .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01B10F83 .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01B10FD4 .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01B10065 .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01B10F94 .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01B10FAF .text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01B1009B .text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 01B00FC3 .text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 01B00065 .text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 01B00014 .text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 01B00FDE .text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 01B00F9E .text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 01B00FEF .text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 01B0004A .text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 01B0002F .text C:\WINDOWS\Explorer.EXE[608] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 01AF0049 .text C:\WINDOWS\Explorer.EXE[608] msvcrt.dll!system 77C193C7 5 Bytes JMP 01AF0038 .text C:\WINDOWS\Explorer.EXE[608] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 01AF0FD2 .text C:\WINDOWS\Explorer.EXE[608] msvcrt.dll!_open 77C1F566 5 Bytes JMP 01AF0FEF .text C:\WINDOWS\Explorer.EXE[608] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 01AF0027 .text C:\WINDOWS\Explorer.EXE[608] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 01AF0000 .text C:\WINDOWS\Explorer.EXE[608] WININET.dll!InternetOpenA 3FD1D6A8 5 Bytes JMP 00D10FEF .text C:\WINDOWS\Explorer.EXE[608] WININET.dll!InternetOpenW 3FD1DB21 5 Bytes JMP 00D10014 .text C:\WINDOWS\Explorer.EXE[608] WININET.dll!InternetOpenUrlA 3FD1F3BC 5 Bytes JMP 00D10FDE .text C:\WINDOWS\Explorer.EXE[608] WININET.dll!InternetOpenUrlW 3FD66DFF 5 Bytes JMP 00D10FCD .text C:\WINDOWS\Explorer.EXE[608] WS2_32.dll!socket 71A54211 5 Bytes JMP 019B0FEF .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D1000A .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10093 .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10078 .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10067 .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D10FA8 .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10FB9 .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D100D0 .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D100BF .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D100EB .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D10F52 .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D100FC .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D10040 .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D10FEF .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D100A4 .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D10FD4 .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D10025 .text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D10F63 .text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00D0001B .text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00D00F68 .text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00D0000A .text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00D00FD4 .text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00D00F83 .text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00D00FE5 .text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00D00F94 .text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [F1, 88] .text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00D00FAF .text C:\WINDOWS\system32\svchost.exe[808] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00CF0FAD .text C:\WINDOWS\system32\svchost.exe[808] msvcrt.dll!system 77C193C7 5 Bytes JMP 00CF0042 .text C:\WINDOWS\system32\svchost.exe[808] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00CF0016 .text C:\WINDOWS\system32\svchost.exe[808] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00CF0FEF .text C:\WINDOWS\system32\svchost.exe[808] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00CF0027 .text C:\WINDOWS\system32\svchost.exe[808] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00CF0FDE .text C:\WINDOWS\system32\svchost.exe[808] WS2_32.dll!socket 71A54211 5 Bytes JMP 00CE0FEF .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000 .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070089 .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070078 .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F9E .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FB9 .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070051 .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F4B .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F5C .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F15 .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F26 .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700C9 .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FCA .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070011 .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F79 .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FDB .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0007002C .text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000700AE .text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00060FAF .text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00060F61 .text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00060FCA .text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00060000 .text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00060F7C .text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00060FE5 .text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00060F8D .text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [27, 88] .text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00060F9E .text C:\WINDOWS\system32\services.exe[1576] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00050053 .text C:\WINDOWS\system32\services.exe[1576] msvcrt.dll!system 77C193C7 5 Bytes JMP 00050038 .text C:\WINDOWS\system32\services.exe[1576] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 0005000C .text C:\WINDOWS\system32\services.exe[1576] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00050FEF .text C:\WINDOWS\system32\services.exe[1576] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00050027 .text C:\WINDOWS\system32\services.exe[1576] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00050FD2 .text C:\WINDOWS\system32\services.exe[1576] WS2_32.dll!socket 71A54211 5 Bytes JMP 00040000 .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B4000A .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B40093 .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B40F9E .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B40FAF .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B40FC0 .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B40051 .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B400BF .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B400AE .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B400DA .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B40F4B .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B400F5 .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B40062 .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B40FEF .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B40F83 .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B40040 .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B4002F .text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B40F5C .text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00B3002C .text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00B30F9B .text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00B30011 .text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00B30000 .text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00B30FAC .text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00B30FEF .text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00B3004E .text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00B3003D .text C:\WINDOWS\system32\lsass.exe[1588] msvcrt.dll!_wsystem 77C1931E 1 Byte [E9] .text C:\WINDOWS\system32\lsass.exe[1588] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00B20022 .text C:\WINDOWS\system32\lsass.exe[1588] msvcrt.dll!system 77C193C7 5 Bytes JMP 00B20F97 .text C:\WINDOWS\system32\lsass.exe[1588] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00B20FC6 .text C:\WINDOWS\system32\lsass.exe[1588] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00B20FEF .text C:\WINDOWS\system32\lsass.exe[1588] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00B20011 .text C:\WINDOWS\system32\lsass.exe[1588] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00B20000 .text C:\WINDOWS\system32\lsass.exe[1588] WS2_32.dll!socket 71A54211 5 Bytes JMP 00B10000 .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0FE5 .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC006C .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0051 .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC0F77 .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC0040 .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC0025 .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC0089 .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC0F41 .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC0F0B .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC0F1C .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FC0EF0 .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FC0F9E .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FC0FCA .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FC0F52 .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FC0FAF .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FC0000 .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FC00A4 .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00FB0022 .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00FB0F91 .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00FB0FD1 .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00FB0011 .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00FB004E .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00FB0000 .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00FB0033 .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00FB0FAC .text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00FA0FA8 .text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!system 77C193C7 5 Bytes JMP 00FA0FC3 .text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00FA0FD4 .text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00FA0FEF .text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00FA0029 .text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00FA0018 .text C:\WINDOWS\system32\svchost.exe[1792] WS2_32.dll!socket 71A54211 5 Bytes JMP 00F90000 .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B50000 .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B50F8D .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B50F9E .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B5006C .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B50FAF .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B50FC0 .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B50F61 .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B50F72 .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B50F24 .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B50F35 .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B50F09 .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B50051 .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B50011 .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B5009D .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B50FD1 .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B50022 .text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B50F46 .text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00B4001B .text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00B4007D .text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00B40FCA .text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00B40FE5 .text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00B4006C .text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00B40000 .text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00B40051 .text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00B40036 .text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00B30031 .text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!system 77C193C7 5 Bytes JMP 00B30F9C .text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00B30FC1 .text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00B30FEF .text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00B30016 .text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00B30FDE .text C:\WINDOWS\system32\svchost.exe[1864] WS2_32.dll!socket 71A54211 5 Bytes JMP 00B20FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EE000A .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EE00A2 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EE0FB7 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EE0091 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EE0080 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EE0051 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EE00DA .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EE00BD .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EE0106 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EE00F5 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EE0F5C .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EE0FD4 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EE0FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EE0F92 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EE0040 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EE001B .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EE0F77 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00ED0FDB .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00ED0073 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00ED002C .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00ED001B .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00ED0FC0 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00ED000A .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00ED0062 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00ED0051 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00EC0F82 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] msvcrt.dll!system 77C193C7 5 Bytes JMP 00EC0F93 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00EC0FB5 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00EC0FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00EC0FA4 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00EC0FD2 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1936] WS2_32.dll!socket 71A54211 5 Bytes JMP 00EB0000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF0000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF0F76 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF0075 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF0F9B .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0FAC .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF003D .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF0F4A .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF0086 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF0F2F .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF00BE .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CF0F1E .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CF004E .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CF0FE5 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CF0F5B .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CF002C .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CF001B .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CF00AD .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00CE0036 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00CE0FC0 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00CE0025 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00CE0FEF .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00CE007D .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00CE0000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00CE006C .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00CE005B .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00CD0042 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] msvcrt.dll!system 77C193C7 5 Bytes JMP 00CD0FB7 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00CD0FD2 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00CD0FEF .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00CD0027 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00CD000C .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2228] WS2_32.dll!socket 71A54211 5 Bytes JMP 00CC000A .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 5CD40FEF .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 5CD40058 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 5CD40047 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!LoadLibraryExW 7C801AF5 4 Bytes JMP 5CD40F6D .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 5CD40F94 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 5CD40036 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 5CD40073 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 5CD40F2B .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 5CD40098 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 5CD40EFF .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 5CD400B3 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 5CD40FAF .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 5CD4000A .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 5CD40F48 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 5CD40FC0 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 5CD4001B .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 5CD40F10 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 5CD20038 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] msvcrt.dll!system 77C193C7 5 Bytes JMP 5CD20FAD .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 5CD2001D .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] msvcrt.dll!_open 77C1F566 5 Bytes JMP 5CD20FEF .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 5CD20FC8 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 5CD2000C .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 5CD30011 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 5CD30F6F .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 5CD30000 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 5CD30FCA .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 5CD30F8A .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 5CD30FEF .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 5CD30F9B .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [F4, E4] .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 5CD30022 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2464] WS2_32.dll!socket 71A54211 5 Bytes JMP 5CD10000 .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE000A .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0F70 .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0F81 .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0F9E .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0FAF .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0047 .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE00A7 .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE008A .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE0F04 .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE0F29 .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE0EE9 .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0FC0 .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0025 .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE0F5F .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0FDB .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0036 .text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE0F44 .text C:\WINDOWS\system32\svchost.exe[3144] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00FD001B .text C:\WINDOWS\system32\svchost.exe[3144] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00FD0F68 .text C:\WINDOWS\system32\svchost.exe[3144] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00FD000A .text C:\WINDOWS\system32\svchost.exe[3144] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00FD0FCA .text C:\WINDOWS\system32\svchost.exe[3144] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00FD0F83 .text C:\WINDOWS\system32\svchost.exe[3144] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00FD0FEF .text C:\WINDOWS\system32\svchost.exe[3144] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00FD0F94 .text C:\WINDOWS\system32\svchost.exe[3144] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [1E, 89] .text C:\WINDOWS\system32\svchost.exe[3144] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00FD0FA5 .text C:\WINDOWS\system32\svchost.exe[3144] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00FC0FA8 .text C:\WINDOWS\system32\svchost.exe[3144] msvcrt.dll!system 77C193C7 5 Bytes JMP 00FC003D .text C:\WINDOWS\system32\svchost.exe[3144] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00FC0011 .text C:\WINDOWS\system32\svchost.exe[3144] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00FC0000 .text C:\WINDOWS\system32\svchost.exe[3144] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00FC0022 .text C:\WINDOWS\system32\svchost.exe[3144] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00FC0FD7 .text C:\WINDOWS\system32\svchost.exe[3144] WS2_32.dll!socket 71A54211 5 Bytes JMP 00FB0000 .text C:\Program Files\Mozilla Firefox\firefox.exe[3512] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01210C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3512] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01447B4C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3512] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01447B29 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3512] kernel32.dll!ValidateLocale + B130 7C844958 7 Bytes JMP 01213FAC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3512] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01447AAA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\system32\mfevtps.exe[2392] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00405941] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.) ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.) Device \Driver\RTSTOR \Device\0000009c sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) Device \Driver\RTSTOR \Device\0000009e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.) AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) Device \Driver\Disk \Device\Harddisk1\DR3 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.) Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+4 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.) AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2A 0xEB 0xAA 0xD8 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2A 0xEB 0xAA 0xD8 ... ---- EOF - GMER 1.0.15 ----