GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-11-08 20:22:07 Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.LV01 Running: 39vjfdbv.exe; Driver: C:\Users\Ewelina\AppData\Local\Temp\agliyfod.sys ---- System - GMER 1.0.15 ---- Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8D6659BE] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8D665958] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8D66596C] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8D6659FC] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8D665A3F] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8D665930] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8D665944] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8D6659D2] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8D665A67] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8D665A53] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8D6659AA] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8D665996] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8D665A2B] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8D665A12] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8D6659E8] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8D665982] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwYieldExecution 8246F1A0 5 Bytes JMP 8D6659EC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwNotifyChangeKey 826091CD 5 Bytes JMP 8D665A43 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateUserProcess 82610E26 5 Bytes JMP 8D665986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwTerminateProcess 8262B2F0 5 Bytes JMP 8D665A2F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenThread 8264A57A 5 Bytes JMP 8D665948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenProcess 82659EF2 5 Bytes JMP 8D665934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtMapViewOfSection 8266CAFE 7 Bytes JMP 8D665A00 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8266D155 5 Bytes JMP 8D665A16 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtCreateFile 8266F366 5 Bytes JMP 8D6659C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtSetInformationProcess 8267CA24 5 Bytes JMP 8D66599A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 8267EC7E 7 Bytes JMP 8D6659D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRestoreKey 8269D982 5 Bytes JMP 8D665A57 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwReplaceKey 8269E9CE 5 Bytes JMP 8D665A6B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcess 826DC72B 5 Bytes JMP 8D66595C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcessEx 826DC776 7 Bytes JMP 8D665970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetContextThread 826DD233 5 Bytes JMP 8D6659AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8815A000, 0x4036D, 0xE8000020] .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x881A3000, 0x510, 0x40000040] ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\system32\services.exe[684] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 00C70F29 .text C:\Windows\system32\services.exe[684] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 00C7006F .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 00C70F04 .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 00C7009B .text C:\Windows\system32\services.exe[684] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 00C7004A .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 00C70FAF .text C:\Windows\system32\services.exe[684] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 00C70F66 .text C:\Windows\system32\services.exe[684] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 00C70F9E .text C:\Windows\system32\services.exe[684] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 00C70F55 .text C:\Windows\system32\services.exe[684] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 00C70F83 .text C:\Windows\system32\services.exe[684] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 00C70025 .text C:\Windows\system32\services.exe[684] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 00C70F44 .text C:\Windows\system32\services.exe[684] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 00C700B6 .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 00C70FDB .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 00C70000 .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 00C70FCA .text C:\Windows\system32\services.exe[684] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 00C7008A .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 00880F9B .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 0088003D .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 00880000 .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 00880FAC .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 00880F80 .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 00880FDB .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 00880011 .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 0088002C .text C:\Windows\system32\services.exe[684] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 00890F86 .text C:\Windows\system32\services.exe[684] msvcrt.dll!system 76CF8B63 5 Bytes JMP 00890011 .text C:\Windows\system32\services.exe[684] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 00890FAB .text C:\Windows\system32\services.exe[684] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 00890FE3 .text C:\Windows\system32\services.exe[684] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 00890000 .text C:\Windows\system32\services.exe[684] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 00890FC6 .text C:\Windows\system32\services.exe[684] WS2_32.dll!socket 764136D1 5 Bytes JMP 0070000A .text C:\Windows\system32\lsass.exe[696] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 00DB0F55 .text C:\Windows\system32\lsass.exe[696] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 00DB009B .text C:\Windows\system32\lsass.exe[696] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 00DB0F29 .text C:\Windows\system32\lsass.exe[696] kernel32.dll!CreateProcessA 76D51C36 1 Byte [E9] .text C:\Windows\system32\lsass.exe[696] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 00DB0F3A .text C:\Windows\system32\lsass.exe[696] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 00DB0080 .text C:\Windows\system32\lsass.exe[696] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 00DB0FB9 .text C:\Windows\system32\lsass.exe[696] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 00DB0FA8 .text C:\Windows\system32\lsass.exe[696] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 00DB0040 .text C:\Windows\system32\lsass.exe[696] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 00DB0F8B .text C:\Windows\system32\lsass.exe[696] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 00DB0065 .text C:\Windows\system32\lsass.exe[696] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 00DB0025 .text C:\Windows\system32\lsass.exe[696] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 00DB0F7A .text C:\Windows\system32\lsass.exe[696] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 00DB0F0E .text C:\Windows\system32\lsass.exe[696] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 00DB000A .text C:\Windows\system32\lsass.exe[696] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 00DB0FEF .text C:\Windows\system32\lsass.exe[696] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 00DB0FD4 .text C:\Windows\system32\lsass.exe[696] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 00DB00B6 .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 00090F83 .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 0009000A .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 00090FEF .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 00090025 .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 00090F68 .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 00090FB9 .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 00090FD4 .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 00090F9E .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 000A0F9A .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!system 76CF8B63 5 Bytes JMP 000A0FAB .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 000A0000 .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 000A0FEF .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 000A001B .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 000A0FD2 .text C:\Windows\system32\lsass.exe[696] WS2_32.dll!socket 764136D1 5 Bytes JMP 00080FEF .text C:\Windows\system32\svchost.exe[888] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 006C0F3F .text C:\Windows\system32\svchost.exe[888] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 006C0085 .text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 006C0F13 .text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 006C0F2E .text C:\Windows\system32\svchost.exe[888] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 006C004F .text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 006C0FA8 .text C:\Windows\system32\svchost.exe[888] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 006C0032 .text C:\Windows\system32\svchost.exe[888] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 006C0F86 .text C:\Windows\system32\svchost.exe[888] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 006C0F5A .text C:\Windows\system32\svchost.exe[888] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 006C0F75 .text C:\Windows\system32\svchost.exe[888] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 006C0F97 .text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 006C0074 .text C:\Windows\system32\svchost.exe[888] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 006C00C5 .text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 006C0FDE .text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 006C0FEF .text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 006C0FB9 .text C:\Windows\system32\svchost.exe[888] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 006C00AA .text C:\Windows\system32\svchost.exe[888] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 006B0F7F .text C:\Windows\system32\svchost.exe[888] msvcrt.dll!system 76CF8B63 5 Bytes JMP 006B000A .text C:\Windows\system32\svchost.exe[888] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 006B0FAB .text C:\Windows\system32\svchost.exe[888] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 006B0FE3 .text C:\Windows\system32\svchost.exe[888] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 006B0F9A .text C:\Windows\system32\svchost.exe[888] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 006B0FD2 .text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 006A0F7C .text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 006A0F9E .text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 006A0000 .text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 006A0F8D .text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 006A0F57 .text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 006A0FCA .text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 006A0FE5 .text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 006A0FB9 .text C:\Windows\system32\svchost.exe[888] WS2_32.dll!socket 764136D1 5 Bytes JMP 00690000 .text C:\Windows\system32\svchost.exe[980] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 00710F57 .text C:\Windows\system32\svchost.exe[980] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 007100A7 .text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 00710F10 .text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 00710F21 .text C:\Windows\system32\svchost.exe[980] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 00710F8D .text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 00710025 .text C:\Windows\system32\svchost.exe[980] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 00710F9E .text C:\Windows\system32\svchost.exe[980] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 00710FAF .text C:\Windows\system32\svchost.exe[980] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 00710F7C .text C:\Windows\system32\svchost.exe[980] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 00710051 .text C:\Windows\system32\svchost.exe[980] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 00710036 .text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 00710096 .text C:\Windows\system32\svchost.exe[980] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 007100C2 .text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 00710FE5 .text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 00710000 .text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 00710FCA .text C:\Windows\system32\svchost.exe[980] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 00710F3C .text C:\Windows\system32\svchost.exe[980] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 0070006E .text C:\Windows\system32\svchost.exe[980] msvcrt.dll!system 76CF8B63 5 Bytes JMP 00700053 .text C:\Windows\system32\svchost.exe[980] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 0070002E .text C:\Windows\system32\svchost.exe[980] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 0070000C .text C:\Windows\system32\svchost.exe[980] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 00700FE3 .text C:\Windows\system32\svchost.exe[980] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 0070001D .text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 006F0F8A .text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 006F0FA5 .text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 006F0000 .text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 006F002C .text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 006F0047 .text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 006F001B .text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 006F0FE5 .text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 006F0FC0 .text C:\Windows\system32\svchost.exe[980] WS2_32.dll!socket 764136D1 5 Bytes JMP 006E0000 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 006700DF .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 00670FA3 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 00670130 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 0067011F .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 0067009F .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 00670FDB .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 0067008E .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 00670062 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 00670FB4 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 00670073 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 00670047 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 006700C4 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 00670155 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 00670011 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 00670000 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 0067002C .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 006700FA .text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 00620078 .text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!system 76CF8B63 5 Bytes JMP 00620053 .text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 0062001D .text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 00620FEF .text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 00620038 .text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 0062000C .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 005D0F97 .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 1 Byte [E9] .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 005D0FB2 .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 005D000A .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 005D0043 .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 005D0054 .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 005D0FDE .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 005D0FEF .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 005D0FCD .text C:\Windows\System32\svchost.exe[1128] WS2_32.dll!socket 764136D1 5 Bytes JMP 004F0000 .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 01A60079 .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 01A6005E .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 01A60EEC .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 01A60EFD .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 01A60039 .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 01A60014 .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 01A60F5F .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 01A60F8D .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 01A60F44 .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 01A60F7C .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 01A60F9E .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 01A60F33 .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 01A60EDB .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 01A60FDE .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 01A60FEF .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 01A60FCD .text C:\Windows\System32\svchost.exe[1160] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 01A60F0E .text C:\Windows\System32\svchost.exe[1160] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 01A50036 .text C:\Windows\System32\svchost.exe[1160] msvcrt.dll!system 76CF8B63 5 Bytes JMP 01A50FAB .text C:\Windows\System32\svchost.exe[1160] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 01A50FC6 .text C:\Windows\System32\svchost.exe[1160] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 01A50000 .text C:\Windows\System32\svchost.exe[1160] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 01A5001B .text C:\Windows\System32\svchost.exe[1160] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 01A50FD7 .text C:\Windows\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 01A3006C .text C:\Windows\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 01A30051 .text C:\Windows\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 01A30FEF .text C:\Windows\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 01A30FCA .text C:\Windows\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 01A30FAF .text C:\Windows\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 01A3001B .text C:\Windows\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 01A3000A .text C:\Windows\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 01A3002C .text C:\Windows\System32\svchost.exe[1160] WS2_32.dll!socket 764136D1 5 Bytes JMP 01A2000A .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 01030087 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 01030076 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 01030F15 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 01030F26 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 01030040 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 01030FAF .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 01030F66 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 01030F94 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 01030F4B .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 01030F83 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 0103001B .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 0103005B .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 010300D1 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 01030FD4 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 01030FE5 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 0103000A .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 01030098 .text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 01020051 .text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!system 76CF8B63 5 Bytes JMP 01020040 .text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 01020011 .text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 01020000 .text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 01020FC6 .text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 01020FE3 .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 01010051 .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 01010040 .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 01010FEF .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 01010FAF .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 01010F8A .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 0101001B .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 0101000A .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 01010FD4 .text C:\Windows\system32\svchost.exe[1184] WS2_32.dll!socket 764136D1 5 Bytes JMP 01000000 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 006E0F53 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 006E0F64 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 006E00BB .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 006E0F2E .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 006E007E .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 006E0FCD .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 006E0F9A .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 006E0FAB .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 006E0F7F .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExA 76D79649 1 Byte [E9] .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 006E004D .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 006E0FBC .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 006E0099 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 006E00E0 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 006E0FEF .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 006E0000 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 006E0FDE .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 006E00AA .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 006D0044 .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!system 76CF8B63 5 Bytes JMP 006D0FC3 .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 006D0FD4 .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 006D0FEF .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 006D0029 .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 006D0018 .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 006B0F9E .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 006B0FCA .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 006B000A .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 006B0FB9 .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 006B0F8D .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 006B0036 .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 006B001B .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 006B0FE5 .text C:\Windows\system32\svchost.exe[1372] WS2_32.dll!socket 764136D1 5 Bytes JMP 00690FEF .text C:\Windows\system32\svchost.exe[1372] WinInet.dll!InternetOpenA 765F0A4D 5 Bytes JMP 006A0FEF .text C:\Windows\system32\svchost.exe[1372] WinInet.dll!InternetOpenUrlA 765F2713 5 Bytes JMP 006A0FCD .text C:\Windows\system32\svchost.exe[1372] WinInet.dll!InternetOpenW 765F30C8 5 Bytes JMP 006A0FDE .text C:\Windows\system32\svchost.exe[1372] WinInet.dll!InternetOpenUrlW 76648515 5 Bytes JMP 006A0FB2 .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 00530F71 .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 005300C1 .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 00530F4F .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 005300DC .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 0053008E .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 00530FC0 .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 0053007D .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 00530051 .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 0053009F .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 00530062 .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 0053002C .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 005300B0 .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 00530F3E .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 00530011 .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 00530000 .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 00530FD1 .text C:\Windows\system32\svchost.exe[1516] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 00530F60 .text C:\Windows\system32\svchost.exe[1516] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 00520055 .text C:\Windows\system32\svchost.exe[1516] msvcrt.dll!system 76CF8B63 5 Bytes JMP 00520FCA .text C:\Windows\system32\svchost.exe[1516] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 00520FEF .text C:\Windows\system32\svchost.exe[1516] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 0052000C .text C:\Windows\system32\svchost.exe[1516] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 00520044 .text C:\Windows\system32\svchost.exe[1516] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 0052001D .text C:\Windows\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 002B0FA8 .text C:\Windows\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 002B0040 .text C:\Windows\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 002B0000 .text C:\Windows\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 002B0FB9 .text C:\Windows\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 002B0F83 .text C:\Windows\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 002B0025 .text C:\Windows\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 002B0FEF .text C:\Windows\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 002B0FD4 .text C:\Windows\system32\svchost.exe[1516] WS2_32.dll!socket 764136D1 5 Bytes JMP 002A000A .text C:\Windows\Explorer.EXE[1804] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 02560089 .text C:\Windows\Explorer.EXE[1804] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 02560078 .text C:\Windows\Explorer.EXE[1804] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 025600B5 .text C:\Windows\Explorer.EXE[1804] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 025600A4 .text C:\Windows\Explorer.EXE[1804] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 02560F72 .text C:\Windows\Explorer.EXE[1804] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 02560FAF .text C:\Windows\Explorer.EXE[1804] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 02560F83 .text C:\Windows\Explorer.EXE[1804] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 02560F94 .text C:\Windows\Explorer.EXE[1804] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 0256005D .text C:\Windows\Explorer.EXE[1804] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 02560036 .text C:\Windows\Explorer.EXE[1804] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 0256001B .text C:\Windows\Explorer.EXE[1804] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 02560F4D .text C:\Windows\Explorer.EXE[1804] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 025600D0 .text C:\Windows\Explorer.EXE[1804] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 02560FCA .text C:\Windows\Explorer.EXE[1804] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 02560FE5 .text C:\Windows\Explorer.EXE[1804] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 02560000 .text C:\Windows\Explorer.EXE[1804] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 02560F28 .text C:\Windows\Explorer.EXE[1804] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 02500022 .text C:\Windows\Explorer.EXE[1804] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 02500F9B .text C:\Windows\Explorer.EXE[1804] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 02500000 .text C:\Windows\Explorer.EXE[1804] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 02500F80 .text C:\Windows\Explorer.EXE[1804] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 02500F65 .text C:\Windows\Explorer.EXE[1804] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 02500011 .text C:\Windows\Explorer.EXE[1804] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 02500FDB .text C:\Windows\Explorer.EXE[1804] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 02500FB6 .text C:\Windows\Explorer.EXE[1804] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 02510F90 .text C:\Windows\Explorer.EXE[1804] msvcrt.dll!system 76CF8B63 5 Bytes JMP 02510FAB .text C:\Windows\Explorer.EXE[1804] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 02510FD7 .text C:\Windows\Explorer.EXE[1804] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 02510000 .text C:\Windows\Explorer.EXE[1804] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 02510FBC .text C:\Windows\Explorer.EXE[1804] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 02510011 .text C:\Windows\Explorer.EXE[1804] WS2_32.dll!socket 764136D1 5 Bytes JMP 024E0000 .text C:\Windows\Explorer.EXE[1804] WININET.dll!InternetOpenA 765F0A4D 5 Bytes JMP 024F000A .text C:\Windows\Explorer.EXE[1804] WININET.dll!InternetOpenUrlA 765F2713 5 Bytes JMP 024F0FE5 .text C:\Windows\Explorer.EXE[1804] WININET.dll!InternetOpenW 765F30C8 5 Bytes JMP 024F001B .text C:\Windows\Explorer.EXE[1804] WININET.dll!InternetOpenUrlW 76648515 5 Bytes JMP 024F0040 .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 008A00B8 .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 008A0F7C .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 008A0F57 .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 008A00E4 .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 008A0FA8 .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 008A0040 .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 008A0FB9 .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 008A0FCA .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 008A0F97 .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 008A0076 .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 008A0051 .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 008A00A7 .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 008A0F32 .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 008A0011 .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 008A0000 .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 008A0FE5 .text C:\Windows\system32\svchost.exe[1892] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 008A00C9 .text C:\Windows\system32\svchost.exe[1892] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 0085003A .text C:\Windows\system32\svchost.exe[1892] msvcrt.dll!system 76CF8B63 5 Bytes JMP 00850FB9 .text C:\Windows\system32\svchost.exe[1892] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 00850FEF .text C:\Windows\system32\svchost.exe[1892] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 00850000 .text C:\Windows\system32\svchost.exe[1892] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 00850FD4 .text C:\Windows\system32\svchost.exe[1892] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 0085001D .text C:\Windows\system32\svchost.exe[1892] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 00840F86 .text C:\Windows\system32\svchost.exe[1892] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 00840FA8 .text C:\Windows\system32\svchost.exe[1892] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 00840FEF .text C:\Windows\system32\svchost.exe[1892] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 00840F97 .text C:\Windows\system32\svchost.exe[1892] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 00840039 .text C:\Windows\system32\svchost.exe[1892] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 00840FD4 .text C:\Windows\system32\svchost.exe[1892] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 0084000A .text C:\Windows\system32\svchost.exe[1892] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 00840FC3 .text C:\Windows\system32\svchost.exe[1892] WS2_32.dll!socket 764136D1 5 Bytes JMP 00230000 .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2320] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2320] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 006B009D .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 006B0082 .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 006B00C9 .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 006B00B8 .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 006B0F7C .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 006B0FB9 .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 006B0F8D .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 006B002F .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 006B0F6B .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 006B004A .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 006B0FA8 .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 006B0071 .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 006B0F17 .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 006B0FCA .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 006B0FEF .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 006B000A .text C:\Windows\System32\svchost.exe[2720] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 006B0F3C .text C:\Windows\System32\svchost.exe[2720] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 006A0FC5 .text C:\Windows\System32\svchost.exe[2720] msvcrt.dll!system 76CF8B63 5 Bytes JMP 006A005A .text C:\Windows\System32\svchost.exe[2720] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 006A002E .text C:\Windows\System32\svchost.exe[2720] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 006A000C .text C:\Windows\System32\svchost.exe[2720] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 006A003F .text C:\Windows\System32\svchost.exe[2720] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 006A001D .text C:\Windows\System32\svchost.exe[2720] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 00200FB9 .text C:\Windows\System32\svchost.exe[2720] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 00200036 .text C:\Windows\System32\svchost.exe[2720] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 00200FEF .text C:\Windows\System32\svchost.exe[2720] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 00200051 .text C:\Windows\System32\svchost.exe[2720] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 00200076 .text C:\Windows\System32\svchost.exe[2720] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 0020001B .text C:\Windows\System32\svchost.exe[2720] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 00200000 .text C:\Windows\System32\svchost.exe[2720] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 00200FCA .text C:\Windows\System32\svchost.exe[2720] WS2_32.dll!socket 764136D1 5 Bytes JMP 00130FEF .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 0015009A .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 00150089 .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 001500C6 .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 00150F2F .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 00150F72 .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 0015002C .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 00150F83 .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 00150FA5 .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 00150067 .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 00150F94 .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 00150FB6 .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!CreatePipe 76D80474 1 Byte [E9] .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 00150078 .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 001500EB .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 0015000A .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 00150FEF .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 0015001B .text C:\Windows\System32\svchost.exe[2928] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 001500AB .text C:\Windows\System32\svchost.exe[2928] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 0014004E .text C:\Windows\System32\svchost.exe[2928] msvcrt.dll!system 76CF8B63 5 Bytes JMP 00140033 .text C:\Windows\System32\svchost.exe[2928] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 00140FCD .text C:\Windows\System32\svchost.exe[2928] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 00140000 .text C:\Windows\System32\svchost.exe[2928] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 00140022 .text C:\Windows\System32\svchost.exe[2928] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 00140011 .text C:\Windows\System32\svchost.exe[2928] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 00130040 .text C:\Windows\System32\svchost.exe[2928] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 00130FA8 .text C:\Windows\System32\svchost.exe[2928] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 00130FEF .text C:\Windows\System32\svchost.exe[2928] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 00130025 .text C:\Windows\System32\svchost.exe[2928] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 00130051 .text C:\Windows\System32\svchost.exe[2928] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 0013000A .text C:\Windows\System32\svchost.exe[2928] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 00130FD4 .text C:\Windows\System32\svchost.exe[2928] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 00130FB9 .text C:\Windows\System32\svchost.exe[2928] WS2_32.dll!socket 764136D1 5 Bytes JMP 00120FEF .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 005E00AF .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 005E0F5F .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 005E00F6 .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 005E00DB .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 005E0F92 .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 005E0FDB .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 005E006C .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 005E0FC0 .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 005E0F81 .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 005E0FAF .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 005E0047 .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 005E0F70 .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 005E0107 .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 005E001B .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 005E000A .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 005E002C .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 005E00CA .text C:\Windows\system32\svchost.exe[2944] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 005D0036 .text C:\Windows\system32\svchost.exe[2944] msvcrt.dll!system 76CF8B63 5 Bytes JMP 005D0FA1 .text C:\Windows\system32\svchost.exe[2944] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 005D0000 .text C:\Windows\system32\svchost.exe[2944] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 005D0FE3 .text C:\Windows\system32\svchost.exe[2944] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 005D0011 .text C:\Windows\system32\svchost.exe[2944] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 005D0FC6 .text C:\Windows\system32\svchost.exe[2944] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 001A0F94 .text C:\Windows\system32\svchost.exe[2944] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 001A0FA5 .text C:\Windows\system32\svchost.exe[2944] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 001A0FEF .text C:\Windows\system32\svchost.exe[2944] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 001A002C .text C:\Windows\system32\svchost.exe[2944] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 001A0F83 .text C:\Windows\system32\svchost.exe[2944] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 001A0FCA .text C:\Windows\system32\svchost.exe[2944] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 001A0000 .text C:\Windows\system32\svchost.exe[2944] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 001A001B .text C:\Windows\system32\svchost.exe[2944] WS2_32.dll!socket 764136D1 5 Bytes JMP 00170000 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 009700D3 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 00970F8D .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 00970F72 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 009700FF .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 00970082 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 00970025 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 00970FA8 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 00970FB9 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 00970093 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 00970065 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 00970036 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 009700AE .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 00970124 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 00970FD4 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 00970FEF .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 00970014 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 009700E4 .text C:\Windows\system32\svchost.exe[3068] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 00790FA8 .text C:\Windows\system32\svchost.exe[3068] msvcrt.dll!system 76CF8B63 5 Bytes JMP 00790FC3 .text C:\Windows\system32\svchost.exe[3068] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 00790029 .text C:\Windows\system32\svchost.exe[3068] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 00790000 .text C:\Windows\system32\svchost.exe[3068] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 00790FD4 .text C:\Windows\system32\svchost.exe[3068] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 00790FEF .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 00780F94 .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 00780025 .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 00780FEF .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 00780036 .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 00780F83 .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 00780014 .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 00780FDE .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 00780FB9 .text C:\Windows\system32\svchost.exe[3068] WS2_32.dll!socket 764136D1 5 Bytes JMP 00770FEF .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 000B0090 .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 000B0075 .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 000B0F0A .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 000B00A1 .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 000B0049 .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 000B0FAF .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 000B0F6F .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 000B0F94 .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 000B0064 .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 000B002C .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 000B001B .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 000B0F4A .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 000B00BC .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 000B0FD4 .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 000B0FE5 .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 000B0000 .text C:\Windows\System32\svchost.exe[3684] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 000B0F25 .text C:\Windows\System32\svchost.exe[3684] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 000A0025 .text C:\Windows\System32\svchost.exe[3684] msvcrt.dll!system 76CF8B63 5 Bytes JMP 000A0F9A .text C:\Windows\System32\svchost.exe[3684] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 000A0FC6 .text C:\Windows\System32\svchost.exe[3684] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 000A0FEF .text C:\Windows\System32\svchost.exe[3684] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 000A0FB5 .text C:\Windows\System32\svchost.exe[3684] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 000A0000 .text C:\Windows\System32\svchost.exe[3684] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 00090054 .text C:\Windows\System32\svchost.exe[3684] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 00090039 .text C:\Windows\System32\svchost.exe[3684] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 00090FEF .text C:\Windows\System32\svchost.exe[3684] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 00090FB2 .text C:\Windows\System32\svchost.exe[3684] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 0009006F .text C:\Windows\System32\svchost.exe[3684] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 00090FCD .text C:\Windows\System32\svchost.exe[3684] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 00090FDE .text C:\Windows\System32\svchost.exe[3684] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 0009001E .text C:\Windows\System32\svchost.exe[3684] WS2_32.dll!socket 764136D1 5 Bytes JMP 00100000 .text C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe[3740] ntdll.dll!DbgBreakPoint 76E77B0E 1 Byte [90] .text C:\ProgramData\lsass.exe[3976] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 0006009D .text C:\ProgramData\lsass.exe[3976] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 0006008C .text C:\ProgramData\lsass.exe[3976] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 00060F1E .text C:\ProgramData\lsass.exe[3976] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 000600BF .text C:\ProgramData\lsass.exe[3976] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 00060F86 .text C:\ProgramData\lsass.exe[3976] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 00060FEF .text C:\ProgramData\lsass.exe[3976] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 00060F97 .text C:\ProgramData\lsass.exe[3976] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 00060FC3 .text C:\ProgramData\lsass.exe[3976] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 00060F6B .text C:\ProgramData\lsass.exe[3976] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 00060FA8 .text C:\ProgramData\lsass.exe[3976] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 00060FDE .text C:\ProgramData\lsass.exe[3976] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 0006007B .text C:\ProgramData\lsass.exe[3976] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 000600D0 .text C:\ProgramData\lsass.exe[3976] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 0006001B .text C:\ProgramData\lsass.exe[3976] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 00060000 .text C:\ProgramData\lsass.exe[3976] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 00060036 .text C:\ProgramData\lsass.exe[3976] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 000600AE .text C:\ProgramData\lsass.exe[3976] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 0002004E .text C:\ProgramData\lsass.exe[3976] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 0002003D .text C:\ProgramData\lsass.exe[3976] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 00020000 .text C:\ProgramData\lsass.exe[3976] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 00020FB6 .text C:\ProgramData\lsass.exe[3976] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 00020F91 .text C:\ProgramData\lsass.exe[3976] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 00020FE5 .text C:\ProgramData\lsass.exe[3976] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 0002001B .text C:\ProgramData\lsass.exe[3976] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 0002002C .text C:\ProgramData\lsass.exe[3976] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 00050027 .text C:\ProgramData\lsass.exe[3976] msvcrt.dll!system 76CF8B63 5 Bytes JMP 00050FA6 .text C:\ProgramData\lsass.exe[3976] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 00050FD2 .text C:\ProgramData\lsass.exe[3976] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 00050000 .text C:\ProgramData\lsass.exe[3976] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 00050FB7 .text C:\ProgramData\lsass.exe[3976] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 00050FEF .text C:\ProgramData\lsass.exe[3976] WS2_32.dll!socket 764136D1 5 Bytes JMP 00620FE5 .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!GetStartupInfoW 76D51929 5 Bytes JMP 0001008E .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!GetStartupInfoA 76D519C9 5 Bytes JMP 00010F48 .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!CreateProcessW 76D51C01 5 Bytes JMP 00010F1C .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!CreateProcessA 76D51C36 5 Bytes JMP 000100B3 .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!VirtualProtect 76D51DD1 5 Bytes JMP 00010F7E .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!CreateNamedPipeW 76D55C44 5 Bytes JMP 00010036 .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!LoadLibraryExW 76D7374A 5 Bytes JMP 00010F99 .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!LoadLibraryW 76D7382D 5 Bytes JMP 00010058 .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!VirtualProtectEx 76D78F5E 5 Bytes JMP 00010073 .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!LoadLibraryExA 76D79649 5 Bytes JMP 00010FB6 .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!LoadLibraryA 76D79671 5 Bytes JMP 00010047 .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!CreatePipe 76D80474 5 Bytes JMP 00010F63 .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!GetProcAddress 76D9BAC6 5 Bytes JMP 000100C4 .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!CreateFileW 76D9CE4E 5 Bytes JMP 00010FEF .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!CreateFileA 76D9D171 5 Bytes JMP 00010000 .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!CreateNamedPipeA 76DE462E 5 Bytes JMP 00010025 .text C:\Windows\system32\wuauclt.exe[5836] kernel32.dll!WinExec 76DE580B 5 Bytes JMP 00010F2D .text C:\Windows\system32\wuauclt.exe[5836] msvcrt.dll!_wsystem 76CF8A47 5 Bytes JMP 00060FB7 .text C:\Windows\system32\wuauclt.exe[5836] msvcrt.dll!system 76CF8B63 5 Bytes JMP 00060FC8 .text C:\Windows\system32\wuauclt.exe[5836] msvcrt.dll!_creat 76CFC6F1 5 Bytes JMP 0006002E .text C:\Windows\system32\wuauclt.exe[5836] msvcrt.dll!_open 76CFDA7E 5 Bytes JMP 0006000C .text C:\Windows\system32\wuauclt.exe[5836] msvcrt.dll!_wcreat 76CFDC9E 5 Bytes JMP 00060FD9 .text C:\Windows\system32\wuauclt.exe[5836] msvcrt.dll!_wopen 76CFDE79 5 Bytes JMP 0006001D .text C:\Windows\system32\wuauclt.exe[5836] ADVAPI32.dll!RegCreateKeyExA 76BEB5E7 5 Bytes JMP 00070F91 .text C:\Windows\system32\wuauclt.exe[5836] ADVAPI32.dll!RegCreateKeyA 76BEB8AE 5 Bytes JMP 00070033 .text C:\Windows\system32\wuauclt.exe[5836] ADVAPI32.dll!RegOpenKeyA 76BF0BF5 5 Bytes JMP 00070000 .text C:\Windows\system32\wuauclt.exe[5836] ADVAPI32.dll!RegCreateKeyW 76BFB83D 5 Bytes JMP 00070FA2 .text C:\Windows\system32\wuauclt.exe[5836] ADVAPI32.dll!RegCreateKeyExW 76BFBCE1 5 Bytes JMP 00070F80 .text C:\Windows\system32\wuauclt.exe[5836] ADVAPI32.dll!RegOpenKeyExA 76BFD4E8 5 Bytes JMP 00070011 .text C:\Windows\system32\wuauclt.exe[5836] ADVAPI32.dll!RegOpenKeyW 76C03CB0 5 Bytes JMP 00070FDB .text C:\Windows\system32\wuauclt.exe[5836] ADVAPI32.dll!RegOpenKeyExW 76C0F09D 5 Bytes JMP 00070022 .text C:\Windows\system32\wuauclt.exe[5836] WS2_32.dll!socket 764136D1 5 Bytes JMP 00090000 ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3E 0xB4 0x6A 0xBD ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3E 0xB4 0x6A 0xBD ... ---- EOF - GMER 1.0.15 ----