GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-09-06 23:00:37 Windows 5.1.2600 Dodatek Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 IBM-DJSA-210 rev.JS2OAB8A 9,37GB Running: gmer.exe; Driver: C:\DOCUME~1\slaw\USTAWI~1\Temp\pgrdqpow.sys ---- System - GMER 2.1 ---- Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF982E7B8] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF982E676] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF982E610] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF982E624] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF982E68A] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF982E6B6] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF982E724] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF982E70E] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF982E73A] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF982E7F8] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF982E766] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF982E662] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF982E5D4] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF982E5E8] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF982E7CC] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF982E7A2] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF982E6F8] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF982E6E2] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF982E6A0] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF982E78E] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF982E77A] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF982E64E] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF982E63A] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF982E6CC] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF982E827] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF982E750] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF982E80E] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF982E7E2] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwYieldExecution 804FC679 7 Bytes JMP F982E7E6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwOpenKey 805684D5 5 Bytes JMP F982E666 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwQueryValueKey 8056B9A8 7 Bytes JMP F982E6E6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtSetInformationProcess 8056C608 5 Bytes JMP F982E63E mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwCreateKey 8056F063 5 Bytes JMP F982E67A mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwQueryKey 8056F473 7 Bytes JMP F982E7A6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwEnumerateKey 8056F76A 7 Bytes JMP F982E728 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtCreateFile 8057164C 5 Bytes JMP F982E7BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80573789 5 Bytes JMP F982E812 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtMapViewOfSection 80573C04 7 Bytes JMP F982E7FC mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtOpenProcess 8057459E 5 Bytes JMP F982E5D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057494D 7 Bytes JMP F982E7D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwSetValueKey 80575527 7 Bytes JMP F982E6D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwEnumerateValueKey 805801FE 7 Bytes JMP F982E712 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwNotifyChangeKey 805829DD 5 Bytes JMP F982E76A mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwCreateProcessEx 805885D3 7 Bytes JMP F982E628 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwTerminateProcess 8058AE1E 5 Bytes JMP F982E82B mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwDeleteValueKey 80597430 7 Bytes JMP F982E6BA mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtOpenThread 80597C0A 5 Bytes JMP F982E5EC mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwDeleteKey 8059D6BD 7 Bytes JMP F982E68E mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwLoadKey2 805B0D76 7 Bytes JMP F982E73E mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwCreateProcess 805B3543 5 Bytes JMP F982E614 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwSetContextThread 8062C85B 5 Bytes JMP F982E652 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwRestoreKey 8064C3B0 5 Bytes JMP F982E77E mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwUnloadKey 8064C689 7 Bytes JMP F982E754 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064CF58 7 Bytes JMP F982E6FC mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwRenameKey 8064D39F 7 Bytes JMP F982E6A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwReplaceKey 8064D892 5 Bytes JMP F982E792 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00D40FEF .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00D400AB .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00D4009A .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00D40FB6 .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00D40073 .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00D40047 .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00D40F85 .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00D400CD .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D40F63 .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D400FC .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00D4010D .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00D40062 .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00D4000A .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00D400BC .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00D40036 .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00D4001B .text C:\WINDOWS\system32\services.exe[528] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00D40F74 .text C:\WINDOWS\system32\services.exe[528] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00A5005F .text C:\WINDOWS\system32\services.exe[528] msvcrt.dll!system 77C193C7 5 Bytes JMP 00A5004E .text C:\WINDOWS\system32\services.exe[528] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00A5002C .text C:\WINDOWS\system32\services.exe[528] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00A50000 .text C:\WINDOWS\system32\services.exe[528] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00A5003D .text C:\WINDOWS\system32\services.exe[528] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00A50011 .text C:\WINDOWS\system32\services.exe[528] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 00A60000 .text C:\WINDOWS\system32\services.exe[528] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 00A60F8D .text C:\WINDOWS\system32\services.exe[528] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 00A60FAF .text C:\WINDOWS\system32\services.exe[528] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 00A60FCA .text C:\WINDOWS\system32\services.exe[528] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 00A60F9E .text C:\WINDOWS\system32\services.exe[528] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 00A60040 .text C:\WINDOWS\system32\services.exe[528] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 00A60FEF .text C:\WINDOWS\system32\services.exe[528] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 00A6001B .text C:\WINDOWS\system32\services.exe[528] WS2_32.dll!socket 71A53B91 5 Bytes JMP 00A3000A .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CC0000 .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CC0F8D .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CC0082 .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CC0067 .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CC004A .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CC0FAF .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CC0F57 .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CC0F68 .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CC0F17 .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CC00BA .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00CC0F06 .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00CC0F9E .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00CC001B .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00CC0093 .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00CC0FC0 .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00CC0FDB .text C:\WINDOWS\system32\lsass.exe[540] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00CC0F46 .text C:\WINDOWS\system32\lsass.exe[540] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 00CB0FB9 .text C:\WINDOWS\system32\lsass.exe[540] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 00CB0F79 .text C:\WINDOWS\system32\lsass.exe[540] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 00CB0FDE .text C:\WINDOWS\system32\lsass.exe[540] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 00CB0FEF .text C:\WINDOWS\system32\lsass.exe[540] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 00CB0036 .text C:\WINDOWS\system32\lsass.exe[540] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 00CB0F94 .text C:\WINDOWS\system32\lsass.exe[540] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 00CB0000 .text C:\WINDOWS\system32\lsass.exe[540] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 00CB0025 .text C:\WINDOWS\system32\lsass.exe[540] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00CA0FB6 .text C:\WINDOWS\system32\lsass.exe[540] msvcrt.dll!system 77C193C7 5 Bytes JMP 00CA0FDB .text C:\WINDOWS\system32\lsass.exe[540] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00CA003A .text C:\WINDOWS\system32\lsass.exe[540] msvcrt.dll!_open 77C1F566 3 Bytes JMP 00CA000C .text C:\WINDOWS\system32\lsass.exe[540] msvcrt.dll!_open + 4 77C1F56A 1 Byte [89] .text C:\WINDOWS\system32\lsass.exe[540] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00CA004B .text C:\WINDOWS\system32\lsass.exe[540] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00CA001D .text C:\WINDOWS\system32\lsass.exe[540] WS2_32.dll!socket 71A53B91 5 Bytes JMP 00BD0000 .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00810FEF .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00810F83 .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00810F94 .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00810FA5 .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00810FB6 .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0081003D .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008100B5 .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008100A4 .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008100D7 .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008100C6 .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00810F2D .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00810058 .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00810000 .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00810093 .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00810022 .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00810011 .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00810F52 .text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 00800FCD .text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 00800F9A .text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 00800FDE .text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 00800FEF .text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 00800FAB .text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 00800FBC .text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 0080000A .text C:\WINDOWS\system32\svchost.exe[684] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 00800043 .text C:\WINDOWS\system32\svchost.exe[684] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 007F0FBE .text C:\WINDOWS\system32\svchost.exe[684] msvcrt.dll!system 77C193C7 5 Bytes JMP 007F0049 .text C:\WINDOWS\system32\svchost.exe[684] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 007F001D .text C:\WINDOWS\system32\svchost.exe[684] msvcrt.dll!_open 77C1F566 5 Bytes JMP 007F0FE3 .text C:\WINDOWS\system32\svchost.exe[684] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 007F0038 .text C:\WINDOWS\system32\svchost.exe[684] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 007F000C .text C:\WINDOWS\system32\svchost.exe[684] WS2_32.dll!socket 71A53B91 5 Bytes JMP 007E0000 .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 007E0000 .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007E0093 .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 007E0F9E .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007E0FAF .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 007E0062 .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 007E0051 .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007E00C4 .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007E0F72 .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007E0F35 .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007E0F50 .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 007E00F3 .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 007E0FCA .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 007E0FDB .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 007E0F83 .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 007E0036 .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 007E0011 .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 007E0F61 .text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 007D0FCA .text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 007D0087 .text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 007D001B .text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 007D000A .text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 007D006C .text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 007D0047 .text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 007D0FEF .text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 007D0036 .text C:\WINDOWS\system32\svchost.exe[752] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 007C0F9C .text C:\WINDOWS\system32\svchost.exe[752] msvcrt.dll!system 77C193C7 5 Bytes JMP 007C0027 .text C:\WINDOWS\system32\svchost.exe[752] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 007C0FD2 .text C:\WINDOWS\system32\svchost.exe[752] msvcrt.dll!_open 77C1F566 5 Bytes JMP 007C0FEF .text C:\WINDOWS\system32\svchost.exe[752] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 007C0FB7 .text C:\WINDOWS\system32\svchost.exe[752] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 007C000C .text C:\WINDOWS\system32\svchost.exe[752] WS2_32.dll!socket 71A53B91 5 Bytes JMP 007B0FE5 .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 04920FEF .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 04920F4B .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 04920F70 .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0492004A .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 04920039 .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 04920FA8 .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 04920082 .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 04920F3A .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 0492009D .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 04920F04 .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 04920EE9 .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 04920F97 .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 04920014 .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 0492005B .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 04920FC3 .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 04920FDE .text C:\WINDOWS\System32\svchost.exe[792] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 04920F15 .text C:\WINDOWS\System32\svchost.exe[792] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 04910FCA .text C:\WINDOWS\System32\svchost.exe[792] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 04910080 .text C:\WINDOWS\System32\svchost.exe[792] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 04910025 .text C:\WINDOWS\System32\svchost.exe[792] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 0491000A .text C:\WINDOWS\System32\svchost.exe[792] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 04910065 .text C:\WINDOWS\System32\svchost.exe[792] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 04910FB9 .text C:\WINDOWS\System32\svchost.exe[792] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 04910FEF .text C:\WINDOWS\System32\svchost.exe[792] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 04910036 .text C:\WINDOWS\System32\svchost.exe[792] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 04470067 .text C:\WINDOWS\System32\svchost.exe[792] msvcrt.dll!system 77C193C7 5 Bytes JMP 04470042 .text C:\WINDOWS\System32\svchost.exe[792] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 04470027 .text C:\WINDOWS\System32\svchost.exe[792] msvcrt.dll!_open 77C1F566 5 Bytes JMP 04470000 .text C:\WINDOWS\System32\svchost.exe[792] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 04470FD2 .text C:\WINDOWS\System32\svchost.exe[792] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 04470FE3 .text C:\WINDOWS\System32\svchost.exe[792] WS2_32.dll!socket 71A53B91 5 Bytes JMP 04440FEF .text C:\WINDOWS\System32\svchost.exe[792] WININET.dll!InternetOpenA 771B6D2A 5 Bytes JMP 04460000 .text C:\WINDOWS\System32\svchost.exe[792] WININET.dll!InternetOpenUrlA 771B6FDD 5 Bytes JMP 0446002C .text C:\WINDOWS\System32\svchost.exe[792] WININET.dll!InternetOpenW 771C6CF3 5 Bytes JMP 04460011 .text C:\WINDOWS\System32\svchost.exe[792] WININET.dll!InternetOpenUrlW 771C7304 5 Bytes JMP 0446003D .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 007A0FEF .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007A0084 .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 007A0073 .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007A0058 .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 007A0047 .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 007A002C .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007A00BC .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007A0F74 .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007A00F2 .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007A0F59 .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 007A0F3E .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 007A0FA5 .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 007A000A .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 007A009F .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 007A001B .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 007A0FD4 .text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 007A00D7 .text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 00790FB9 .text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 00790051 .text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 00790FDE .text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 00790014 .text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 00790040 .text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 00790F9E .text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 00790FEF .text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 00790025 .text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00780FB7 .text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!system 77C193C7 5 Bytes JMP 00780042 .text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00780016 .text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00780FEF .text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00780027 .text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00780FD2 .text C:\WINDOWS\system32\svchost.exe[844] WS2_32.dll!socket 71A53B91 5 Bytes JMP 00770000 .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008A0000 .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008A0087 .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008A0F92 .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008A006C .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008A005B .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008A0FC3 .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008A0F49 .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008A0F5A .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008A00D8 .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008A00BD .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 008A0F24 .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 008A004A .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 008A0FE5 .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 008A0F77 .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 008A0FD4 .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 008A0025 .text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 008A00A2 .text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 00890036 .text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 00890FA5 .text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 0089001B .text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 0089000A .text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 00890FB6 .text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 00890058 .text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 00890FEF .text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 00890047 .text C:\WINDOWS\system32\svchost.exe[888] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00880FB2 .text C:\WINDOWS\system32\svchost.exe[888] msvcrt.dll!system 77C193C7 5 Bytes JMP 0088003D .text C:\WINDOWS\system32\svchost.exe[888] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00880011 .text C:\WINDOWS\system32\svchost.exe[888] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00880FE3 .text C:\WINDOWS\system32\svchost.exe[888] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00880022 .text C:\WINDOWS\system32\svchost.exe[888] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00880000 .text C:\WINDOWS\system32\svchost.exe[888] WS2_32.dll!socket 71A53B91 5 Bytes JMP 007D0FEF .text C:\WINDOWS\system32\svchost.exe[888] WININET.dll!InternetOpenA 771B6D2A 5 Bytes JMP 00870FEF .text C:\WINDOWS\system32\svchost.exe[888] WININET.dll!InternetOpenUrlA 771B6FDD 5 Bytes JMP 00870FB7 .text C:\WINDOWS\system32\svchost.exe[888] WININET.dll!InternetOpenW 771C6CF3 5 Bytes JMP 00870FDE .text C:\WINDOWS\system32\svchost.exe[888] WININET.dll!InternetOpenUrlW 771C7304 5 Bytes JMP 00870FA6 .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 014E0000 .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 014E0053 .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 014E0F68 .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 014E0F79 .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 014E0F8A .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 014E0FB9 .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 014E0081 .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 014E0F39 .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 014E00D2 .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 014E00AD .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 014E00ED .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 014E0036 .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 014E0FE5 .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 014E0064 .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 014E0025 .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 014E0FD4 .text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 014E0092 .text C:\WINDOWS\Explorer.EXE[1144] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 01120FB7 .text C:\WINDOWS\Explorer.EXE[1144] msvcrt.dll!system 77C193C7 5 Bytes JMP 01120FC8 .text C:\WINDOWS\Explorer.EXE[1144] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 01120038 .text C:\WINDOWS\Explorer.EXE[1144] msvcrt.dll!_open 77C1F566 5 Bytes JMP 01120000 .text C:\WINDOWS\Explorer.EXE[1144] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 01120FE3 .text C:\WINDOWS\Explorer.EXE[1144] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 01120011 .text C:\WINDOWS\Explorer.EXE[1144] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 0113002C .text C:\WINDOWS\Explorer.EXE[1144] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 0113006C .text C:\WINDOWS\Explorer.EXE[1144] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 01130011 .text C:\WINDOWS\Explorer.EXE[1144] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 01130FE5 .text C:\WINDOWS\Explorer.EXE[1144] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 01130047 .text C:\WINDOWS\Explorer.EXE[1144] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 01130FA5 .text C:\WINDOWS\Explorer.EXE[1144] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 01130000 .text C:\WINDOWS\Explorer.EXE[1144] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 01130FC0 .text C:\WINDOWS\Explorer.EXE[1144] WININET.dll!InternetOpenA 771B6D2A 5 Bytes JMP 01110000 .text C:\WINDOWS\Explorer.EXE[1144] WININET.dll!InternetOpenUrlA 771B6FDD 5 Bytes JMP 01110FBE .text C:\WINDOWS\Explorer.EXE[1144] WININET.dll!InternetOpenW 771C6CF3 5 Bytes JMP 01110FE5 .text C:\WINDOWS\Explorer.EXE[1144] WININET.dll!InternetOpenUrlW 771C7304 5 Bytes JMP 01110011 .text C:\WINDOWS\Explorer.EXE[1144] WS2_32.dll!socket 71A53B91 5 Bytes JMP 01100000 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01280000 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01280080 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01280F8B .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01280FA8 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01280065 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01280FC3 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 012800C2 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01280F70 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 012800F5 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 012800E4 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 01280106 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 0128004A .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 01280025 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 0128009B .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 01280FD4 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 01280FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 012800D3 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 0125003D .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] msvcrt.dll!system 77C193C7 5 Bytes JMP 01250FA8 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 01250FDE .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] msvcrt.dll!_open 77C1F566 5 Bytes JMP 01250FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 01250FB9 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 01250018 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 0127002C .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 01270F9B .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 01270FE5 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 0127001B .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 01270FB6 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 01270058 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 0127000A .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 0127003D .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1468] WS2_32.dll!socket 71A53B91 5 Bytes JMP 01230000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00250000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00250F63 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00250F74 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00250058 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0025003D .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00250FB6 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00250095 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00250084 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 002500C1 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 002500A6 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00250F03 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00250F9B .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00250011 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00250073 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00250FC7 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00250022 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00250F32 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 0038003B .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] msvcrt.dll!system 77C193C7 5 Bytes JMP 00380FA6 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00380FD2 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00380000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00380FB7 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00380FE3 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 00390FD4 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 0039004A .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 00390025 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 00390FE5 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 00390F8D .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 00390F9E .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 00390000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 00390FC3 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2136] WS2_32.dll!socket 71A53B91 5 Bytes JMP 003A0FEF ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\mfevtps.exe[1784] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00405995] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.) IAT C:\WINDOWS\system32\mfevtps.exe[1784] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004059CB] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBB 0x4F 0x05 0xCF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x70 0xAD 0x40 0xEF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x43 0xFE 0xAD 0xA7 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBB 0x4F 0x05 0xCF ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x70 0xAD 0x40 0xEF ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x43 0xFE 0xAD 0xA7 ... ---- EOF - GMER 2.1 ----