GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-04-04 15:22:29 Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FBEO Running: 0n234i60.exe; Driver: C:\Users\Bodzio\AppData\Local\Temp\pxdiipow.sys ---- System - GMER 1.0.15 ---- INT 0x62 ? 86C08F00 INT 0x82 ? 86C08F00 INT 0x92 ? 86C08F00 INT 0xA2 ? 851EABF8 INT 0xA2 ? 86C08F00 INT 0xA2 ? 86C08F00 INT 0xA2 ? 86C08F00 INT 0xA2 ? 851EABF8 INT 0xB2 ? 86C08F00 Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8D27C9BE] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8D27C958] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8D27C96C] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8D27C9FC] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8D27C930] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8D27C944] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8D27C9D2] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8D27C9AA] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8D27C996] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8D27CA2B] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8D27CA12] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
ZwYieldExecution [0x8D27C9E8] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8D27C982] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!ZwYieldExecution 82470C4A 5 Bytes JMP 8D27C9EC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtOpenProcess 82606AEC 5 Bytes JMP 8D27C934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8263A90D 7 Bytes JMP 8D27C9D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwUnmapViewOfSection 82647A10 5 Bytes JMP 8D27CA16 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtMapViewOfSection 82647D99 7 Bytes JMP 8D27CA00 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtCreateFile 826525B6 5 Bytes JMP 8D27C9C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtSetInformationProcess 82652E64 5 Bytes JMP 8D27C99A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
PAGE ntoskrnl.exe!ZwTerminateProcess 82657519 2 Bytes JMP 8D27CA2F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwTerminateProcess + 3 8265751C 2 Bytes [C2, 0A] PAGE ntoskrnl.exe!NtOpenThread 8265B7E1 5 Bytes JMP 8D27C948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwCreateUserProcess 82669DAB 5 Bytes JMP 8D27C986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwCreateProcess 826C6841 5 Bytes JMP 8D27C95C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwCreateProcessEx 826C688C 7 Bytes JMP 8D27C970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwSetContextThread 826C7347 5 Bytes JMP 8D27C9AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ? System32\Drivers\spiy.sys System nie może odnaleźć określonej ścieżki. ! .sfreloc˙˙˙˙sfsync03unknown last section [0x88071000, 0xA20, 0x40000040] C:\Windows\System32\drivers\sfsync03.sys unknown last section [0x88071000, 0xA20, 0x40000040] .text USBPORT.SYS!DllUnload 8C6094CB 5 Bytes JMP 86C084E0 .text ayvvj73m.SYS 8C7B9000 22 Bytes [26, 22, 41, 82, 10, 21, 41, ...] .text ayvvj73m.SYS 8C7B9017 181 Bytes [00, 32, 87, F3, 82, 3D, 85, ...] .text ayvvj73m.SYS 8C7B90CE 10 Bytes [00, 00, 00, 00, 00, 00, 02, ...] .text ayvvj73m.SYS 8C7B90DA 12 Bytes [00, 00, 02, 00, 00, 00, 24, ...] .text ayvvj73m.SYS 8C7B90E7 714 Bytes [00, F0, 0E, 00, 00, 00, 00, ...] .text ... 
.INIT C:\Windows\System32\Drivers\dfsc.sys entry point in ".INIT" section [0x8D2B2522] .text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xAA52B300, 0x3AE88, 0xE8000020] .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xAA56E300, 0x1B7E, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\explorer.exe[404] kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 026500B5 .text C:\Windows\explorer.exe[404] kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 026500A4 .text C:\Windows\explorer.exe[404] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 02650F2F .text C:\Windows\explorer.exe[404] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 026500D0 .text C:\Windows\explorer.exe[404] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 02650053 .text C:\Windows\explorer.exe[404] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 02650036 .text C:\Windows\explorer.exe[404] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 02650F79 .text C:\Windows\explorer.exe[404] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 02650FA5 .text C:\Windows\explorer.exe[404] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 0265006E .text C:\Windows\explorer.exe[404] kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 02650F94 .text C:\Windows\explorer.exe[404] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 02650FCA .text C:\Windows\explorer.exe[404] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 02650089 .text C:\Windows\explorer.exe[404] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 026500E1 .text C:\Windows\explorer.exe[404] kernel32.dll!CreateFileW 7646CE4E 5 Bytes JMP 02650011 .text C:\Windows\explorer.exe[404] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 02650000 .text C:\Windows\explorer.exe[404] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 02650FE5 .text C:\Windows\explorer.exe[404] kernel32.dll!WinExec 764B580B 5 Bytes JMP 02650F54 .text C:\Windows\explorer.exe[404] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 02670FA5 .text 
C:\Windows\explorer.exe[404] ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 02670036 .text C:\Windows\explorer.exe[404] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 02670FEF .text C:\Windows\explorer.exe[404] ADVAPI32.dll!RegCreateKeyW 7695B83D 5 Bytes JMP 02670047 .text C:\Windows\explorer.exe[404] ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 02670F94 .text C:\Windows\explorer.exe[404] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 02670FC0 .text C:\Windows\explorer.exe[404] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 02670000 .text C:\Windows\explorer.exe[404] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 02670011 .text C:\Windows\explorer.exe[404] msvcrt.dll!_wsystem 76348A47 5 Bytes JMP 02640FAA .text C:\Windows\explorer.exe[404] msvcrt.dll!system 76348B63 5 Bytes JMP 0264003F .text C:\Windows\explorer.exe[404] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 0264001D .text C:\Windows\explorer.exe[404] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 02640000 .text C:\Windows\explorer.exe[404] msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 0264002E .text C:\Windows\explorer.exe[404] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 02640FEF .text C:\Windows\explorer.exe[404] WS2_32.dll!socket 77C536D1 5 Bytes JMP 02880FEF .text C:\Windows\explorer.exe[404] WININET.dll!InternetOpenA 765B0A4D 5 Bytes JMP 02660FEF .text C:\Windows\explorer.exe[404] WININET.dll!InternetOpenUrlA 765B2713 5 Bytes JMP 0266000A .text C:\Windows\explorer.exe[404] WININET.dll!InternetOpenW 765B30C8 5 Bytes JMP 02660FDE .text C:\Windows\explorer.exe[404] WININET.dll!InternetOpenUrlW 76608515 5 Bytes JMP 0266001B .text C:\Windows\system32\svchost.exe[488] kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 000E00C1 .text C:\Windows\system32\svchost.exe[488] kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 000E00B0 .text C:\Windows\system32\svchost.exe[488] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 000E0F4F .text C:\Windows\system32\svchost.exe[488] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 000E0F60 
.text C:\Windows\system32\svchost.exe[488] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 000E0FA0 .text C:\Windows\system32\svchost.exe[488] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 000E0040 .text C:\Windows\system32\svchost.exe[488] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 000E0084 .text C:\Windows\system32\svchost.exe[488] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 000E0062 .text C:\Windows\system32\svchost.exe[488] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 000E0095 .text C:\Windows\system32\svchost.exe[488] kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 000E0073 .text C:\Windows\system32\svchost.exe[488] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 000E0051 .text C:\Windows\system32\svchost.exe[488] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 000E0F7B .text C:\Windows\system32\svchost.exe[488] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 000E0F34 .text C:\Windows\system32\svchost.exe[488] kernel32.dll!CreateFileW 7646CE4E 5 Bytes JMP 000E001B .text C:\Windows\system32\svchost.exe[488] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 000E0000 .text C:\Windows\system32\svchost.exe[488] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 000E0FE5 .text C:\Windows\system32\svchost.exe[488] kernel32.dll!WinExec 764B580B 5 Bytes JMP 000E00DC .text C:\Windows\system32\svchost.exe[488] msvcrt.dll!_wsystem 76348A47 5 Bytes JMP 000D0FD4 .text C:\Windows\system32\svchost.exe[488] msvcrt.dll!system 76348B63 5 Bytes JMP 000D005F .text C:\Windows\system32\svchost.exe[488] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 000D003A .text C:\Windows\system32\svchost.exe[488] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 000D0000 .text C:\Windows\system32\svchost.exe[488] msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 000D0FEF .text C:\Windows\system32\svchost.exe[488] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 000D001D .text C:\Windows\system32\svchost.exe[488] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 001F0F83 .text C:\Windows\system32\svchost.exe[488] 
ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 001F0025 .text C:\Windows\system32\svchost.exe[488] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 001F0000 .text C:\Windows\system32\svchost.exe[488] ADVAPI32.dll!RegCreateKeyW 7695B83D 5 Bytes JMP 001F0F9E .text C:\Windows\system32\svchost.exe[488] ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 001F0040 .text C:\Windows\system32\svchost.exe[488] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 001F0FCA .text C:\Windows\system32\svchost.exe[488] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 001F0FE5 .text C:\Windows\system32\svchost.exe[488] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 001F0FB9 .text C:\Windows\system32\svchost.exe[488] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00200FE5 .text C:\Windows\system32\services.exe[732] kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 00F600E4 .text C:\Windows\system32\services.exe[732] kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 00F60F9E .text C:\Windows\system32\services.exe[732] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 00F60F6F .text C:\Windows\system32\services.exe[732] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 00F60106 .text C:\Windows\system32\services.exe[732] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 00F60093 .text C:\Windows\system32\services.exe[732] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 00F60025 .text C:\Windows\system32\services.exe[732] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 00F60078 .text C:\Windows\system32\services.exe[732] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 00F60FB9 .text C:\Windows\system32\services.exe[732] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 00F600A4 .text C:\Windows\system32\services.exe[732] kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 00F60051 .text C:\Windows\system32\services.exe[732] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 00F60040 .text C:\Windows\system32\services.exe[732] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 00F600BF .text 
C:\Windows\system32\services.exe[732] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 00F60121 .text C:\Windows\system32\services.exe[732] kernel32.dll!CreateFileW 7646CE4E 5 Bytes JMP 00F60FDE .text C:\Windows\system32\services.exe[732] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 00F60FEF .text C:\Windows\system32\services.exe[732] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 00F60014 .text C:\Windows\system32\services.exe[732] kernel32.dll!WinExec 764B580B 5 Bytes JMP 00F600F5 .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 00FF0051 .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 00FF002C .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 00FF0000 .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyW 7695B83D 5 Bytes JMP 00FF0FA5 .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 00FF0062 .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 00FF0FDB .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 00FF0011 .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 00FF0FCA .text C:\Windows\system32\services.exe[732] msvcrt.dll!_wsystem 76348A47 5 Bytes JMP 00F50039 .text C:\Windows\system32\services.exe[732] msvcrt.dll!system 76348B63 5 Bytes JMP 00F50FA4 .text C:\Windows\system32\services.exe[732] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 00F50FC6 .text C:\Windows\system32\services.exe[732] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 00F50FEF .text C:\Windows\system32\services.exe[732] msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 00F50FB5 .text C:\Windows\system32\services.exe[732] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 00F50000 .text C:\Windows\system32\services.exe[732] WS2_32.dll!socket 77C536D1 5 Bytes JMP 01800000 .text C:\Windows\system32\lsass.exe[744] 
kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 00120F21 .text C:\Windows\system32\lsass.exe[744] kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 00120F32 .text C:\Windows\system32\lsass.exe[744] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 001200A7 .text C:\Windows\system32\lsass.exe[744] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 00120F06 .text C:\Windows\system32\lsass.exe[744] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 00120F72 .text C:\Windows\system32\lsass.exe[744] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 00120025 .text C:\Windows\system32\lsass.exe[744] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 00120F83 .text C:\Windows\system32\lsass.exe[744] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 00120040 .text C:\Windows\system32\lsass.exe[744] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 00120F57 .text C:\Windows\system32\lsass.exe[744] kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 00120F9E .text C:\Windows\system32\lsass.exe[744] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 00120FAF .text C:\Windows\system32\lsass.exe[744] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 00120067 .text C:\Windows\system32\lsass.exe[744] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 00120EF5 .text C:\Windows\system32\lsass.exe[744] kernel32.dll!CreateFileW 7646CE4E 5 Bytes JMP 0012000A .text C:\Windows\system32\lsass.exe[744] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 00120FE5 .text C:\Windows\system32\lsass.exe[744] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 00120FD4 .text C:\Windows\system32\lsass.exe[744] kernel32.dll!WinExec 764B580B 5 Bytes JMP 00120082 .text C:\Windows\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 00AB0051 .text C:\Windows\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 00AB0FAF .text C:\Windows\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 00AB0000 .text C:\Windows\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyW 7695B83D 
5 Bytes JMP 00AB0040 .text C:\Windows\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 00AB0062 .text C:\Windows\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 00AB0025 .text C:\Windows\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 00AB0FEF .text C:\Windows\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 00AB0FCA .text C:\Windows\system32\lsass.exe[744] msvcrt.dll!_wsystem 76348A47 5 Bytes JMP 00100042 .text C:\Windows\system32\lsass.exe[744] msvcrt.dll!system 76348B63 5 Bytes JMP 00100031 .text C:\Windows\system32\lsass.exe[744] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 00100FD2 .text C:\Windows\system32\lsass.exe[744] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 00100FEF .text C:\Windows\system32\lsass.exe[744] msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 00100FC1 .text C:\Windows\system32\lsass.exe[744] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 0010000C .text C:\Windows\system32\lsass.exe[744] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00AC0FEF .text C:\Windows\system32\svchost.exe[964] kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 00430F30 .text C:\Windows\system32\svchost.exe[964] kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 00430076 .text C:\Windows\system32\svchost.exe[964] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 00430EF0 .text C:\Windows\system32\svchost.exe[964] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 00430F0B .text C:\Windows\system32\svchost.exe[964] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 00430F52 .text C:\Windows\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 00430FAF .text C:\Windows\system32\svchost.exe[964] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 00430F79 .text C:\Windows\system32\svchost.exe[964] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 00430025 .text C:\Windows\system32\svchost.exe[964] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 00430F41 .text C:\Windows\system32\svchost.exe[964] 
kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 00430036 .text C:\Windows\system32\svchost.exe[964] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 00430F94 .text C:\Windows\system32\svchost.exe[964] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 00430051 .text C:\Windows\system32\svchost.exe[964] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 00430EDF .text C:\Windows\system32\svchost.exe[964] kernel32.dll!CreateFileW 7646CE4E 5 Bytes JMP 00430FCA .text C:\Windows\system32\svchost.exe[964] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 00430FEF .text C:\Windows\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 00430000 .text C:\Windows\system32\svchost.exe[964] kernel32.dll!WinExec 764B580B 5 Bytes JMP 00430087 .text C:\Windows\system32\svchost.exe[964] msvcrt.dll!_wsystem 76348A47 5 Bytes JMP 0032004E .text C:\Windows\system32\svchost.exe[964] msvcrt.dll!system 76348B63 5 Bytes JMP 00320FC3 .text C:\Windows\system32\svchost.exe[964] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 00320FDE .text C:\Windows\system32\svchost.exe[964] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 00320FEF .text C:\Windows\system32\svchost.exe[964] msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 0032003D .text C:\Windows\system32\svchost.exe[964] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 00320018 .text C:\Windows\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 00440FA1 .text C:\Windows\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 00440FBC .text C:\Windows\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 00440FEF .text C:\Windows\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW 7695B83D 5 Bytes JMP 00440043 .text C:\Windows\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 00440054 .text C:\Windows\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 00440FDE .text C:\Windows\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 0044000A 
.text C:\Windows\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 00440FCD .text C:\Windows\system32\svchost.exe[964] WS2_32.dll!socket 77C536D1 5 Bytes JMP 0045000A .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 002E00E4 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 002E00D3 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 002E0F68 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 002E00FF .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 002E0FA8 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 002E0039 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 002E0082 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 002E0054 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 002E00A7 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 002E0065 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 002E0FCD .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 002E00B8 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 002E011A .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateFileW 7646CE4E 5 Bytes JMP 002E0014 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 002E0FEF .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 002E0FDE .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!WinExec 764B580B 5 Bytes JMP 002E0F83 .text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!_wsystem 76348A47 5 Bytes JMP 
002D0FC3 .text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!system 76348B63 5 Bytes JMP 002D0044 .text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 002D0029 .text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 002D000C .text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 002D0FD4 .text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 002D0FEF .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 002F0FAF .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 002F0040 .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 002F0FEF .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyW 7695B83D 5 Bytes JMP 002F0051 .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 002F0076 .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 002F0FD4 .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 002F0000 .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 002F0025 .text C:\Windows\system32\svchost.exe[1024] WS2_32.dll!socket 77C536D1 5 Bytes JMP 003E0FE5 .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 00DD00AF .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 00DD0F69 .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 00DD0F3D .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 00DD00DE .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 00DD0F7A .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 00DD002F .text 
C:\Windows\System32\svchost.exe[1132] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 00DD0F97 .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 00DD0FB9 .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 00DD0079 .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 00DD0FA8 .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 00DD0040 .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 00DD0094 .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 00DD0F2C .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreateFileW 7646CE4E 5 Bytes JMP 00DD0FEF .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 00DD000A .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 00DD0FD4 .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!WinExec 764B580B 5 Bytes JMP 00DD0F58 .text C:\Windows\System32\svchost.exe[1132] msvcrt.dll!_wsystem 76348A47 5 Bytes JMP 00490F95 .text C:\Windows\System32\svchost.exe[1132] msvcrt.dll!system 76348B63 5 Bytes JMP 00490020 .text C:\Windows\System32\svchost.exe[1132] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 00490FC1 .text C:\Windows\System32\svchost.exe[1132] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 00490FEF .text C:\Windows\System32\svchost.exe[1132] msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 00490FA6 .text C:\Windows\System32\svchost.exe[1132] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 00490FD2 .text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 00DE0076 .text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 00DE0FD4 .text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 00DE0000 .text C:\Windows\System32\svchost.exe[1132] 
ADVAPI32.dll!RegCreateKeyW 7695B83D 5 Bytes JMP 00DE005B .text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 00DE0FC3 .text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 00DE0FE5 .text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 00DE001B .text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 00DE0036 .text C:\Windows\System32\svchost.exe[1132] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00E00FEF .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 01AF0F43 .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 01AF0089 .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 01AF0F06 .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 01AF0F21 .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 01AF0056 .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 01AF0FAF .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 01AF0F72 .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 01AF0F9E .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 01AF0067 .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 01AF0F83 .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 01AF001B .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!CreatePipe 76450474 1 Byte [E9] .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 01AF0078 .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 01AF00B8 .text 
C:\Windows\System32\svchost.exe[1216] kernel32.dll!CreateFileW 7646CE4E 5 Bytes JMP 01AF0FE5 .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 01AF0000 .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 01AF0FCA .text C:\Windows\System32\svchost.exe[1216] kernel32.dll!WinExec 764B580B 5 Bytes JMP 01AF0F32 .text C:\Windows\System32\svchost.exe[1216] msvcrt.dll!_wsystem 76348A47 5 Bytes JMP 01AE0FCA .text C:\Windows\System32\svchost.exe[1216] msvcrt.dll!system 76348B63 5 Bytes JMP 01AE0055 .text C:\Windows\System32\svchost.exe[1216] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 01AE0FEF .text C:\Windows\System32\svchost.exe[1216] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 01AE000C .text C:\Windows\System32\svchost.exe[1216] msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 01AE003A .text C:\Windows\System32\svchost.exe[1216] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 01AE001D .text C:\Windows\System32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 01B40087 .text C:\Windows\System32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 01B40FEF .text C:\Windows\System32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 01B4000A .text C:\Windows\System32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW 7695B83D 5 Bytes JMP 01B40076 .text C:\Windows\System32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 01B40FD4 .text C:\Windows\System32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 01B40040 .text C:\Windows\System32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 01B4001B .text C:\Windows\System32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 01B40051 .text C:\Windows\System32\svchost.exe[1216] WS2_32.dll!socket 77C536D1 5 Bytes JMP 01B50FE5 .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 015600BA .text C:\Windows\system32\svchost.exe[1240] 
kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 015600A9 .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 015600E9 .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 01560F48 .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 01560F7E .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 0156000A .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 01560062 .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 01560036 .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 0156007D .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 01560047 .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 01560025 .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 0156008E .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 01560104 .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!CreateFileW 7646CE4E 5 Bytes JMP 01560FD4 .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 01560FE5 .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 01560FB9 .text C:\Windows\system32\svchost.exe[1240] kernel32.dll!WinExec 764B580B 5 Bytes JMP 01560F59 .text C:\Windows\system32\svchost.exe[1240] msvcrt.dll!_wsystem 76348A47 5 Bytes JMP 01550033 .text C:\Windows\system32\svchost.exe[1240] msvcrt.dll!system 76348B63 5 Bytes JMP 01550022 .text C:\Windows\system32\svchost.exe[1240] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 01550011 .text C:\Windows\system32\svchost.exe[1240] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 01550FE3 .text C:\Windows\system32\svchost.exe[1240] 
msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 01550FBC .text C:\Windows\system32\svchost.exe[1240] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 01550000 .text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 0157004A .text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 01570FB9 .text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 01570FEF .text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW 7695B83D 5 Bytes JMP 01570F9E .text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 0157005B .text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 0157001B .text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 0157000A .text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 01570FCA .text C:\Windows\system32\svchost.exe[1240] WS2_32.dll!socket 77C536D1 5 Bytes JMP 01580000 .text C:\Windows\system32\svchost.exe[1240] WININET.dll!InternetOpenA 765B0A4D 5 Bytes JMP 02490FEF .text C:\Windows\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlA 765B2713 5 Bytes JMP 02490FCA .text C:\Windows\system32\svchost.exe[1240] WININET.dll!InternetOpenW 765B30C8 5 Bytes JMP 0249000A .text C:\Windows\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlW 76608515 5 Bytes JMP 02490FB9 .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 004200A9 .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 00420F6D .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 00420F48 .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 004200E9 .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 00420F99 .text 
C:\Windows\System32\svchost.exe[1344] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 00420022 .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 0042007D .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 00420062 .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 00420F7E .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 00420FC0 .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 0042003D .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 00420098 .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 00420F2D .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!CreateFileW 7646CE4E 5 Bytes JMP 00420FE5 .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 00420000 .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 00420011 .text C:\Windows\System32\svchost.exe[1344] kernel32.dll!WinExec 764B580B 5 Bytes JMP 004200C4 .text C:\Windows\System32\svchost.exe[1344] msvcrt.dll!_wsystem 76348A47 5 Bytes JMP 00410081 .text C:\Windows\System32\svchost.exe[1344] msvcrt.dll!system 76348B63 5 Bytes JMP 00410066 .text C:\Windows\System32\svchost.exe[1344] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 0041003A .text C:\Windows\System32\svchost.exe[1344] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 00410000 .text C:\Windows\System32\svchost.exe[1344] msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 00410055 .text C:\Windows\System32\svchost.exe[1344] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 00410029 .text C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 00430F6F .text C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 0043001B .text 
C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 00430FEF .text C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyW 7695B83D 5 Bytes JMP 00430F94 .text C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 00430F5E .text C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 00430000 .text C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 00430FCA .text C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 00430FAF .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 01680F2F .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 01680075 .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 01680F14 .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 016800AB .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 01680F62 .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 01680FBC .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 01680F73 .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 01680FAB .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 01680F51 .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 01680F9A .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 01680028 .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 01680F40 .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 01680F03 .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!CreateFileW 7646CE4E 
5 Bytes JMP 01680FDE .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 01680FEF .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 01680FCD .text C:\Windows\system32\svchost.exe[1452] kernel32.dll!WinExec 764B580B 5 Bytes JMP 0168009A .text C:\Windows\system32\svchost.exe[1452] msvcrt.dll!_wsystem 76348A47 5 Bytes JMP 00170033 .text C:\Windows\system32\svchost.exe[1452] msvcrt.dll!system 76348B63 5 Bytes JMP 00170022 .text C:\Windows\system32\svchost.exe[1452] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 00170FCD .text C:\Windows\system32\svchost.exe[1452] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 00170FEF .text C:\Windows\system32\svchost.exe[1452] msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 00170FB2 .text C:\Windows\system32\svchost.exe[1452] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 00170FDE .text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 01800047 .text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 01800FB9 .text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 01800000 .text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyW 7695B83D 5 Bytes JMP 01800036 .text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 01800058 .text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 01800FE5 .text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 0180001B .text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 01800FCA .text C:\Windows\system32\svchost.exe[1452] WS2_32.dll!socket 77C536D1 5 Bytes JMP 01810000 .text C:\Windows\system32\svchost.exe[1452] WinInet.dll!InternetOpenA 765B0A4D 5 Bytes JMP 01710FE5 .text C:\Windows\system32\svchost.exe[1452] WinInet.dll!InternetOpenUrlA 765B2713 5 Bytes JMP 01710FB9 .text 
C:\Windows\system32\svchost.exe[1452] WinInet.dll!InternetOpenW 765B30C8 5 Bytes JMP 01710FD4 .text C:\Windows\system32\svchost.exe[1452] WinInet.dll!InternetOpenUrlW 76608515 5 Bytes JMP 01710F9E .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 00D80F41 .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 00D80087 .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 00D800BD .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 00D800AC .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 00D80F81 .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 00D80025 .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 00D8005B .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 00D80040 .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 00D8006C .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 00D80F9E .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 00D80FB9 .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 00D80F66 .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 00D80F0B .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!CreateFileW 7646CE4E 5 Bytes JMP 00D80FD4 .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 00D80FEF .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 00D80014 .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!WinExec 764B580B 5 Bytes JMP 00D80F30 .text C:\Windows\system32\svchost.exe[1584] msvcrt.dll!_wsystem 76348A47 5 Bytes 
JMP 00960F9C .text C:\Windows\system32\svchost.exe[1584] msvcrt.dll!system 76348B63 5 Bytes JMP 00960FAD .text C:\Windows\system32\svchost.exe[1584] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 0096000C .text C:\Windows\system32\svchost.exe[1584] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 00960FE3 .text C:\Windows\system32\svchost.exe[1584] msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 00960027 .text C:\Windows\system32\svchost.exe[1584] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 00960FD2 .text C:\Windows\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 00D90F8A .text C:\Windows\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 00D90011 .text C:\Windows\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 00D90FEF .text C:\Windows\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyW 7695B83D 5 Bytes JMP 00D9002C .text C:\Windows\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 00D90F6F .text C:\Windows\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 00D90FAF .text C:\Windows\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 00D90FD4 .text C:\Windows\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 00D90000 .text C:\Windows\system32\svchost.exe[1584] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00DA0FEF .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2148] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2148] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) 
.text C:\Windows\system32\svchost.exe[2424] kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 000900B5 .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 000900A4 .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 000900E8 .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 000900D7 .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 00090078 .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 00090036 .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 00090F94 .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 00090FAF .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 00090089 .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 00090051 .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 00090FCA .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 00090F79 .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 00090F40 .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!CreateFileW 7646CE4E 5 Bytes JMP 00090011 .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 00090000 .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 00090FE5 .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!WinExec 764B580B 5 Bytes JMP 000900C6 .text C:\Windows\system32\svchost.exe[2424] msvcrt.dll!_wsystem 76348A47 5 Bytes JMP 00020050 .text C:\Windows\system32\svchost.exe[2424] msvcrt.dll!system 76348B63 5 Bytes JMP 0002003F .text C:\Windows\system32\svchost.exe[2424] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 0002001D 
.text C:\Windows\system32\svchost.exe[2424] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 00020FEF .text C:\Windows\system32\svchost.exe[2424] msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 0002002E .text C:\Windows\system32\svchost.exe[2424] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 0002000C .text C:\Windows\system32\svchost.exe[2424] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 000A0039 .text C:\Windows\system32\svchost.exe[2424] ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 000A0F97 .text C:\Windows\system32\svchost.exe[2424] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 000A0FEF .text C:\Windows\system32\svchost.exe[2424] ADVAPI32.dll!RegCreateKeyW 7695B83D 5 Bytes JMP 000A0028 .text C:\Windows\system32\svchost.exe[2424] ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 000A0F7C .text C:\Windows\system32\svchost.exe[2424] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 000A0FC3 .text C:\Windows\system32\svchost.exe[2424] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 000A0FDE .text C:\Windows\system32\svchost.exe[2424] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 000A0FB2 .text C:\Windows\system32\svchost.exe[2424] WS2_32.dll!socket 77C536D1 5 Bytes JMP 000B0FEF .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 00A60F6F .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 00A60F8A .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 00A60F32 .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 00A60F43 .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 00A60089 .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 00A60025 .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 00A6006E .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 00A60040 .text 
C:\Windows\system32\svchost.exe[3128] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 00A6009A .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 00A60051 .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 00A60FB9 .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 00A600B5 .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 00A600EE .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!CreateFileW 7646CE4E 5 Bytes JMP 00A6000A .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 00A60FEF .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 00A60FD4 .text C:\Windows\system32\svchost.exe[3128] kernel32.dll!WinExec 764B580B 5 Bytes JMP 00A60F54 .text C:\Windows\system32\svchost.exe[3128] msvcrt.dll!_wsystem 76348A47 5 Bytes JMP 00A40FA1 .text C:\Windows\system32\svchost.exe[3128] msvcrt.dll!system 76348B63 5 Bytes JMP 00A40FB2 .text C:\Windows\system32\svchost.exe[3128] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 00A40FCD .text C:\Windows\system32\svchost.exe[3128] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 00A40000 .text C:\Windows\system32\svchost.exe[3128] msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 00A4002C .text C:\Windows\system32\svchost.exe[3128] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 00A40011 .text C:\Windows\system32\svchost.exe[3128] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 00A70043 .text C:\Windows\system32\svchost.exe[3128] ADVAPI32.dll!RegCreateKeyA 7694B8AE 1 Byte [E9] .text C:\Windows\system32\svchost.exe[3128] ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 00A70FB2 .text C:\Windows\system32\svchost.exe[3128] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 00A70FEF .text C:\Windows\system32\svchost.exe[3128] ADVAPI32.dll!RegCreateKeyW 7695B83D 5 Bytes JMP 00A70F97 .text C:\Windows\system32\svchost.exe[3128] 
ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 00A70054 .text C:\Windows\system32\svchost.exe[3128] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 00A70014 .text C:\Windows\system32\svchost.exe[3128] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 00A70FDE .text C:\Windows\system32\svchost.exe[3128] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 00A70FC3 .text C:\Windows\system32\svchost.exe[3128] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00A80000 .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 00100F75 .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 00100F90 .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 001000F1 .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 00100F50 .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 00100FA1 .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 0010002F .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 0010006F .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 00100FC3 .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 001000A0 .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 00100FB2 .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 0010004A .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 001000BB .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 00100102 .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!CreateFileW 7646CE4E 5 Bytes JMP 00100FDE .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 00100FEF .text 
C:\Windows\System32\svchost.exe[3196] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 00100014 .text C:\Windows\System32\svchost.exe[3196] kernel32.dll!WinExec 764B580B 5 Bytes JMP 001000D6 .text C:\Windows\System32\svchost.exe[3196] msvcrt.dll!_wsystem 76348A47 5 Bytes JMP 000F0027 .text C:\Windows\System32\svchost.exe[3196] msvcrt.dll!system 76348B63 5 Bytes JMP 000F0016 .text C:\Windows\System32\svchost.exe[3196] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 000F0FC1 .text C:\Windows\System32\svchost.exe[3196] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 000F0FEF .text C:\Windows\System32\svchost.exe[3196] msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 000F0FA6 .text C:\Windows\System32\svchost.exe[3196] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 000F0FD2 .text C:\Windows\System32\svchost.exe[3196] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 00110F7C .text C:\Windows\System32\svchost.exe[3196] ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 00110014 .text C:\Windows\System32\svchost.exe[3196] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 00110FEF .text C:\Windows\System32\svchost.exe[3196] ADVAPI32.dll!RegCreateKeyW 7695B83D 5 Bytes JMP 00110F8D .text C:\Windows\System32\svchost.exe[3196] ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 0011002F .text C:\Windows\System32\svchost.exe[3196] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 00110FB9 .text C:\Windows\System32\svchost.exe[3196] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 00110FCA .text C:\Windows\System32\svchost.exe[3196] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 00110FA8 .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!GetStartupInfoW 76421929 5 Bytes JMP 000100BA .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!GetStartupInfoA 764219C9 5 Bytes JMP 00010F74 .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!CreateProcessW 76421C01 5 Bytes JMP 00010F23 .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!CreateProcessA 76421C36 5 Bytes JMP 00010F3E .text 
C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!VirtualProtect 76421DD1 5 Bytes JMP 0001008E .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!CreateNamedPipeW 76425C44 5 Bytes JMP 00010040 .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!LoadLibraryExW 7644374A 5 Bytes JMP 00010FB4 .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!LoadLibraryW 7644382D 5 Bytes JMP 00010062 .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!VirtualProtectEx 76448F5E 5 Bytes JMP 0001009F .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!LoadLibraryExA 76449649 5 Bytes JMP 0001007D .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!LoadLibraryA 76449671 5 Bytes JMP 00010051 .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!CreatePipe 76450474 5 Bytes JMP 00010F8F .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!GetProcAddress 7646BAC6 5 Bytes JMP 000100D5 .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!CreateFileW 7646CE4E 5 Bytes JMP 00010011 .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!CreateFileA 7646D171 5 Bytes JMP 00010000 .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!CreateNamedPipeA 764B462E 5 Bytes JMP 00010FE5 .text C:\Windows\system32\wuauclt.exe[4740] kernel32.dll!WinExec 764B580B 5 Bytes JMP 00010F59 .text C:\Windows\system32\wuauclt.exe[4740] msvcrt.dll!_wsystem 76348A47 5 Bytes JMP 00070FAD .text C:\Windows\system32\wuauclt.exe[4740] msvcrt.dll!system 76348B63 5 Bytes JMP 00070038 .text C:\Windows\system32\wuauclt.exe[4740] msvcrt.dll!_creat 7634C6F1 5 Bytes JMP 0007001D .text C:\Windows\system32\wuauclt.exe[4740] msvcrt.dll!_open 7634DA7E 5 Bytes JMP 00070000 .text C:\Windows\system32\wuauclt.exe[4740] msvcrt.dll!_wcreat 7634DC9E 5 Bytes JMP 00070FD2 .text C:\Windows\system32\wuauclt.exe[4740] msvcrt.dll!_wopen 7634DE79 5 Bytes JMP 00070FEF .text C:\Windows\system32\wuauclt.exe[4740] ADVAPI32.dll!RegCreateKeyExA 7694B5E7 5 Bytes JMP 000C0F7C .text 
C:\Windows\system32\wuauclt.exe[4740] ADVAPI32.dll!RegCreateKeyA 7694B8AE 1 Byte [E9] .text C:\Windows\system32\wuauclt.exe[4740] ADVAPI32.dll!RegCreateKeyA 7694B8AE 5 Bytes JMP 000C0FB2 .text C:\Windows\system32\wuauclt.exe[4740] ADVAPI32.dll!RegOpenKeyA 76950BF5 5 Bytes JMP 000C0FEF .text C:\Windows\system32\wuauclt.exe[4740] ADVAPI32.dll!RegCreateKeyW 7695B83D 5 Bytes JMP 000C0F97 .text C:\Windows\system32\wuauclt.exe[4740] ADVAPI32.dll!RegCreateKeyExW 7695BCE1 5 Bytes JMP 000C0F6B .text C:\Windows\system32\wuauclt.exe[4740] ADVAPI32.dll!RegOpenKeyExA 7695D4E8 5 Bytes JMP 000C0FD4 .text C:\Windows\system32\wuauclt.exe[4740] ADVAPI32.dll!RegOpenKeyW 76963CB0 5 Bytes JMP 000C000A .text C:\Windows\system32\wuauclt.exe[4740] ADVAPI32.dll!RegOpenKeyExW 7696F09D 5 Bytes JMP 000C0FC3 .text C:\Program Files\Mozilla Firefox\firefox.exe[5472] ntdll.dll!LdrLoadDll 77AA79B3 5 Bytes JMP 66F464D0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5472] CRYPT32.dll!CertFreeCertificateChain + 1E2 75C47E76 7 Bytes JMP 35675697 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5472] CRYPT32.dll!CryptDecodeObject + 1E7 75C4BD9C 7 Bytes JMP 35675637 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5884] USER32.dll!GetWindowInfo 76800560 5 Bytes JMP 670C142A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5884] USER32.dll!SetWindowLongA 76800736 5 Bytes JMP 67330A32 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5884] USER32.dll!SetWindowLongW 76801F35 5 Bytes JMP 673309C4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla 
Firefox\plugin-container.exe[5884] USER32.dll!TrackPopupMenu 76811417 3 Bytes JMP 670C19DE C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5884] USER32.dll!TrackPopupMenu + 4 7681141B 1 Byte [F0] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8484F2D8 IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [82E5EC4C] \SystemRoot\System32\Drivers\spiy.sys IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [82E5ECA0] \SystemRoot\System32\Drivers\spiy.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [82E2E6D6] \SystemRoot\System32\Drivers\spiy.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82E2E042] \SystemRoot\System32\Drivers\spiy.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [82E2E800] \SystemRoot\System32\Drivers\spiy.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [82E2E0C0] \SystemRoot\System32\Drivers\spiy.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [82E2E13E] \SystemRoot\System32\Drivers\spiy.sys IAT \SystemRoot\system32\drivers\ataport.SYS[ntoskrnl.exe!DbgBreakPoint] 848502D8 IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86C085E0 IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [82E3DE9C] \SystemRoot\System32\Drivers\spiy.sys IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortNotification] CC358B04 IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortWritePortUchar] 838C7DEF IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortWritePortUlong] 458B38C6 IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortGetPhysicalAddress] A5A5A514 IAT 
\SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 100D8BA5 IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortGetScatterGatherList] 5F8C7DC0 IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortReadPortUchar] 30810889 IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortStallExecution] 54771129 IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortGetParentBusType] 10C25D5E IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortRequestCallback] 8B55CC00 IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 084D8BEC IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 0CF0918B IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortCompleteRequest] 458B0000 IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortMoveMemory] 8B108910 IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 000CF491 IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 04508900 IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 053C7980 IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortReadPortUshort] 560C558B IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortReadPortBufferUshort] C6127557 IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortInitialize] B18D0502 IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortGetDeviceBase] 00000CF8 IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[ataport.SYS!AtaPortDeviceStateChange] A508788D IAT \SystemRoot\System32\Drivers\ayvvj73m.SYS[NTOSKRNL.exe!KeTickCount] 8B118920 IAT \SystemRoot\system32\DRIVERS\storport.sys[ntoskrnl.exe!DbgBreakPoint] 86BA12D8 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [74A58864] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [74A99855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [74A5B984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [74A4FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [74A57A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [74A4EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74A8B12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [74A5BC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ 
C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [74A50756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [74A506BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [74A471B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [74ADD9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [74A77329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [74A4E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [74A4697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [74A469A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) 
IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [74A52475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 851EC1F8
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
Device \FileSystem\fastfat \FatCdrom 85CE0500
Device \Driver\netbt \Device\NetBT_Tcpip_{BA35EED2-8E4B-4675-8F23-C3BFB7E3CA8B} 87450460
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation)
Device \Driver\volmgr \Device\VolMgrControl 851E81F8
Device \Driver\usbuhci \Device\USBPDO-0 86B3E1F8
Device \Driver\usbuhci \Device\USBPDO-1 86B3E1F8
Device \Driver\usbuhci \Device\USBPDO-2 86B3E1F8
Device \Driver\usbehci \Device\USBPDO-3 86B341F8
Device \Driver\usbuhci \Device\USBPDO-4 86B3E1F8
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\usbuhci \Device\USBPDO-5 86B3E1F8
Device \Driver\usbuhci \Device\USBPDO-6 86B3E1F8
Device \Driver\volmgr \Device\HarddiskVolume1 851E81F8
Device \Driver\usbehci \Device\USBPDO-7 86B341F8
Device \Driver\volmgr \Device\HarddiskVolume2 851E81F8
Device \Driver\cdrom \Device\CdRom0 86B4D1F8
Device \Driver\iaStor \Device\Ide\iaStor0 [880B97B0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [880B97B0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [880B97B0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\volmgr \Device\HarddiskVolume3 851E81F8
Device \Driver\cdrom \Device\CdRom1 86B4D1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{575A44F0-B1A6-4387-8C0E-EEE577BAA1DB} 87450460
Device \Driver\netbt \Device\NetBt_Wins_Export 87450460
Device \Driver\Smb \Device\NetbiosSmb 874F31F8
Device \Driver\iScsiPrt \Device\RaidPort0 86BA81F8
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\usbuhci \Device\USBFDO-0 86B3E1F8
Device \Driver\PCI_PNP2737 \Device\0000007a spiy.sys
Device \Driver\usbuhci \Device\USBFDO-1 86B3E1F8
Device \Driver\usbuhci \Device\USBFDO-2 86B3E1F8
Device \Driver\sptd \Device\2269738753 spiy.sys
Device \Driver\usbehci \Device\USBFDO-3 86B341F8
Device \Driver\usbuhci \Device\USBFDO-4 86B3E1F8
Device \Driver\usbuhci \Device\USBFDO-5 86B3E1F8
Device \Driver\usbuhci \Device\USBFDO-6 86B3E1F8
Device \Driver\usbehci \Device\USBFDO-7 86B341F8
Device \Driver\ayvvj73m \Device\Scsi\ayvvj73m1 86B3F1F8
Device \Driver\ayvvj73m \Device\Scsi\ayvvj73m1 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\ayvvj73m \Device\Scsi\ayvvj73m1Port2Path0Target0Lun0 86B3F1F8
Device \Driver\ayvvj73m \Device\Scsi\ayvvj73m1Port2Path0Target0Lun0 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\fastfat \Fat 85CE0500
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
Device \FileSystem\cdfs \Cdfs AD7471F8

---- Threads - GMER 1.0.15 ----

Thread System [4:496] 87697540
Thread System [4:500] 87697540

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1f36512
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1f37b93
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3B 0xC7 0xEB 0xB8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x61 0xB4 0x83 0xC8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x31 0x9B 0x88 0xAB ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001fe1f36512 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001fe1f37b93 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3B 0xC7 0xEB 0xB8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x61 0xB4 0x83 0xC8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x31 0x9B 0x88 0xAB ...

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB9041$\1400861168 0 bytes
File C:\Windows\$NtUninstallKB9041$\411354154 0 bytes
File C:\Windows\$NtUninstallKB9041$\411354154\@ 2048 bytes
File C:\Windows\$NtUninstallKB9041$\411354154\L 0 bytes
File C:\Windows\$NtUninstallKB9041$\411354154\L\ogejidap 75264 bytes
File C:\Windows\$NtUninstallKB9041$\411354154\loader.tlb 2632 bytes
File C:\Windows\$NtUninstallKB9041$\411354154\U 0 bytes
File C:\Windows\$NtUninstallKB9041$\411354154\U\@00000001 45968 bytes
File C:\Windows\$NtUninstallKB9041$\411354154\U\@000000c0 2560 bytes
File C:\Windows\$NtUninstallKB9041$\411354154\U\@000000cb 704 bytes
File C:\Windows\$NtUninstallKB9041$\411354154\U\@000000cf 1536 bytes
File C:\Windows\$NtUninstallKB9041$\411354154\U\@80000000 73728 bytes
File C:\Windows\$NtUninstallKB9041$\411354154\U\@800000c0 43008 bytes
File C:\Windows\$NtUninstallKB9041$\411354154\U\@800000cb 25600 bytes
File C:\Windows\$NtUninstallKB9041$\411354154\U\@800000cf 31232 bytes

---- EOF - GMER 1.0.15 ----