GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-04 17:58:06
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FBEO
Running: 0n234i60.exe; Driver: C:\Users\Bodzio\AppData\Local\Temp\pxdiipow.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8D2859BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8D285958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8D28596C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8D2859FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8D285930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8D285944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8D2859D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8D2859AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8D285996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8D285A2B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8D285A12]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8D2859E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8D285982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 82446C4A 5 Bytes JMP 8D2859EC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 825DCAEC 5 Bytes JMP 8D285934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8261090D 7 Bytes JMP 8D2859D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8261DA10 5 Bytes JMP 8D285A16 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8261DD99 7 Bytes JMP 8D285A00 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 826285B6 5 Bytes JMP 8D2859C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 82628E64 5 Bytes JMP 8D28599A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8262D519 5 Bytes JMP 8D285A2F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 826317E1 5 Bytes JMP 8D285948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateUserProcess 8263FDAB 5 Bytes JMP 8D285986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 8269C841 5 Bytes JMP 8D28595C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8269C88C 7 Bytes JMP 8D285970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8269D347 5 Bytes JMP 8D2859AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.sfrelocÿÿÿÿsfsync03unknown last section [0x82F40000, 0xA20, 0x40000040] C:\Windows\System32\drivers\sfsync03.sys unknown last section [0x82F40000, 0xA20, 0x40000040]
.INIT C:\Windows\System32\Drivers\dfsc.sys entry point in ".INIT" section [0x8D2AC522]
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x82F90300, 0x3AE88, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x8D000300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[600] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 00A100A5
.text C:\Windows\system32\services.exe[600] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 00A10F69
.text C:\Windows\system32\services.exe[600] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 00A10F3A
.text C:\Windows\system32\services.exe[600] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 00A100C7
.text C:\Windows\system32\services.exe[600] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 00A10F8B
.text C:\Windows\system32\services.exe[600] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 00A1002F
.text C:\Windows\system32\services.exe[600] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 
00A10FB2 .text C:\Windows\system32\services.exe[600] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 00A1004A .text C:\Windows\system32\services.exe[600] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 00A10F7A .text C:\Windows\system32\services.exe[600] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 00A10065 .text C:\Windows\system32\services.exe[600] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 00A10FC3 .text C:\Windows\system32\services.exe[600] kernel32.dll!CreatePipe 76C30474 5 Bytes JMP 00A10094 .text C:\Windows\system32\services.exe[600] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 00A100EC .text C:\Windows\system32\services.exe[600] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 00A10FDE .text C:\Windows\system32\services.exe[600] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 00A10FEF .text C:\Windows\system32\services.exe[600] kernel32.dll!CreateNamedPipeA 76C9462E 5 Bytes JMP 00A10014 .text C:\Windows\system32\services.exe[600] kernel32.dll!WinExec 76C9580B 5 Bytes JMP 00A100B6 .text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 007D0F83 .text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 007D0025 .text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 007D0FE5 .text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 007D0F9E .text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 007D004A .text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 007D0FCA .text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 007D0000 .text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 007D0FB9 .text C:\Windows\system32\services.exe[600] msvcrt.dll!_wsystem 76FB8A47 5 Bytes JMP 00A20036 .text C:\Windows\system32\services.exe[600] msvcrt.dll!system 76FB8B63 5 Bytes JMP 
00A20FAB .text C:\Windows\system32\services.exe[600] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 00A20011 .text C:\Windows\system32\services.exe[600] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 00A20FEF .text C:\Windows\system32\services.exe[600] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 00A20FBC .text C:\Windows\system32\services.exe[600] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 00A20000 .text C:\Windows\system32\services.exe[600] WS2_32.dll!socket 75EC36D1 5 Bytes JMP 00A00FEF .text C:\Windows\system32\lsass.exe[612] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 00EC0076 .text C:\Windows\system32\lsass.exe[612] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 00EC0051 .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 00EC00A2 .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 00EC0F0B .text C:\Windows\system32\lsass.exe[612] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 00EC0F4B .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 00EC0FAF .text C:\Windows\system32\lsass.exe[612] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 00EC002F .text C:\Windows\system32\lsass.exe[612] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 00EC0F83 .text C:\Windows\system32\lsass.exe[612] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 00EC0F3A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 00EC0F72 .text C:\Windows\system32\lsass.exe[612] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 00EC0F9E .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreatePipe 76C30474 5 Bytes JMP 00EC0040 .text C:\Windows\system32\lsass.exe[612] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 00EC0EF0 .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 00EC0FCA .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 00EC0FE5 .text C:\Windows\system32\lsass.exe[612] 
kernel32.dll!CreateNamedPipeA 76C9462E 5 Bytes JMP 00EC0000 .text C:\Windows\system32\lsass.exe[612] kernel32.dll!WinExec 76C9580B 5 Bytes JMP 00EC0087 .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 0083006C .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 00830036 .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 00830000 .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 00830047 .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 0083007D .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 00830FDB .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 00830011 .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 00830FCA .text C:\Windows\system32\lsass.exe[612] msvcrt.dll!_wsystem 76FB8A47 5 Bytes JMP 00ED0053 .text C:\Windows\system32\lsass.exe[612] msvcrt.dll!system 76FB8B63 5 Bytes JMP 00ED0FBE .text C:\Windows\system32\lsass.exe[612] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 00ED0FE3 .text C:\Windows\system32\lsass.exe[612] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 00ED0000 .text C:\Windows\system32\lsass.exe[612] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 00ED0038 .text C:\Windows\system32\lsass.exe[612] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 00ED001D .text C:\Windows\system32\lsass.exe[612] WS2_32.dll!socket 75EC36D1 5 Bytes JMP 00CA0FEF .text C:\Windows\system32\svchost.exe[820] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 006C00D3 .text C:\Windows\system32\svchost.exe[820] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 006C00B8 .text C:\Windows\system32\svchost.exe[820] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 006C0F43 .text C:\Windows\system32\svchost.exe[820] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 006C00E4 .text 
C:\Windows\system32\svchost.exe[820] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 006C0082 .text C:\Windows\system32\svchost.exe[820] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 006C0FB9 .text C:\Windows\system32\svchost.exe[820] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 006C0067 .text C:\Windows\system32\svchost.exe[820] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 006C004A .text C:\Windows\system32\svchost.exe[820] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 006C0093 .text C:\Windows\system32\svchost.exe[820] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 006C0F9E .text C:\Windows\system32\svchost.exe[820] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 006C0025 .text C:\Windows\system32\svchost.exe[820] kernel32.dll!CreatePipe 76C30474 5 Bytes JMP 006C0F8D .text C:\Windows\system32\svchost.exe[820] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 006C00F5 .text C:\Windows\system32\svchost.exe[820] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 006C0FDE .text C:\Windows\system32\svchost.exe[820] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 006C0FEF .text C:\Windows\system32\svchost.exe[820] kernel32.dll!CreateNamedPipeA 76C9462E 5 Bytes JMP 006C000A .text C:\Windows\system32\svchost.exe[820] kernel32.dll!WinExec 76C9580B 5 Bytes JMP 006C0F72 .text C:\Windows\system32\svchost.exe[820] msvcrt.dll!_wsystem 76FB8A47 5 Bytes JMP 006D0FB2 .text C:\Windows\system32\svchost.exe[820] msvcrt.dll!system 76FB8B63 5 Bytes JMP 006D0FCD .text C:\Windows\system32\svchost.exe[820] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 006D0FDE .text C:\Windows\system32\svchost.exe[820] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 006D000C .text C:\Windows\system32\svchost.exe[820] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 006D003D .text C:\Windows\system32\svchost.exe[820] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 006D0FEF .text C:\Windows\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 006A0F94 .text C:\Windows\system32\svchost.exe[820] 
ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 006A001B .text C:\Windows\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 006A0FE5 .text C:\Windows\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 006A0036 .text C:\Windows\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 006A0F83 .text C:\Windows\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 006A0FCA .text C:\Windows\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 006A000A .text C:\Windows\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 006A0FB9 .text C:\Windows\system32\svchost.exe[820] WS2_32.dll!socket 75EC36D1 5 Bytes JMP 006B0FEF .text C:\Windows\system32\svchost.exe[828] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 000800E1 .text C:\Windows\system32\svchost.exe[828] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 00080F9B .text C:\Windows\system32\svchost.exe[828] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 00080F6C .text C:\Windows\system32\svchost.exe[828] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 00080103 .text C:\Windows\system32\svchost.exe[828] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 00080090 .text C:\Windows\system32\svchost.exe[828] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 0008002C .text C:\Windows\system32\svchost.exe[828] kernel32.dll!LoadLibraryExW 76C2374A 1 Byte [E9] .text C:\Windows\system32\svchost.exe[828] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 0008007F .text C:\Windows\system32\svchost.exe[828] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 00080FC0 .text C:\Windows\system32\svchost.exe[828] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 000800AB .text C:\Windows\system32\svchost.exe[828] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 00080062 .text C:\Windows\system32\svchost.exe[828] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 0008003D .text C:\Windows\system32\svchost.exe[828] 
kernel32.dll!CreatePipe 76C30474 5 Bytes JMP 000800C6 .text C:\Windows\system32\svchost.exe[828] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 00080F5B .text C:\Windows\system32\svchost.exe[828] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 00080FE5 .text C:\Windows\system32\svchost.exe[828] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 00080000 .text C:\Windows\system32\svchost.exe[828] kernel32.dll!CreateNamedPipeA 76C9462E 5 Bytes JMP 0008001B .text C:\Windows\system32\svchost.exe[828] kernel32.dll!WinExec 76C9580B 5 Bytes JMP 000800F2 .text C:\Windows\system32\svchost.exe[828] msvcrt.dll!_wsystem 76FB8A47 5 Bytes JMP 00090036 .text C:\Windows\system32\svchost.exe[828] msvcrt.dll!system 76FB8B63 5 Bytes JMP 00090FAB .text C:\Windows\system32\svchost.exe[828] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 0009000A .text C:\Windows\system32\svchost.exe[828] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 00090FEF .text C:\Windows\system32\svchost.exe[828] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 00090025 .text C:\Windows\system32\svchost.exe[828] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 00090FC6 .text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 0006005B .text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 00060025 .text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 00060FEF .text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 00060040 .text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 00060080 .text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 0006000A .text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 00060FD4 .text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 00060FB9 .text C:\Windows\system32\svchost.exe[828] WS2_32.dll!socket 75EC36D1 5 Bytes JMP 00070FEF .text 
C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 00910F26 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 00910F37 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 00910EE6 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 0091007D .text C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 00910F6D .text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 00910FB9 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 00910047 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 00910025 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtectEx 76C28F5E 1 Byte [E9] .text C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 00910062 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 00910036 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 00910FA8 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreatePipe 76C30474 5 Bytes JMP 00910F52 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 00910ED5 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 00910FDE .text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 00910FEF .text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeA 76C9462E 5 Bytes JMP 0091000A .text C:\Windows\system32\svchost.exe[880] kernel32.dll!WinExec 76C9580B 5 Bytes JMP 00910F01 .text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wsystem 76FB8A47 5 Bytes JMP 00920042 .text C:\Windows\system32\svchost.exe[880] msvcrt.dll!system 76FB8B63 5 Bytes JMP 00920FB7 .text 
C:\Windows\system32\svchost.exe[880] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 00920FE3 .text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 0092000C .text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 00920FC8 .text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 0092001D .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 00820F6B .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 00820F97 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 00820FEF .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 00820F86 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 00820032 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 00820FC3 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 00820FDE .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 00820FB2 .text C:\Windows\system32\svchost.exe[880] WS2_32.dll!socket 75EC36D1 5 Bytes JMP 008C0000 .text C:\Windows\System32\svchost.exe[912] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 00680F41 .text C:\Windows\System32\svchost.exe[912] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 0068007D .text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 006800CE .text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 006800B3 .text C:\Windows\System32\svchost.exe[912] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 00680051 .text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 00680000 .text C:\Windows\System32\svchost.exe[912] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 00680040 .text 
C:\Windows\System32\svchost.exe[912] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 00680F8D .text C:\Windows\System32\svchost.exe[912] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 0068006C .text C:\Windows\System32\svchost.exe[912] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 0068002F .text C:\Windows\System32\svchost.exe[912] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 00680F9E .text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreatePipe 76C30474 5 Bytes JMP 00680F52 .text C:\Windows\System32\svchost.exe[912] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 00680F12 .text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 00680FD4 .text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 00680FE5 .text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateNamedPipeA 76C9462E 5 Bytes JMP 00680FAF .text C:\Windows\System32\svchost.exe[912] kernel32.dll!WinExec 76C9580B 5 Bytes JMP 006800A2 .text C:\Windows\System32\svchost.exe[912] msvcrt.dll!_wsystem 76FB8A47 5 Bytes JMP 00E60027 .text C:\Windows\System32\svchost.exe[912] msvcrt.dll!system 76FB8B63 5 Bytes JMP 00E60FA6 .text C:\Windows\System32\svchost.exe[912] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 00E60FC8 .text C:\Windows\System32\svchost.exe[912] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 00E60000 .text C:\Windows\System32\svchost.exe[912] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 00E60FB7 .text C:\Windows\System32\svchost.exe[912] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 00E60FEF .text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 00660040 .text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 0066002F .text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 00660FEF .text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 00660FA8 .text C:\Windows\System32\svchost.exe[912] 
ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 00660051 .text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 00660FD4 .text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 00660000 .text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 00660FC3 .text C:\Windows\System32\svchost.exe[912] WS2_32.dll!socket 75EC36D1 5 Bytes JMP 00670FEF .text C:\Windows\System32\svchost.exe[988] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 00E90F63 .text C:\Windows\System32\svchost.exe[988] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 00E900A9 .text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 00E90F23 .text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 00E900BA .text C:\Windows\System32\svchost.exe[988] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 00E90F92 .text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 00E90FE5 .text C:\Windows\System32\svchost.exe[988] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 00E9006C .text C:\Windows\System32\svchost.exe[988] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 00E90FAF .text C:\Windows\System32\svchost.exe[988] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 00E90087 .text C:\Windows\System32\svchost.exe[988] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 00E90051 .text C:\Windows\System32\svchost.exe[988] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 00E90FD4 .text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreatePipe 76C30474 5 Bytes JMP 00E90098 .text C:\Windows\System32\svchost.exe[988] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 00E90F12 .text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 00E9001B .text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 00E9000A .text C:\Windows\System32\svchost.exe[988] 
kernel32.dll!CreateNamedPipeA 76C9462E 5 Bytes JMP 00E90036 .text C:\Windows\System32\svchost.exe[988] kernel32.dll!WinExec 76C9580B 5 Bytes JMP 00E90F3E .text C:\Windows\System32\svchost.exe[988] msvcrt.dll!_wsystem 76FB8A47 5 Bytes JMP 00EA0055 .text C:\Windows\System32\svchost.exe[988] msvcrt.dll!system 76FB8B63 5 Bytes JMP 00EA0FCA .text C:\Windows\System32\svchost.exe[988] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 00EA0029 .text C:\Windows\System32\svchost.exe[988] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 00EA0FEF .text C:\Windows\System32\svchost.exe[988] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 00EA003A .text C:\Windows\System32\svchost.exe[988] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 00EA000C .text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 00E70040 .text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 00E70025 .text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 00E70FEF .text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 00E70F9E .text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 00E70F83 .text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 00E70FCA .text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 00E70000 .text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 00E70FB9 .text C:\Windows\System32\svchost.exe[988] WS2_32.dll!socket 75EC36D1 5 Bytes JMP 00E80000 .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 00FF00F3 .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 00FF0FAD .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 00FF011F .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 
00FF010E .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 00FF00A2 .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 00FF002C .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 00FF0FCA .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 00FF0062 .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 00FF00BD .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 00FF007D .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 00FF0047 .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreatePipe 76C30474 5 Bytes JMP 00FF00D8 .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 00FF0F77 .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 00FF001B .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 00FF0000 .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateNamedPipeA 76C9462E 5 Bytes JMP 00FF0FE5 .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!WinExec 76C9580B 5 Bytes JMP 00FF0F9C .text C:\Windows\system32\svchost.exe[1028] msvcrt.dll!_wsystem 76FB8A47 5 Bytes JMP 01500F9A .text C:\Windows\system32\svchost.exe[1028] msvcrt.dll!system 76FB8B63 5 Bytes JMP 01500025 .text C:\Windows\system32\svchost.exe[1028] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 0150000A .text C:\Windows\system32\svchost.exe[1028] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 01500FEF .text C:\Windows\system32\svchost.exe[1028] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 01500FB5 .text C:\Windows\system32\svchost.exe[1028] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 01500FC6 .text C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 00F10FA5 .text 
C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 00F10036 .text C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 00F10FEF .text C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 00F10051 .text C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 00F10F94 .text C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 00F10025 .text C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 00F1000A .text C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 00F10FCA .text C:\Windows\system32\svchost.exe[1028] WS2_32.dll!socket 75EC36D1 5 Bytes JMP 00FE000A .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 01550F44 .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 01550F5F .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 01550F22 .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 015500B9 .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 01550080 .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 0155002F .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 01550FB2 .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 01550054 .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 01550F8B .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 01550065 .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 01550FC3 .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!CreatePipe 76C30474 5 Bytes 
JMP 01550F7A .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 01550EFD .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 01550FD4 .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 01550FEF .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!CreateNamedPipeA 76C9462E 3 Bytes JMP 01550014 .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!CreateNamedPipeA + 4 76C94632 1 Byte [8A] .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!WinExec 76C9580B 3 Bytes JMP 01550F33 .text C:\Windows\System32\svchost.exe[1084] kernel32.dll!WinExec + 4 76C9580F 1 Byte [8A] .text C:\Windows\System32\svchost.exe[1084] msvcrt.dll!_wsystem 76FB8A47 5 Bytes JMP 01560027 .text C:\Windows\System32\svchost.exe[1084] msvcrt.dll!system 76FB8B63 5 Bytes JMP 01560FA6 .text C:\Windows\System32\svchost.exe[1084] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 01560FC8 .text C:\Windows\System32\svchost.exe[1084] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 01560FE3 .text C:\Windows\System32\svchost.exe[1084] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 01560FB7 .text C:\Windows\System32\svchost.exe[1084] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 01560000 .text C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 0154005B .text C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 01540FB9 .text C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 0154000A .text C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 01540040 .text C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 01540F9E .text C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 01540FD4 .text C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 01540FEF .text 
C:\Windows\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 01540025 .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 00E400E1 .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 00E400C6 .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 00E4010D .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 00E400F2 .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 00E40F9B .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 00E4001B .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 00E40075 .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 00E40047 .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 00E40090 .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 00E40058 .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 00E4002C .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreatePipe 76C30474 5 Bytes JMP 00E400AB .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 00E40128 .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 00E40FE5 .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 00E40000 .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 76C9462E 5 Bytes JMP 00E40FCA .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!WinExec 76C9580B 5 Bytes JMP 00E40F80 .text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_wsystem 76FB8A47 5 Bytes JMP 00EA005D .text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!system 76FB8B63 5 Bytes JMP 
00EA0038 .text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 00EA0FD2 .text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 00EA0FEF .text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 00EA0027 .text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 00EA0000 .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 00700FAF .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 00700FC0 .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 00700FEF .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 00700051 .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 00700062 .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 0070001B .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 0070000A .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 0070002C .text C:\Windows\system32\svchost.exe[1208] WS2_32.dll!socket 75EC36D1 5 Bytes JMP 00CF0000 .text C:\Windows\system32\svchost.exe[1208] WinInet.dll!InternetOpenA 76CF0A4D 5 Bytes JMP 00E50FEF .text C:\Windows\system32\svchost.exe[1208] WinInet.dll!InternetOpenUrlA 76CF2713 5 Bytes JMP 00E50FDE .text C:\Windows\system32\svchost.exe[1208] WinInet.dll!InternetOpenW 76CF30C8 5 Bytes JMP 00E5000A .text C:\Windows\system32\svchost.exe[1208] WinInet.dll!InternetOpenUrlW 76D48515 5 Bytes JMP 00E50FCD .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 00E200BD .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 00E200A2 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 00E200E9 .text 
C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 00E200D8 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 00E20F81 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 00E20025 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 00E20F9E .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 00E20FB9 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 00E20076 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 00E2005B .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 00E20036 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreatePipe 76C30474 5 Bytes JMP 00E20087 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 00E20104 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 00E20FD4 .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 00E20FEF .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeA 76C9462E 5 Bytes JMP 00E2000A .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!WinExec 76C9580B 5 Bytes JMP 00E20F5C .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_wsystem 76FB8A47 5 Bytes JMP 00E3005A .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!system 76FB8B63 5 Bytes JMP 00E30049 .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 00E3002E .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 00E30000 .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 00E30FD9 .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 00E3001D .text 
C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 00D7004A .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 00D7002F .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 00D70FE5 .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 00D70FA8 .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 00D7006F .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 00D7000A .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 00D70FCA .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 00D70FB9 .text C:\Windows\system32\svchost.exe[1372] WS2_32.dll!socket 75EC36D1 5 Bytes JMP 00DD000A .text C:\Windows\Explorer.EXE[1628] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 02F30F6D .text C:\Windows\Explorer.EXE[1628] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 02F300BD .text C:\Windows\Explorer.EXE[1628] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 02F30F3A .text C:\Windows\Explorer.EXE[1628] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 02F30F4B .text C:\Windows\Explorer.EXE[1628] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 02F30FA3 .text C:\Windows\Explorer.EXE[1628] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 02F30022 .text C:\Windows\Explorer.EXE[1628] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 02F3007D .text C:\Windows\Explorer.EXE[1628] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 02F30062 .text C:\Windows\Explorer.EXE[1628] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 02F30F92 .text C:\Windows\Explorer.EXE[1628] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 02F30FC0 .text C:\Windows\Explorer.EXE[1628] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 02F30047 .text C:\Windows\Explorer.EXE[1628] kernel32.dll!CreatePipe 76C30474 
5 Bytes JMP 02F300A2 .text C:\Windows\Explorer.EXE[1628] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 02F300E2 .text C:\Windows\Explorer.EXE[1628] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 02F30011 .text C:\Windows\Explorer.EXE[1628] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 02F30000 .text C:\Windows\Explorer.EXE[1628] kernel32.dll!CreateNamedPipeA 76C9462E 5 Bytes JMP 02F30FDB .text C:\Windows\Explorer.EXE[1628] kernel32.dll!WinExec 76C9580B 5 Bytes JMP 02F30F5C .text C:\Windows\Explorer.EXE[1628] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 00D5004A .text C:\Windows\Explorer.EXE[1628] ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 00D5001E .text C:\Windows\Explorer.EXE[1628] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 00D50FE5 .text C:\Windows\Explorer.EXE[1628] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 00D5002F .text C:\Windows\Explorer.EXE[1628] ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 00D50F8D .text C:\Windows\Explorer.EXE[1628] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 00D50FC3 .text C:\Windows\Explorer.EXE[1628] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 00D50FD4 .text C:\Windows\Explorer.EXE[1628] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 00D50FB2 .text C:\Windows\Explorer.EXE[1628] msvcrt.dll!_wsystem 76FB8A47 5 Bytes JMP 02F50051 .text C:\Windows\Explorer.EXE[1628] msvcrt.dll!system 76FB8B63 5 Bytes JMP 02F5002C .text C:\Windows\Explorer.EXE[1628] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 02F50000 .text C:\Windows\Explorer.EXE[1628] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 02F50FEF .text C:\Windows\Explorer.EXE[1628] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 02F50011 .text C:\Windows\Explorer.EXE[1628] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 02F50FC6 .text C:\Windows\Explorer.EXE[1628] WS2_32.dll!socket 75EC36D1 5 Bytes JMP 02F20000 .text C:\Windows\Explorer.EXE[1628] WININET.dll!InternetOpenA 76CF0A4D 5 Bytes JMP 02F40FEF .text C:\Windows\Explorer.EXE[1628] WININET.dll!InternetOpenUrlA 76CF2713 5 Bytes JMP 
02F40025 .text C:\Windows\Explorer.EXE[1628] WININET.dll!InternetOpenW 76CF30C8 5 Bytes JMP 02F4000A .text C:\Windows\Explorer.EXE[1628] WININET.dll!InternetOpenUrlW 76D48515 5 Bytes JMP 02F40036 .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 001B00AC .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 001B0091 .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 001B0F1C .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 001B00BD .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 001B0076 .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 001B0025 .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 001B005B .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 001B0040 .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 001B0F81 .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 001B0F9E .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 001B0FC3 .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!CreatePipe 76C30474 5 Bytes JMP 001B0F66 .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 001B00CE .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 001B0FDE .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 001B0FEF .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!CreateNamedPipeA 76C9462E 5 Bytes JMP 001B0014 .text C:\Windows\system32\svchost.exe[2104] kernel32.dll!WinExec 76C9580B 5 Bytes JMP 001B0F41 .text C:\Windows\system32\svchost.exe[2104] msvcrt.dll!_wsystem 76FB8A47 5 Bytes 
JMP 00600042 .text C:\Windows\system32\svchost.exe[2104] msvcrt.dll!system 76FB8B63 5 Bytes JMP 00600FB7 .text C:\Windows\system32\svchost.exe[2104] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 0060000C .text C:\Windows\system32\svchost.exe[2104] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 00600FE3 .text C:\Windows\system32\svchost.exe[2104] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 0060001D .text C:\Windows\system32\svchost.exe[2104] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 00600FD2 .text C:\Windows\system32\svchost.exe[2104] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 0008004E .text C:\Windows\system32\svchost.exe[2104] ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 0008002C .text C:\Windows\system32\svchost.exe[2104] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 00080FE5 .text C:\Windows\system32\svchost.exe[2104] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 0008003D .text C:\Windows\system32\svchost.exe[2104] ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 00080F91 .text C:\Windows\system32\svchost.exe[2104] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 00080FCA .text C:\Windows\system32\svchost.exe[2104] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 00080000 .text C:\Windows\system32\svchost.exe[2104] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 0008001B .text C:\Windows\system32\svchost.exe[2104] WS2_32.dll!socket 75EC36D1 5 Bytes JMP 001A0000 .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2444] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2444] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) 
.text C:\Windows\system32\svchost.exe[3036] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 00D00076 .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 00D00F26 .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 00D000A2 .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 00D00087 .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 00D00F5C .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 00D00FAF .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 00D00F6D .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 00D00025 .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 00D00F41 .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 00D00036 .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 00D00F94 .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!CreatePipe 76C30474 5 Bytes JMP 00D00051 .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 00D000B3 .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 00D0000A .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 00D00FEF .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!CreateNamedPipeA 76C9462E 5 Bytes JMP 00D00FD4 .text C:\Windows\system32\svchost.exe[3036] kernel32.dll!WinExec 76C9580B 5 Bytes JMP 00D00F15 .text C:\Windows\system32\svchost.exe[3036] msvcrt.dll!_wsystem 76FB8A47 5 Bytes JMP 00D10062 .text C:\Windows\system32\svchost.exe[3036] msvcrt.dll!system 76FB8B63 5 Bytes JMP 00D10FCD .text C:\Windows\system32\svchost.exe[3036] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 00D10018 
.text C:\Windows\system32\svchost.exe[3036] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 00D10FEF .text C:\Windows\system32\svchost.exe[3036] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 00D10033 .text C:\Windows\system32\svchost.exe[3036] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 00D10FDE .text C:\Windows\system32\svchost.exe[3036] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 00820040 .text C:\Windows\system32\svchost.exe[3036] ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 0082002F .text C:\Windows\system32\svchost.exe[3036] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 00820FE5 .text C:\Windows\system32\svchost.exe[3036] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 00820FA8 .text C:\Windows\system32\svchost.exe[3036] ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 00820F83 .text C:\Windows\system32\svchost.exe[3036] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 00820FC3 .text C:\Windows\system32\svchost.exe[3036] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 00820FD4 .text C:\Windows\system32\svchost.exe[3036] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 00820014 .text C:\Windows\system32\svchost.exe[3036] WS2_32.dll!socket 75EC36D1 5 Bytes JMP 00CF0FEF .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 00100F3D .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 00100F58 .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 001000B9 .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 0010009E .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 0010006F .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 00100025 .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 00100F8B .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 0010004A .text 
C:\Windows\System32\svchost.exe[3116] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 00100F7A .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 00100FA8 .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 00100FC3 .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!CreatePipe 76C30474 5 Bytes JMP 00100F69 .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 001000D4 .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 0010000A .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 00100FEF .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!CreateNamedPipeA 76C9462E 5 Bytes JMP 00100FD4 .text C:\Windows\System32\svchost.exe[3116] kernel32.dll!WinExec 76C9580B 5 Bytes JMP 00100F22 .text C:\Windows\System32\svchost.exe[3116] msvcrt.dll!_wsystem 76FB8A47 5 Bytes JMP 00110058 .text C:\Windows\System32\svchost.exe[3116] msvcrt.dll!system 76FB8B63 5 Bytes JMP 00110033 .text C:\Windows\System32\svchost.exe[3116] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 00110011 .text C:\Windows\System32\svchost.exe[3116] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 00110000 .text C:\Windows\System32\svchost.exe[3116] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 00110022 .text C:\Windows\System32\svchost.exe[3116] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 00110FD7 .text C:\Windows\System32\svchost.exe[3116] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 000F0FB2 .text C:\Windows\System32\svchost.exe[3116] ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 000F0039 .text C:\Windows\System32\svchost.exe[3116] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 000F0FEF .text C:\Windows\System32\svchost.exe[3116] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 000F0054 .text C:\Windows\System32\svchost.exe[3116] ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 000F0079 .text 
C:\Windows\System32\svchost.exe[3116] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 000F0FCD .text C:\Windows\System32\svchost.exe[3116] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 000F0FDE .text C:\Windows\System32\svchost.exe[3116] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 000F001E .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!GetStartupInfoW 76C01929 5 Bytes JMP 00010054 .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!GetStartupInfoA 76C019C9 5 Bytes JMP 00010F0E .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!CreateProcessW 76C01C01 5 Bytes JMP 0001008A .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!CreateProcessA 76C01C36 5 Bytes JMP 00010EF3 .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!VirtualProtect 76C01DD1 5 Bytes JMP 00010039 .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!CreateNamedPipeW 76C05C44 5 Bytes JMP 00010FB2 .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!LoadLibraryExW 76C2374A 5 Bytes JMP 00010028 .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!LoadLibraryW 76C2382D 5 Bytes JMP 00010F86 .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!VirtualProtectEx 76C28F5E 5 Bytes JMP 00010F3A .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!LoadLibraryExA 76C29649 5 Bytes JMP 00010F6B .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!LoadLibraryA 76C29671 5 Bytes JMP 00010FA1 .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!CreatePipe 76C30474 5 Bytes JMP 00010F29 .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!GetProcAddress 76C4BAC6 5 Bytes JMP 000100A5 .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!CreateFileW 76C4CE4E 5 Bytes JMP 00010FDE .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!CreateFileA 76C4D171 5 Bytes JMP 00010FEF .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!CreateNamedPipeA 76C9462E 5 Bytes JMP 00010FC3 .text C:\Windows\system32\wuauclt.exe[4956] kernel32.dll!WinExec 76C9580B 5 
Bytes JMP 0001006F .text C:\Windows\system32\wuauclt.exe[4956] msvcrt.dll!_wsystem 76FB8A47 5 Bytes JMP 00060058 .text C:\Windows\system32\wuauclt.exe[4956] msvcrt.dll!system 76FB8B63 5 Bytes JMP 0006003D .text C:\Windows\system32\wuauclt.exe[4956] msvcrt.dll!_creat 76FBC6F1 5 Bytes JMP 00060022 .text C:\Windows\system32\wuauclt.exe[4956] msvcrt.dll!_open 76FBDA7E 5 Bytes JMP 00060000 .text C:\Windows\system32\wuauclt.exe[4956] msvcrt.dll!_wcreat 76FBDC9E 5 Bytes JMP 00060FCD .text C:\Windows\system32\wuauclt.exe[4956] msvcrt.dll!_wopen 76FBDE79 5 Bytes JMP 00060011 .text C:\Windows\system32\wuauclt.exe[4956] ADVAPI32.dll!RegCreateKeyExA 759EB5E7 5 Bytes JMP 00070062 .text C:\Windows\system32\wuauclt.exe[4956] ADVAPI32.dll!RegCreateKeyA 759EB8AE 5 Bytes JMP 00070047 .text C:\Windows\system32\wuauclt.exe[4956] ADVAPI32.dll!RegOpenKeyA 759F0BF5 5 Bytes JMP 00070000 .text C:\Windows\system32\wuauclt.exe[4956] ADVAPI32.dll!RegCreateKeyW 759FB83D 5 Bytes JMP 00070FC0 .text C:\Windows\system32\wuauclt.exe[4956] ADVAPI32.dll!RegCreateKeyExW 759FBCE1 5 Bytes JMP 00070073 .text C:\Windows\system32\wuauclt.exe[4956] ADVAPI32.dll!RegOpenKeyExA 759FD4E8 5 Bytes JMP 0007002C .text C:\Windows\system32\wuauclt.exe[4956] ADVAPI32.dll!RegOpenKeyW 75A03CB0 5 Bytes JMP 0007001B .text C:\Windows\system32\wuauclt.exe[4956] ADVAPI32.dll!RegOpenKeyExW 75A0F09D 5 Bytes JMP 00070FDB .text C:\Windows\system32\wuauclt.exe[4956] WININET.dll!InternetOpenA 76CF0A4D 5 Bytes JMP 008C0FE5 .text C:\Windows\system32\wuauclt.exe[4956] WININET.dll!InternetOpenUrlA 76CF2713 5 Bytes JMP 008C0011 .text C:\Windows\system32\wuauclt.exe[4956] WININET.dll!InternetOpenW 76CF30C8 5 Bytes JMP 008C0000 .text C:\Windows\system32\wuauclt.exe[4956] WININET.dll!InternetOpenUrlW 76D48515 5 Bytes JMP 008C002C ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [741B8864] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [741F9855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [741BB984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [741AFB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [741B7A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [741AEA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [741EB12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [741BBC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT 
C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [741B0756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [741B06BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [741A71B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7423D9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [741D7329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [741AE109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [741A697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [741A69A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll 
(Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [741B2475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) Device \Driver\iaStor \Device\Ide\iaStor0 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology) AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) Device \Driver\00000709 \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 870E6B80 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1f36512 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1f37b93 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3B 0xC7 0xEB 0xB8 ... 
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001fe1f36512 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001fe1f37b93 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3B 0xC7 0xEB 0xB8 ... ---- EOF - GMER 1.0.15 ----