GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-04-04 20:01:56 Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FBEO Running: 0n234i60.exe; Driver: C:\Users\Bodzio\AppData\Local\Temp\pxdiipow.sys ---- System - GMER 1.0.15 ---- Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8CE7E9BE] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8CE7E958] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8CE7E96C] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8CE7E9FC] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8CE7E930] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8CE7E944] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8CE7E9D2] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8CE7E9AA] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8CE7E996] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8CE7EA2B] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8CE7EA12] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8CE7E9E8] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
ZwCreateUserProcess [0x8CE7E982] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!ZwYieldExecution 82434C4A 5 Bytes JMP 8CE7E9EC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtOpenProcess 825CAAEC 3 Bytes JMP 8CE7E934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtOpenProcess + 4 825CAAF0 1 Byte [0A] PAGE ntoskrnl.exe!ZwProtectVirtualMemory 825FE90D 7 Bytes JMP 8CE7E9D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8260BA10 5 Bytes JMP 8CE7EA16 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtMapViewOfSection 8260BD99 7 Bytes JMP 8CE7EA00 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtCreateFile 826165B6 5 Bytes JMP 8CE7E9C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtSetInformationProcess 82616E64 5 Bytes JMP 8CE7E99A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwTerminateProcess 8261B519 5 Bytes JMP 8CE7EA2F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
PAGE ntoskrnl.exe!NtOpenThread 8261F7E1 5 Bytes JMP 8CE7E948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwCreateUserProcess 8262DDAB 5 Bytes JMP 8CE7E986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwCreateProcess 8268A841 5 Bytes JMP 8CE7E95C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwCreateProcessEx 8268A88C 7 Bytes JMP 8CE7E970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwSetContextThread 8268B347 5 Bytes JMP 8CE7E9AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) .sfrelocÿÿÿÿsfsync03unknown last section [0x82F44000, 0xA20, 0x40000040] C:\Windows\System32\drivers\sfsync03.sys unknown last section [0x82F44000, 0xA20, 0x40000040] .text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x82FBC300, 0x3AE88, 0xE8000020] .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x8CFF4300, 0x1B7E, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\system32\services.exe[644] kernel32.dll!GetStartupInfoW 76401929 5 Bytes JMP 009D0F61 .text C:\Windows\system32\services.exe[644] kernel32.dll!GetStartupInfoA 764019C9 5 Bytes JMP 009D0F72 .text C:\Windows\system32\services.exe[644] kernel32.dll!CreateProcessW 76401C01 5 Bytes JMP 009D0F46 .text C:\Windows\system32\services.exe[644] kernel32.dll!CreateProcessA 76401C36 5 Bytes JMP 009D00DD .text C:\Windows\system32\services.exe[644] kernel32.dll!VirtualProtect 76401DD1 5 Bytes JMP 009D0093 .text C:\Windows\system32\services.exe[644] kernel32.dll!CreateNamedPipeW 76405C44 5 Bytes JMP 009D0025 .text C:\Windows\system32\services.exe[644] kernel32.dll!LoadLibraryExW 7642374A 5 Bytes JMP 009D0076 .text C:\Windows\system32\services.exe[644] kernel32.dll!LoadLibraryW 7642382D 5 
Bytes JMP 009D004A .text C:\Windows\system32\services.exe[644] kernel32.dll!VirtualProtectEx 76428F5E 5 Bytes JMP 009D0F94 .text C:\Windows\system32\services.exe[644] kernel32.dll!LoadLibraryExA 76429649 5 Bytes JMP 009D005B .text C:\Windows\system32\services.exe[644] kernel32.dll!LoadLibraryA 76429671 5 Bytes JMP 009D0FC3 .text C:\Windows\system32\services.exe[644] kernel32.dll!CreatePipe 76430474 5 Bytes JMP 009D0F83 .text C:\Windows\system32\services.exe[644] kernel32.dll!GetProcAddress 7644BAC6 5 Bytes JMP 009D00F8 .text C:\Windows\system32\services.exe[644] kernel32.dll!CreateFileW 7644CE4E 5 Bytes JMP 009D0FD4 .text C:\Windows\system32\services.exe[644] kernel32.dll!CreateFileA 7644D171 5 Bytes JMP 009D0FE5 .text C:\Windows\system32\services.exe[644] kernel32.dll!CreateNamedPipeA 7649462E 5 Bytes JMP 009D0014 .text C:\Windows\system32\services.exe[644] kernel32.dll!WinExec 7649580B 5 Bytes JMP 009D00C2 .text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyExA 772BB5E7 5 Bytes JMP 00A7004E .text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyA 772BB8AE 5 Bytes JMP 00A70FB6 .text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyA 772C0BF5 5 Bytes JMP 00A70000 .text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyW 772CB83D 5 Bytes JMP 00A7003D .text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyExW 772CBCE1 5 Bytes JMP 00A70069 .text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyExA 772CD4E8 5 Bytes JMP 00A70022 .text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyW 772D3CB0 5 Bytes JMP 00A70011 .text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyExW 772DF09D 5 Bytes JMP 00A70FD1 .text C:\Windows\system32\services.exe[644] msvcrt.dll!_wsystem 75DD8A47 5 Bytes JMP 009C0067 .text C:\Windows\system32\services.exe[644] msvcrt.dll!system 75DD8B63 5 Bytes JMP 009C0042 .text C:\Windows\system32\services.exe[644] msvcrt.dll!_creat 75DDC6F1 5 Bytes JMP 
009C0FD2 .text C:\Windows\system32\services.exe[644] msvcrt.dll!_open 75DDDA7E 5 Bytes JMP 009C0FEF .text C:\Windows\system32\services.exe[644] msvcrt.dll!_wcreat 75DDDC9E 5 Bytes JMP 009C0031 .text C:\Windows\system32\services.exe[644] msvcrt.dll!_wopen 75DDDE79 5 Bytes JMP 009C000C .text C:\Windows\system32\services.exe[644] WS2_32.dll!socket 772636D1 5 Bytes JMP 00A60FEF .text C:\Windows\system32\lsass.exe[656] kernel32.dll!GetStartupInfoW 76401929 5 Bytes JMP 00170F37 .text C:\Windows\system32\lsass.exe[656] kernel32.dll!GetStartupInfoA 764019C9 5 Bytes JMP 0017007D .text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateProcessW 76401C01 5 Bytes JMP 00170F1C .text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateProcessA 76401C36 5 Bytes JMP 001700A9 .text C:\Windows\system32\lsass.exe[656] kernel32.dll!VirtualProtect 76401DD1 5 Bytes JMP 00170051 .text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateNamedPipeW 76405C44 5 Bytes JMP 00170FB9 .text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryExW 7642374A 5 Bytes JMP 00170036 .text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryW 7642382D 5 Bytes JMP 00170025 .text C:\Windows\system32\lsass.exe[656] kernel32.dll!VirtualProtectEx 76428F5E 5 Bytes JMP 00170F5C .text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryExA 76429649 5 Bytes JMP 00170F83 .text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryA 76429671 5 Bytes JMP 00170F9E .text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreatePipe 76430474 5 Bytes JMP 0017006C .text C:\Windows\system32\lsass.exe[656] kernel32.dll!GetProcAddress 7644BAC6 5 Bytes JMP 00170F0B .text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateFileW 7644CE4E 5 Bytes JMP 00170000 .text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateFileA 7644D171 5 Bytes JMP 00170FE5 .text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateNamedPipeA 7649462E 5 Bytes JMP 00170FCA .text C:\Windows\system32\lsass.exe[656] 
kernel32.dll!WinExec 7649580B 5 Bytes JMP 0017008E .text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyExA 772BB5E7 5 Bytes JMP 009E0087 .text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyA 772BB8AE 5 Bytes JMP 009E0051 .text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyA 772C0BF5 5 Bytes JMP 009E0000 .text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyW 772CB83D 5 Bytes JMP 009E006C .text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyExW 772CBCE1 5 Bytes JMP 009E0FCA .text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyExA 772CD4E8 5 Bytes JMP 009E002C .text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyW 772D3CB0 5 Bytes JMP 009E0011 .text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyExW 772DF09D 5 Bytes JMP 009E0FDB .text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_wsystem 75DD8A47 5 Bytes JMP 0016005D .text C:\Windows\system32\lsass.exe[656] msvcrt.dll!system 75DD8B63 5 Bytes JMP 00160FD2 .text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_creat 75DDC6F1 5 Bytes JMP 00160027 .text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_open 75DDDA7E 5 Bytes JMP 00160000 .text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_wcreat 75DDDC9E 5 Bytes JMP 00160042 .text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_wopen 75DDDE79 5 Bytes JMP 00160FE3 .text C:\Windows\system32\lsass.exe[656] WS2_32.dll!socket 772636D1 5 Bytes JMP 00180FEF .text C:\Windows\system32\svchost.exe[824] kernel32.dll!GetStartupInfoW 76401929 5 Bytes JMP 00170F72 .text C:\Windows\system32\svchost.exe[824] kernel32.dll!GetStartupInfoA 764019C9 5 Bytes JMP 001700B8 .text C:\Windows\system32\svchost.exe[824] kernel32.dll!CreateProcessW 76401C01 5 Bytes JMP 001700EE .text C:\Windows\system32\svchost.exe[824] kernel32.dll!CreateProcessA 76401C36 5 Bytes JMP 001700DD .text C:\Windows\system32\svchost.exe[824] kernel32.dll!VirtualProtect 76401DD1 5 Bytes JMP 00170093 .text 
C:\Windows\system32\svchost.exe[824] kernel32.dll!CreateNamedPipeW 76405C44 5 Bytes JMP 00170025 .text C:\Windows\system32\svchost.exe[824] kernel32.dll!LoadLibraryExW 7642374A 5 Bytes JMP 00170076 .text C:\Windows\system32\svchost.exe[824] kernel32.dll!LoadLibraryW 7642382D 5 Bytes JMP 0017005B .text C:\Windows\system32\svchost.exe[824] kernel32.dll!VirtualProtectEx 76428F5E 5 Bytes JMP 00170F9E .text C:\Windows\system32\svchost.exe[824] kernel32.dll!LoadLibraryExA 76429649 5 Bytes JMP 00170FB9 .text C:\Windows\system32\svchost.exe[824] kernel32.dll!LoadLibraryA 76429671 5 Bytes JMP 00170036 .text C:\Windows\system32\svchost.exe[824] kernel32.dll!CreatePipe 76430474 5 Bytes JMP 00170F83 .text C:\Windows\system32\svchost.exe[824] kernel32.dll!GetProcAddress 7644BAC6 5 Bytes JMP 00170109 .text C:\Windows\system32\svchost.exe[824] kernel32.dll!CreateFileW 7644CE4E 5 Bytes JMP 0017000A .text C:\Windows\system32\svchost.exe[824] kernel32.dll!CreateFileA 7644D171 5 Bytes JMP 00170FEF .text C:\Windows\system32\svchost.exe[824] kernel32.dll!CreateNamedPipeA 7649462E 5 Bytes JMP 00170FD4 .text C:\Windows\system32\svchost.exe[824] kernel32.dll!WinExec 7649580B 5 Bytes JMP 00170F57 .text C:\Windows\system32\svchost.exe[824] msvcrt.dll!_wsystem 75DD8A47 5 Bytes JMP 00160FE3 .text C:\Windows\system32\svchost.exe[824] msvcrt.dll!system 75DD8B63 5 Bytes JMP 0016006E .text C:\Windows\system32\svchost.exe[824] msvcrt.dll!_creat 75DDC6F1 5 Bytes JMP 0016002E .text C:\Windows\system32\svchost.exe[824] msvcrt.dll!_open 75DDDA7E 5 Bytes JMP 0016000C .text C:\Windows\system32\svchost.exe[824] msvcrt.dll!_wcreat 75DDDC9E 5 Bytes JMP 00160053 .text C:\Windows\system32\svchost.exe[824] msvcrt.dll!_wopen 75DDDE79 5 Bytes JMP 0016001D .text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyExA 772BB5E7 5 Bytes JMP 00190FA8 .text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyA 772BB8AE 5 Bytes JMP 00190040 .text C:\Windows\system32\svchost.exe[824] 
ADVAPI32.dll!RegOpenKeyA 772C0BF5 5 Bytes JMP 00190FEF .text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyW 772CB83D 5 Bytes JMP 00190FB9 .text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyExW 772CBCE1 5 Bytes JMP 0019005B .text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!RegOpenKeyExA 772CD4E8 5 Bytes JMP 00190014 .text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!RegOpenKeyW 772D3CB0 5 Bytes JMP 00190FDE .text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!RegOpenKeyExW 772DF09D 5 Bytes JMP 00190025 .text C:\Windows\system32\svchost.exe[824] WS2_32.dll!socket 772636D1 5 Bytes JMP 00180FE5 .text C:\Windows\system32\svchost.exe[884] kernel32.dll!GetStartupInfoW 76401929 5 Bytes JMP 008C00DA .text C:\Windows\system32\svchost.exe[884] kernel32.dll!GetStartupInfoA 764019C9 5 Bytes JMP 008C0F94 .text C:\Windows\system32\svchost.exe[884] kernel32.dll!CreateProcessW 76401C01 5 Bytes JMP 008C0F39 .text C:\Windows\system32\svchost.exe[884] kernel32.dll!CreateProcessA 76401C36 5 Bytes JMP 008C0F5E .text C:\Windows\system32\svchost.exe[884] kernel32.dll!VirtualProtect 76401DD1 5 Bytes JMP 008C009A .text C:\Windows\system32\svchost.exe[884] kernel32.dll!CreateNamedPipeW 76405C44 5 Bytes JMP 008C0036 .text C:\Windows\system32\svchost.exe[884] kernel32.dll!LoadLibraryExW 7642374A 1 Byte [E9] .text C:\Windows\system32\svchost.exe[884] kernel32.dll!LoadLibraryExW 7642374A 5 Bytes JMP 008C007F .text C:\Windows\system32\svchost.exe[884] kernel32.dll!LoadLibraryW 7642382D 5 Bytes JMP 008C0062 .text C:\Windows\system32\svchost.exe[884] kernel32.dll!VirtualProtectEx 76428F5E 5 Bytes JMP 008C00B5 .text C:\Windows\system32\svchost.exe[884] kernel32.dll!LoadLibraryExA 76429649 5 Bytes JMP 008C0FB6 .text C:\Windows\system32\svchost.exe[884] kernel32.dll!LoadLibraryA 76429671 5 Bytes JMP 008C0047 .text C:\Windows\system32\svchost.exe[884] kernel32.dll!CreatePipe 76430474 5 Bytes JMP 008C0FA5 .text C:\Windows\system32\svchost.exe[884] 
kernel32.dll!GetProcAddress 7644BAC6 5 Bytes JMP 008C0F1E .text C:\Windows\system32\svchost.exe[884] kernel32.dll!CreateFileW 7644CE4E 5 Bytes JMP 008C001B .text C:\Windows\system32\svchost.exe[884] kernel32.dll!CreateFileA 7644D171 5 Bytes JMP 008C000A .text C:\Windows\system32\svchost.exe[884] kernel32.dll!CreateNamedPipeA 7649462E 5 Bytes JMP 008C0FEF .text C:\Windows\system32\svchost.exe[884] kernel32.dll!WinExec 7649580B 5 Bytes JMP 008C0F79 .text C:\Windows\system32\svchost.exe[884] msvcrt.dll!_wsystem 75DD8A47 5 Bytes JMP 00520053 .text C:\Windows\system32\svchost.exe[884] msvcrt.dll!system 75DD8B63 5 Bytes JMP 00520042 .text C:\Windows\system32\svchost.exe[884] msvcrt.dll!_creat 75DDC6F1 5 Bytes JMP 00520FE3 .text C:\Windows\system32\svchost.exe[884] msvcrt.dll!_open 75DDDA7E 5 Bytes JMP 00520000 .text C:\Windows\system32\svchost.exe[884] msvcrt.dll!_wcreat 75DDDC9E 5 Bytes JMP 00520FD2 .text C:\Windows\system32\svchost.exe[884] msvcrt.dll!_wopen 75DDDE79 5 Bytes JMP 0052001D .text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyExA 772BB5E7 5 Bytes JMP 009A0047 .text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyA 772BB8AE 5 Bytes JMP 009A001B .text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyA 772C0BF5 5 Bytes JMP 009A0FEF .text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyW 772CB83D 5 Bytes JMP 009A0036 .text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyExW 772CBCE1 5 Bytes JMP 009A0F8A .text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyExA 772CD4E8 5 Bytes JMP 009A000A .text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyW 772D3CB0 5 Bytes JMP 009A0FDE .text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyExW 772DF09D 5 Bytes JMP 009A0FB9 .text C:\Windows\system32\svchost.exe[884] WS2_32.dll!socket 772636D1 5 Bytes JMP 00910000 .text C:\Windows\System32\svchost.exe[936] kernel32.dll!GetStartupInfoW 76401929 5 Bytes JMP 008D0F30 .text 
C:\Windows\System32\svchost.exe[936] kernel32.dll!GetStartupInfoA 764019C9 5 Bytes JMP 008D0F55 .text C:\Windows\System32\svchost.exe[936] kernel32.dll!CreateProcessW 76401C01 5 Bytes JMP 008D0F0E .text C:\Windows\System32\svchost.exe[936] kernel32.dll!CreateProcessA 76401C36 5 Bytes JMP 008D0F1F .text C:\Windows\System32\svchost.exe[936] kernel32.dll!VirtualProtect 76401DD1 5 Bytes JMP 008D0040 .text C:\Windows\System32\svchost.exe[936] kernel32.dll!CreateNamedPipeW 76405C44 5 Bytes JMP 008D0FA8 .text C:\Windows\System32\svchost.exe[936] kernel32.dll!LoadLibraryExW 7642374A 5 Bytes JMP 008D0F66 .text C:\Windows\System32\svchost.exe[936] kernel32.dll!LoadLibraryW 7642382D 5 Bytes JMP 008D002F .text C:\Windows\System32\svchost.exe[936] kernel32.dll!VirtualProtectEx 76428F5E 5 Bytes JMP 008D005B .text C:\Windows\System32\svchost.exe[936] kernel32.dll!LoadLibraryExA 76429649 5 Bytes JMP 008D0F8D .text C:\Windows\System32\svchost.exe[936] kernel32.dll!LoadLibraryA 76429671 5 Bytes JMP 008D001E .text C:\Windows\System32\svchost.exe[936] kernel32.dll!CreatePipe 76430474 5 Bytes JMP 008D0076 .text C:\Windows\System32\svchost.exe[936] kernel32.dll!GetProcAddress 7644BAC6 5 Bytes JMP 008D00C0 .text C:\Windows\System32\svchost.exe[936] kernel32.dll!CreateFileW 7644CE4E 5 Bytes JMP 008D0FCA .text C:\Windows\System32\svchost.exe[936] kernel32.dll!CreateFileA 7644D171 5 Bytes JMP 008D0FEF .text C:\Windows\System32\svchost.exe[936] kernel32.dll!CreateNamedPipeA 7649462E 5 Bytes JMP 008D0FB9 .text C:\Windows\System32\svchost.exe[936] kernel32.dll!WinExec 7649580B 5 Bytes JMP 008D0091 .text C:\Windows\System32\svchost.exe[936] msvcrt.dll!_wsystem 75DD8A47 5 Bytes JMP 008C0036 .text C:\Windows\System32\svchost.exe[936] msvcrt.dll!system 75DD8B63 5 Bytes JMP 008C0025 .text C:\Windows\System32\svchost.exe[936] msvcrt.dll!_creat 75DDC6F1 5 Bytes JMP 008C000A .text C:\Windows\System32\svchost.exe[936] msvcrt.dll!_open 75DDDA7E 5 Bytes JMP 008C0FEF .text 
C:\Windows\System32\svchost.exe[936] msvcrt.dll!_wcreat 75DDDC9E 5 Bytes JMP 008C0FAB .text C:\Windows\System32\svchost.exe[936] msvcrt.dll!_wopen 75DDDE79 5 Bytes JMP 008C0FC6 .text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExA 772BB5E7 5 Bytes JMP 0093002C .text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyA 772BB8AE 5 Bytes JMP 0093001B .text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyA 772C0BF5 5 Bytes JMP 00930FEF .text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyW 772CB83D 5 Bytes JMP 00930F8A .text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExW 772CBCE1 5 Bytes JMP 0093003D .text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExA 772CD4E8 5 Bytes JMP 00930FB9 .text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyW 772D3CB0 5 Bytes JMP 00930FD4 .text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExW 772DF09D 5 Bytes JMP 0093000A .text C:\Windows\System32\svchost.exe[936] WS2_32.dll!socket 772636D1 5 Bytes JMP 008E0000 .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 76401929 5 Bytes JMP 018A0F21 .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 764019C9 5 Bytes JMP 018A0F3C .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!CreateProcessW 76401C01 5 Bytes JMP 018A0F06 .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!CreateProcessA 76401C36 5 Bytes JMP 018A009D .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!VirtualProtect 76401DD1 5 Bytes JMP 018A0F4D .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 76405C44 5 Bytes JMP 018A0FA8 .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 7642374A 5 Bytes JMP 018A001B .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!LoadLibraryW 7642382D 5 Bytes JMP 018A000A .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 76428F5E 5 Bytes JMP 018A004C .text 
C:\Windows\System32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 76429649 5 Bytes JMP 018A0F5E .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!LoadLibraryA 76429671 5 Bytes JMP 018A0F83 .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!CreatePipe 76430474 5 Bytes JMP 018A0067 .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!GetProcAddress 7644BAC6 5 Bytes JMP 018A0EEB .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!CreateFileW 7644CE4E 5 Bytes JMP 018A0FD4 .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!CreateFileA 7644D171 5 Bytes JMP 018A0FE5 .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 7649462E 5 Bytes JMP 018A0FC3 .text C:\Windows\System32\svchost.exe[1044] kernel32.dll!WinExec 7649580B 5 Bytes JMP 018A0082 .text C:\Windows\System32\svchost.exe[1044] msvcrt.dll!_wsystem 75DD8A47 5 Bytes JMP 01800047 .text C:\Windows\System32\svchost.exe[1044] msvcrt.dll!system 75DD8B63 5 Bytes JMP 01800FB2 .text C:\Windows\System32\svchost.exe[1044] msvcrt.dll!_creat 75DDC6F1 5 Bytes JMP 01800011 .text C:\Windows\System32\svchost.exe[1044] msvcrt.dll!_open 75DDDA7E 5 Bytes JMP 01800FE3 .text C:\Windows\System32\svchost.exe[1044] msvcrt.dll!_wcreat 75DDDC9E 5 Bytes JMP 01800022 .text C:\Windows\System32\svchost.exe[1044] msvcrt.dll!_wopen 75DDDE79 5 Bytes JMP 01800000 .text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 772BB5E7 5 Bytes JMP 01900051 .text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 772BB8AE 5 Bytes JMP 01900040 .text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 772C0BF5 5 Bytes JMP 01900FEF .text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 772CB83D 5 Bytes JMP 01900FAF .text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 772CBCE1 5 Bytes JMP 01900062 .text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 772CD4E8 5 Bytes JMP 01900FD4 .text C:\Windows\System32\svchost.exe[1044] 
ADVAPI32.dll!RegOpenKeyW 772D3CB0 5 Bytes JMP 01900000 .text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 772DF09D 5 Bytes JMP 01900025 .text C:\Windows\System32\svchost.exe[1044] WS2_32.dll!socket 772636D1 5 Bytes JMP 018B000A .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 76401929 5 Bytes JMP 01440F25 .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 764019C9 5 Bytes JMP 01440F40 .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 76401C01 5 Bytes JMP 01440F00 .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 76401C36 5 Bytes JMP 01440097 .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!VirtualProtect 76401DD1 5 Bytes JMP 0144005A .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 76405C44 5 Bytes JMP 0144001B .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 7642374A 5 Bytes JMP 0144003D .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryW 7642382D 5 Bytes JMP 01440F94 .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 76428F5E 5 Bytes JMP 01440F65 .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 76429649 5 Bytes JMP 0144002C .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryA 76429671 5 Bytes JMP 01440FA5 .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreatePipe 76430474 5 Bytes JMP 01440075 .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!GetProcAddress 7644BAC6 5 Bytes JMP 014400BC .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateFileW 7644CE4E 5 Bytes JMP 01440FE5 .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateFileA 7644D171 5 Bytes JMP 0144000A .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 7649462E 5 Bytes JMP 01440FCA .text C:\Windows\system32\svchost.exe[1064] kernel32.dll!WinExec 7649580B 5 Bytes JMP 01440086 .text 
C:\Windows\system32\svchost.exe[1064] msvcrt.dll!_wsystem 75DD8A47 5 Bytes JMP 00FF0F89 .text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!system 75DD8B63 5 Bytes JMP 00FF0F9A .text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!_creat 75DDC6F1 5 Bytes JMP 00FF000A .text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!_open 75DDDA7E 5 Bytes JMP 00FF0FE3 .text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!_wcreat 75DDDC9E 5 Bytes JMP 00FF0FB5 .text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!_wopen 75DDDE79 5 Bytes JMP 00FF0FD2 .text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 772BB5E7 5 Bytes JMP 01460FB9 .text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 772BB8AE 5 Bytes JMP 01460051 .text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 772C0BF5 5 Bytes JMP 01460FEF .text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 772CB83D 5 Bytes JMP 01460FD4 .text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 772CBCE1 5 Bytes JMP 01460FA8 .text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 772CD4E8 5 Bytes JMP 01460025 .text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 772D3CB0 5 Bytes JMP 01460014 .text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 772DF09D 5 Bytes JMP 01460040 .text C:\Windows\system32\svchost.exe[1064] WS2_32.dll!socket 772636D1 5 Bytes JMP 01450000 .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoW 76401929 5 Bytes JMP 009F0F41 .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoA 764019C9 5 Bytes JMP 009F0087 .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!CreateProcessW 76401C01 5 Bytes JMP 009F0F12 .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!CreateProcessA 76401C36 5 Bytes JMP 009F00A9 .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!VirtualProtect 76401DD1 5 Bytes JMP 009F0051 .text 
C:\Windows\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeW 76405C44 5 Bytes JMP 009F0F9E .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExW 7642374A 5 Bytes JMP 009F0F77 .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!LoadLibraryW 7642382D 5 Bytes JMP 009F0025 .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!VirtualProtectEx 76428F5E 5 Bytes JMP 009F006C .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExA 76429649 5 Bytes JMP 009F0040 .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!LoadLibraryA 76429671 5 Bytes JMP 009F000A .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!CreatePipe 76430474 5 Bytes JMP 009F0F52 .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!GetProcAddress 7644BAC6 5 Bytes JMP 009F00CE .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!CreateFileW 7644CE4E 5 Bytes JMP 009F0FD4 .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!CreateFileA 7644D171 5 Bytes JMP 009F0FEF .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeA 7649462E 5 Bytes JMP 009F0FC3 .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!WinExec 7649580B 5 Bytes JMP 009F0098 .text C:\Windows\system32\svchost.exe[1252] msvcrt.dll!_wsystem 75DD8A47 5 Bytes JMP 00170FB4 .text C:\Windows\system32\svchost.exe[1252] msvcrt.dll!system 75DD8B63 5 Bytes JMP 00170FC5 .text C:\Windows\system32\svchost.exe[1252] msvcrt.dll!_creat 75DDC6F1 5 Bytes JMP 0017002E .text C:\Windows\system32\svchost.exe[1252] msvcrt.dll!_open 75DDDA7E 5 Bytes JMP 00170000 .text C:\Windows\system32\svchost.exe[1252] msvcrt.dll!_wcreat 75DDDC9E 5 Bytes JMP 0017003F .text C:\Windows\system32\svchost.exe[1252] msvcrt.dll!_wopen 75DDDE79 5 Bytes JMP 0017001D .text C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExA 772BB5E7 5 Bytes JMP 00A50051 .text C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyA 772BB8AE 5 Bytes JMP 00A50FC0 .text 
C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyA 772C0BF5 5 Bytes JMP 00A50FEF .text C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyW 772CB83D 5 Bytes JMP 00A50FAF .text C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExW 772CBCE1 5 Bytes JMP 00A50F94 .text C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExA 772CD4E8 5 Bytes JMP 00A50011 .text C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyW 772D3CB0 5 Bytes JMP 00A50000 .text C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExW 772DF09D 5 Bytes JMP 00A50022 .text C:\Windows\system32\svchost.exe[1252] WS2_32.dll!socket 772636D1 5 Bytes JMP 00A40FE5 .text C:\Windows\system32\svchost.exe[1252] WinInet.dll!InternetOpenA 76110A4D 5 Bytes JMP 009E0FEF .text C:\Windows\system32\svchost.exe[1252] WinInet.dll!InternetOpenUrlA 76112713 5 Bytes JMP 009E0FB9 .text C:\Windows\system32\svchost.exe[1252] WinInet.dll!InternetOpenW 761130C8 5 Bytes JMP 009E0FCA .text C:\Windows\system32\svchost.exe[1252] WinInet.dll!InternetOpenUrlW 76168515 5 Bytes JMP 009E000A .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!GetStartupInfoW 76401929 5 Bytes JMP 00FF0F52 .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!GetStartupInfoA 764019C9 5 Bytes JMP 00FF008E .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!CreateProcessW 76401C01 5 Bytes JMP 00FF0F26 .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!CreateProcessA 76401C36 5 Bytes JMP 00FF00BD .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!VirtualProtect 76401DD1 5 Bytes JMP 00FF0069 .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!CreateNamedPipeW 76405C44 5 Bytes JMP 00FF0036 .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!LoadLibraryExW 7642374A 5 Bytes JMP 00FF0F9B .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!LoadLibraryW 7642382D 5 Bytes JMP 00FF0047 .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!VirtualProtectEx 76428F5E 5 
Bytes JMP 00FF0F7E .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!LoadLibraryExA 76429649 5 Bytes JMP 00FF0058 .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!LoadLibraryA 76429671 5 Bytes JMP 00FF0FCA .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!CreatePipe 76430474 5 Bytes JMP 00FF0F63 .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!GetProcAddress 7644BAC6 5 Bytes JMP 00FF00D8 .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!CreateFileW 7644CE4E 5 Bytes JMP 00FF0FE5 .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!CreateFileA 7644D171 5 Bytes JMP 00FF0000 .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!CreateNamedPipeA 7649462E 5 Bytes JMP 00FF0025 .text C:\Windows\system32\svchost.exe[1444] kernel32.dll!WinExec 7649580B 5 Bytes JMP 00FF0F41 .text C:\Windows\system32\svchost.exe[1444] msvcrt.dll!_wsystem 75DD8A47 5 Bytes JMP 00F90FA6 .text C:\Windows\system32\svchost.exe[1444] msvcrt.dll!system 75DD8B63 5 Bytes JMP 00F90FB7 .text C:\Windows\system32\svchost.exe[1444] msvcrt.dll!_creat 75DDC6F1 5 Bytes JMP 00F90FE3 .text C:\Windows\system32\svchost.exe[1444] msvcrt.dll!_open 75DDDA7E 5 Bytes JMP 00F90000 .text C:\Windows\system32\svchost.exe[1444] msvcrt.dll!_wcreat 75DDDC9E 5 Bytes JMP 00F90FD2 .text C:\Windows\system32\svchost.exe[1444] msvcrt.dll!_wopen 75DDDE79 5 Bytes JMP 00F9001D .text C:\Windows\system32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyExA 772BB5E7 5 Bytes JMP 01D10F94 .text C:\Windows\system32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyA 772BB8AE 5 Bytes JMP 01D10FB6 .text C:\Windows\system32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyA 772C0BF5 5 Bytes JMP 01D10FEF .text C:\Windows\system32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyW 772CB83D 5 Bytes JMP 01D10FA5 .text C:\Windows\system32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyExW 772CBCE1 5 Bytes JMP 01D10F83 .text C:\Windows\system32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyExA 772CD4E8 5 Bytes JMP 01D1001B .text 
C:\Windows\system32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyW 772D3CB0 5 Bytes JMP 01D10000 .text C:\Windows\system32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyExW 772DF09D 5 Bytes JMP 01D1002C .text C:\Windows\system32\svchost.exe[1444] WS2_32.dll!socket 772636D1 5 Bytes JMP 01D00FEF .text C:\Windows\Explorer.EXE[1644] kernel32.dll!GetStartupInfoW 76401929 5 Bytes JMP 04EF00B8 .text C:\Windows\Explorer.EXE[1644] kernel32.dll!GetStartupInfoA 764019C9 5 Bytes JMP 04EF0093 .text C:\Windows\Explorer.EXE[1644] kernel32.dll!CreateProcessW 76401C01 5 Bytes JMP 04EF0F43 .text C:\Windows\Explorer.EXE[1644] kernel32.dll!CreateProcessA 76401C36 5 Bytes JMP 04EF00DA .text C:\Windows\Explorer.EXE[1644] kernel32.dll!VirtualProtect 76401DD1 5 Bytes JMP 04EF0F79 .text C:\Windows\Explorer.EXE[1644] kernel32.dll!CreateNamedPipeW 76405C44 5 Bytes JMP 04EF0022 .text C:\Windows\Explorer.EXE[1644] kernel32.dll!LoadLibraryExW 7642374A 5 Bytes JMP 04EF0053 .text C:\Windows\Explorer.EXE[1644] kernel32.dll!LoadLibraryW 7642382D 5 Bytes JMP 04EF0F9B .text C:\Windows\Explorer.EXE[1644] kernel32.dll!VirtualProtectEx 76428F5E 5 Bytes JMP 04EF006E .text C:\Windows\Explorer.EXE[1644] kernel32.dll!LoadLibraryExA 76429649 5 Bytes JMP 04EF0F8A .text C:\Windows\Explorer.EXE[1644] kernel32.dll!LoadLibraryA 76429671 5 Bytes JMP 04EF0FAC .text C:\Windows\Explorer.EXE[1644] kernel32.dll!CreatePipe 76430474 5 Bytes JMP 04EF0F68 .text C:\Windows\Explorer.EXE[1644] kernel32.dll!GetProcAddress 7644BAC6 5 Bytes JMP 04EF00FF .text C:\Windows\Explorer.EXE[1644] kernel32.dll!CreateFileW 7644CE4E 5 Bytes JMP 04EF0FE5 .text C:\Windows\Explorer.EXE[1644] kernel32.dll!CreateFileA 7644D171 5 Bytes JMP 04EF0000 .text C:\Windows\Explorer.EXE[1644] kernel32.dll!CreateNamedPipeA 7649462E 5 Bytes JMP 04EF0011 .text C:\Windows\Explorer.EXE[1644] kernel32.dll!WinExec 7649580B 5 Bytes JMP 04EF00C9 .text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!RegCreateKeyExA 772BB5E7 5 Bytes JMP 04F10F8D .text 
C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!RegCreateKeyA 772BB8AE 1 Byte [E9] .text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!RegCreateKeyA 772BB8AE 5 Bytes JMP 04F10FB2 .text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!RegOpenKeyA 772C0BF5 5 Bytes JMP 04F10FEF .text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!RegCreateKeyW 772CB83D 5 Bytes JMP 04F1002F .text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!RegCreateKeyExW 772CBCE1 5 Bytes JMP 04F1004A .text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!RegOpenKeyExA 772CD4E8 5 Bytes JMP 04F10FDE .text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!RegOpenKeyW 772D3CB0 5 Bytes JMP 04F10014 .text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!RegOpenKeyExW 772DF09D 5 Bytes JMP 04F10FCD .text C:\Windows\Explorer.EXE[1644] msvcrt.dll!_wsystem 75DD8A47 5 Bytes JMP 04E10039 .text C:\Windows\Explorer.EXE[1644] msvcrt.dll!system 75DD8B63 5 Bytes JMP 04E10FA4 .text C:\Windows\Explorer.EXE[1644] msvcrt.dll!_creat 75DDC6F1 5 Bytes JMP 04E10FC6 .text C:\Windows\Explorer.EXE[1644] msvcrt.dll!_open 75DDDA7E 5 Bytes JMP 04E10000 .text C:\Windows\Explorer.EXE[1644] msvcrt.dll!_wcreat 75DDDC9E 5 Bytes JMP 04E10FB5 .text C:\Windows\Explorer.EXE[1644] msvcrt.dll!_wopen 75DDDE79 5 Bytes JMP 04E10FE3 .text C:\Windows\Explorer.EXE[1644] WS2_32.dll!socket 772636D1 5 Bytes JMP 04F00000 .text C:\Windows\Explorer.EXE[1644] WININET.dll!InternetOpenA 76110A4D 5 Bytes JMP 04E60000 .text C:\Windows\Explorer.EXE[1644] WININET.dll!InternetOpenUrlA 76112713 5 Bytes JMP 04E60036 .text C:\Windows\Explorer.EXE[1644] WININET.dll!InternetOpenW 761130C8 5 Bytes JMP 04E6001B .text C:\Windows\Explorer.EXE[1644] WININET.dll!InternetOpenUrlW 76168515 5 Bytes JMP 04E60047 .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!GetStartupInfoW 76401929 5 Bytes JMP 00330F55 .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!GetStartupInfoA 764019C9 5 Bytes JMP 00330F66 .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!CreateProcessW 76401C01 5 Bytes JMP 003300C0 
.text C:\Windows\system32\svchost.exe[2132] kernel32.dll!CreateProcessA 76401C36 5 Bytes JMP 00330F29 .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!VirtualProtect 76401DD1 5 Bytes JMP 00330F8B .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!CreateNamedPipeW 76405C44 5 Bytes JMP 00330FD4 .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!LoadLibraryExW 7642374A 5 Bytes JMP 00330065 .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!LoadLibraryW 7642382D 5 Bytes JMP 0033004A .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!VirtualProtectEx 76428F5E 5 Bytes JMP 00330076 .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!LoadLibraryExA 76429649 5 Bytes JMP 00330FA8 .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!LoadLibraryA 76429671 5 Bytes JMP 00330FC3 .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!CreatePipe 76430474 5 Bytes JMP 00330087 .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!GetProcAddress 7644BAC6 5 Bytes JMP 003300DB .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!CreateFileW 7644CE4E 5 Bytes JMP 0033001B .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!CreateFileA 7644D171 5 Bytes JMP 00330000 .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!CreateNamedPipeA 7649462E 5 Bytes JMP 00330FE5 .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!WinExec 7649580B 5 Bytes JMP 00330F44 .text C:\Windows\system32\svchost.exe[2132] msvcrt.dll!_wsystem 75DD8A47 5 Bytes JMP 00310042 .text C:\Windows\system32\svchost.exe[2132] msvcrt.dll!system 75DD8B63 5 Bytes JMP 00310FB7 .text C:\Windows\system32\svchost.exe[2132] msvcrt.dll!_creat 75DDC6F1 5 Bytes JMP 0031000C .text C:\Windows\system32\svchost.exe[2132] msvcrt.dll!_open 75DDDA7E 5 Bytes JMP 00310FEF .text C:\Windows\system32\svchost.exe[2132] msvcrt.dll!_wcreat 75DDDC9E 5 Bytes JMP 00310027 .text C:\Windows\system32\svchost.exe[2132] msvcrt.dll!_wopen 75DDDE79 5 Bytes JMP 00310FD2 .text 
C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegCreateKeyExA 772BB5E7 5 Bytes JMP 004C0036 .text C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegCreateKeyA 772BB8AE 5 Bytes JMP 004C0025 .text C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegOpenKeyA 772C0BF5 5 Bytes JMP 004C0000 .text C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegCreateKeyW 772CB83D 5 Bytes JMP 004C0F94 .text C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegCreateKeyExW 772CBCE1 5 Bytes JMP 004C0047 .text C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegOpenKeyExA 772CD4E8 5 Bytes JMP 004C0FCA .text C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegOpenKeyW 772D3CB0 5 Bytes JMP 004C0FE5 .text C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegOpenKeyExW 772DF09D 5 Bytes JMP 004C0FB9 .text C:\Windows\system32\svchost.exe[2132] WS2_32.dll!socket 772636D1 5 Bytes JMP 00340000 .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!GetStartupInfoW 76401929 5 Bytes JMP 001E0F41 .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!GetStartupInfoA 764019C9 5 Bytes JMP 001E0F5C .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!CreateProcessW 76401C01 5 Bytes JMP 001E00D8 .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!CreateProcessA 76401C36 5 Bytes JMP 001E00BD .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!VirtualProtect 76401DD1 5 Bytes JMP 001E0F8F .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!CreateNamedPipeW 76405C44 5 Bytes JMP 001E002C .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!LoadLibraryExW 7642374A 5 Bytes JMP 001E0069 .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!LoadLibraryW 7642382D 5 Bytes JMP 001E003D .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!VirtualProtectEx 76428F5E 5 Bytes JMP 001E0F7E .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!LoadLibraryExA 76429649 5 Bytes JMP 001E0058 .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!LoadLibraryA 76429671 5 
Bytes JMP 001E0FB6 .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!CreatePipe 76430474 5 Bytes JMP 001E0F6D .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!GetProcAddress 7644BAC6 5 Bytes JMP 001E0F26 .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!CreateFileW 7644CE4E 5 Bytes JMP 001E0011 .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!CreateFileA 7644D171 5 Bytes JMP 001E0000 .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!CreateNamedPipeA 7649462E 5 Bytes JMP 001E0FDB .text C:\Windows\system32\svchost.exe[2248] kernel32.dll!WinExec 7649580B 5 Bytes JMP 001E00AC .text C:\Windows\system32\svchost.exe[2248] msvcrt.dll!_wsystem 75DD8A47 5 Bytes JMP 001D0FA6 .text C:\Windows\system32\svchost.exe[2248] msvcrt.dll!system 75DD8B63 5 Bytes JMP 001D0FC1 .text C:\Windows\system32\svchost.exe[2248] msvcrt.dll!_creat 75DDC6F1 5 Bytes JMP 001D0FE3 .text C:\Windows\system32\svchost.exe[2248] msvcrt.dll!_open 75DDDA7E 5 Bytes JMP 001D0000 .text C:\Windows\system32\svchost.exe[2248] msvcrt.dll!_wcreat 75DDDC9E 5 Bytes JMP 001D0FD2 .text C:\Windows\system32\svchost.exe[2248] msvcrt.dll!_wopen 75DDDE79 5 Bytes JMP 001D001D .text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyExA 772BB5E7 5 Bytes JMP 00240062 .text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyA 772BB8AE 5 Bytes JMP 00240036 .text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyA 772C0BF5 5 Bytes JMP 00240000 .text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyW 772CB83D 5 Bytes JMP 00240051 .text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyExW 772CBCE1 5 Bytes JMP 0024007D .text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyExA 772CD4E8 5 Bytes JMP 00240FE5 .text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyW 772D3CB0 5 Bytes JMP 0024001B .text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyExW 772DF09D 5 Bytes JMP 00240FC0 .text 
C:\Windows\system32\svchost.exe[2248] WS2_32.dll!socket 772636D1 5 Bytes JMP 001F0000 .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!GetStartupInfoW 76401929 5 Bytes JMP 01510075 .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!GetStartupInfoA 764019C9 5 Bytes JMP 01510F2F .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!CreateProcessW 76401C01 5 Bytes JMP 01510F0A .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!CreateProcessA 76401C36 5 Bytes JMP 015100A1 .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!VirtualProtect 76401DD1 5 Bytes JMP 01510F65 .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!CreateNamedPipeW 76405C44 5 Bytes JMP 01510FC7 .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!LoadLibraryExW 7642374A 5 Bytes JMP 01510F80 .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!LoadLibraryW 7642382D 5 Bytes JMP 01510FAC .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!VirtualProtectEx 76428F5E 5 Bytes JMP 01510F54 .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!LoadLibraryExA 76429649 5 Bytes JMP 01510F91 .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!LoadLibraryA 76429671 5 Bytes JMP 01510033 .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!CreatePipe 76430474 5 Bytes JMP 01510064 .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!GetProcAddress 7644BAC6 5 Bytes JMP 01510EF9 .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!CreateFileW 7644CE4E 5 Bytes JMP 01510011 .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!CreateFileA 7644D171 5 Bytes JMP 01510000 .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!CreateNamedPipeA 7649462E 5 Bytes JMP 01510022 .text C:\Windows\System32\svchost.exe[2264] kernel32.dll!WinExec 7649580B 5 Bytes JMP 01510086 .text C:\Windows\System32\svchost.exe[2264] msvcrt.dll!_wsystem 75DD8A47 5 Bytes JMP 00360FB7 .text C:\Windows\System32\svchost.exe[2264] msvcrt.dll!system 75DD8B63 5 Bytes JMP 00360042 .text 
C:\Windows\System32\svchost.exe[2264] msvcrt.dll!_creat 75DDC6F1 5 Bytes JMP 00360016 .text C:\Windows\System32\svchost.exe[2264] msvcrt.dll!_open 75DDDA7E 5 Bytes JMP 00360FEF .text C:\Windows\System32\svchost.exe[2264] msvcrt.dll!_wcreat 75DDDC9E 5 Bytes JMP 00360027 .text C:\Windows\System32\svchost.exe[2264] msvcrt.dll!_wopen 75DDDE79 5 Bytes JMP 00360FD2 .text C:\Windows\System32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyExA 772BB5E7 5 Bytes JMP 01560FCA .text C:\Windows\System32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyA 772BB8AE 5 Bytes JMP 01560051 .text C:\Windows\System32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyA 772C0BF5 5 Bytes JMP 01560FEF .text C:\Windows\System32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyW 772CB83D 5 Bytes JMP 01560062 .text C:\Windows\System32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyExW 772CBCE1 5 Bytes JMP 01560087 .text C:\Windows\System32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyExA 772CD4E8 5 Bytes JMP 01560025 .text C:\Windows\System32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyW 772D3CB0 5 Bytes JMP 0156000A .text C:\Windows\System32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyExW 772DF09D 5 Bytes JMP 01560036 .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2508] kernel32.dll!LoadLibraryW 7642382D 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2508] kernel32.dll!LoadLibraryA 76429671 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) 
.text C:\Windows\system32\svchost.exe[2932] kernel32.dll!GetStartupInfoW 76401929 5 Bytes JMP 00A800B8 .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!GetStartupInfoA 764019C9 5 Bytes JMP 00A8009D .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!CreateProcessW 76401C01 5 Bytes JMP 00A800EE .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!CreateProcessA 76401C36 5 Bytes JMP 00A800DD .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!VirtualProtect 76401DD1 5 Bytes JMP 00A80F97 .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!CreateNamedPipeW 76405C44 5 Bytes JMP 00A80FD4 .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!LoadLibraryExW 7642374A 5 Bytes JMP 00A80FA8 .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!LoadLibraryW 7642382D 5 Bytes JMP 00A80FC3 .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!VirtualProtectEx 76428F5E 5 Bytes JMP 00A80082 .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!LoadLibraryExA 76429649 5 Bytes JMP 00A80065 .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!LoadLibraryA 76429671 5 Bytes JMP 00A8004A .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!CreatePipe 76430474 5 Bytes JMP 00A80F72 .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!GetProcAddress 7644BAC6 5 Bytes JMP 00A80F3C .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!CreateFileW 7644CE4E 5 Bytes JMP 00A80014 .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!CreateFileA 7644D171 5 Bytes JMP 00A80FEF .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!CreateNamedPipeA 7649462E 5 Bytes JMP 00A80025 .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!WinExec 7649580B 5 Bytes JMP 00A80F57 .text C:\Windows\system32\svchost.exe[2932] msvcrt.dll!_wsystem 75DD8A47 5 Bytes JMP 00A30038 .text C:\Windows\system32\svchost.exe[2932] msvcrt.dll!system 75DD8B63 5 Bytes JMP 00A30027 .text C:\Windows\system32\svchost.exe[2932] msvcrt.dll!_creat 75DDC6F1 5 Bytes JMP 00A30FD2 
.text C:\Windows\system32\svchost.exe[2932] msvcrt.dll!_open 75DDDA7E 5 Bytes JMP 00A30FE3 .text C:\Windows\system32\svchost.exe[2932] msvcrt.dll!_wcreat 75DDDC9E 5 Bytes JMP 00A30FB7 .text C:\Windows\system32\svchost.exe[2932] msvcrt.dll!_wopen 75DDDE79 5 Bytes JMP 00A3000C .text C:\Windows\system32\svchost.exe[2932] ADVAPI32.dll!RegCreateKeyExA 772BB5E7 5 Bytes JMP 00E90058 .text C:\Windows\system32\svchost.exe[2932] ADVAPI32.dll!RegCreateKeyA 772BB8AE 5 Bytes JMP 00E90036 .text C:\Windows\system32\svchost.exe[2932] ADVAPI32.dll!RegOpenKeyA 772C0BF5 5 Bytes JMP 00E9000A .text C:\Windows\system32\svchost.exe[2932] ADVAPI32.dll!RegCreateKeyW 772CB83D 5 Bytes JMP 00E90047 .text C:\Windows\system32\svchost.exe[2932] ADVAPI32.dll!RegCreateKeyExW 772CBCE1 5 Bytes JMP 00E90073 .text C:\Windows\system32\svchost.exe[2932] ADVAPI32.dll!RegOpenKeyExA 772CD4E8 5 Bytes JMP 00E90FD4 .text C:\Windows\system32\svchost.exe[2932] ADVAPI32.dll!RegOpenKeyW 772D3CB0 5 Bytes JMP 00E90FE5 .text C:\Windows\system32\svchost.exe[2932] ADVAPI32.dll!RegOpenKeyExW 772DF09D 5 Bytes JMP 00E90025 .text C:\Windows\system32\svchost.exe[2932] WS2_32.dll!socket 772636D1 5 Bytes JMP 00E40FEF .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!GetStartupInfoW 76401929 5 Bytes JMP 000C0F7C .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!GetStartupInfoA 764019C9 5 Bytes JMP 000C00C2 .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!CreateProcessW 76401C01 5 Bytes JMP 000C0F35 .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!CreateProcessA 76401C36 5 Bytes JMP 000C0F50 .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!VirtualProtect 76401DD1 5 Bytes JMP 000C00A7 .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!CreateNamedPipeW 76405C44 5 Bytes JMP 000C002F .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!LoadLibraryExW 7642374A 5 Bytes JMP 000C0FC3 .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!LoadLibraryW 7642382D 5 Bytes JMP 000C005B .text 
C:\Windows\System32\svchost.exe[3024] kernel32.dll!VirtualProtectEx 76428F5E 5 Bytes JMP 000C0FB2 .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!LoadLibraryExA 76429649 5 Bytes JMP 000C0080 .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!LoadLibraryA 76429671 5 Bytes JMP 000C004A .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!CreatePipe 76430474 5 Bytes JMP 000C0F97 .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!GetProcAddress 7644BAC6 5 Bytes JMP 000C0F1A .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!CreateFileW 7644CE4E 5 Bytes JMP 000C0FDE .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!CreateFileA 7644D171 5 Bytes JMP 000C0FEF .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!CreateNamedPipeA 7649462E 5 Bytes JMP 000C001E .text C:\Windows\System32\svchost.exe[3024] kernel32.dll!WinExec 7649580B 5 Bytes JMP 000C0F61 .text C:\Windows\System32\svchost.exe[3024] msvcrt.dll!_wsystem 75DD8A47 5 Bytes JMP 000A0FA6 .text C:\Windows\System32\svchost.exe[3024] msvcrt.dll!system 75DD8B63 5 Bytes JMP 000A0031 .text C:\Windows\System32\svchost.exe[3024] msvcrt.dll!_creat 75DDC6F1 5 Bytes JMP 000A000C .text C:\Windows\System32\svchost.exe[3024] msvcrt.dll!_open 75DDDA7E 5 Bytes JMP 000A0FEF .text C:\Windows\System32\svchost.exe[3024] msvcrt.dll!_wcreat 75DDDC9E 5 Bytes JMP 000A0FB7 .text C:\Windows\System32\svchost.exe[3024] msvcrt.dll!_wopen 75DDDE79 5 Bytes JMP 000A0FD2 .text C:\Windows\System32\svchost.exe[3024] ADVAPI32.dll!RegCreateKeyExA 772BB5E7 5 Bytes JMP 000D0047 .text C:\Windows\System32\svchost.exe[3024] ADVAPI32.dll!RegCreateKeyA 772BB8AE 5 Bytes JMP 000D002C .text C:\Windows\System32\svchost.exe[3024] ADVAPI32.dll!RegOpenKeyA 772C0BF5 5 Bytes JMP 000D0000 .text C:\Windows\System32\svchost.exe[3024] ADVAPI32.dll!RegCreateKeyW 772CB83D 5 Bytes JMP 000D0FA5 .text C:\Windows\System32\svchost.exe[3024] ADVAPI32.dll!RegCreateKeyExW 772CBCE1 5 Bytes JMP 000D0F8A .text 
C:\Windows\System32\svchost.exe[3024] ADVAPI32.dll!RegOpenKeyExA 772CD4E8 5 Bytes JMP 000D0FCA .text C:\Windows\System32\svchost.exe[3024] ADVAPI32.dll!RegOpenKeyW 772D3CB0 5 Bytes JMP 000D0FE5 .text C:\Windows\System32\svchost.exe[3024] ADVAPI32.dll!RegOpenKeyExW 772DF09D 5 Bytes JMP 000D001B ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74238864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74279855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7423B984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7422FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74237A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7422EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7426B12D] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7423BC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74230756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [742306BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [742271B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [742BD9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74257329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7422E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] 
@ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7422697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [742269A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74232475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) Device \Driver\iaStor \Device\Ide\iaStor0 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology) AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) 
Device \Driver\USBSTOR -> DriverStartIo \Device\0000009e B1D48A44 Device \Driver\USBSTOR \Device\0000009e B1D51B40 Device \Driver\USBSTOR \Device\0000009e sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\USBSTOR -> DriverStartIo \Device\0000009f B1D48A44 Device \Driver\USBSTOR \Device\0000009f B1D51B40 Device \Driver\USBSTOR \Device\0000009f sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\WUDFRd \Device\UMDFCtrlDev-9492119a-7e7a-11e1-a46f-fd9617a1a116 B1D7EF7E Device \FileSystem\fastfat \Fat B1D64A7A AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1f36512 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1f37b93 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3B 0xC7 0xEB 0xB8 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe1f36512 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe1f37b93 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3B 0xC7 0xEB 0xB8 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Counter 9632 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Help 9633 ---- EOF - GMER 1.0.15 ----