[Resolved] Search results redirecting

  1. #1
    mjjohnson is offline Newbie

    [Resolved] Search results redirecting

    Hi, my search results on Google and Yahoo are being redirected; it seems like the same problem a lot of people are having on here... Also my computer has been running slow lately... Attached is my HijackThis log and uninstall log... Thanks for the help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:39:04 PM, on 12/13/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\IFXSPMGT.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [IfxSecurePlatformIndication] C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [PSDruntime] C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay105.hotmail.msn.co...x/HMAtchmt.ocx
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: PSDNtfy - C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
    O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Broadcom - C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 10745 bytes
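A reviewer working through a log like the one above reads the Oxx entries for the same few things each time: services with no vendor string, autoruns that point into user-writable directories, and startup entries whose target could not be resolved. The script below is an added example, not part of this thread and not HijackThis' own code; it parses the Oxx entries and applies those rules to a constructed sample made of lines copied from the log above. The entry formats assumed are those of HijackThis 2.0.2 as printed here, and a flag marks an entry for a closer look, not as malicious.

```python
"""Triage helper for HijackThis 2.x logs (added example, not HijackThis code).

Parses the "Oxx - " entries into records and applies a few defender-side
review rules. Run as  python hjt_triage.py hijackthis.log  or import it;
with no argument it triages the embedded sample.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a handful of lines copied from the thread's own log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Digital Line Detect.lnk = ?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ocx)', re.IGNORECASE)
# Directories an ordinary user can write to; code auto-starting from here deserves a look.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Temp|Local Settings|Application Data|Documents and Settings)\\", re.IGNORECASE)


@dataclass
class HjtEntry:
    kind: str                 # "O2", "O4", "O23", ...
    body: str                 # everything after the "O4 - " prefix
    clsid: Optional[str]      # first CLSID on the line, if any
    paths: List[str] = field(default_factory=list)
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[HjtEntry]:
    """Keep only the Oxx/Rx entries; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        clsid = CLSID_RE.search(body)
        entries.append(HjtEntry(kind, body, clsid.group(0) if clsid else None,
                                PATH_RE.findall(body)))
    return entries


def flags_for(e: HjtEntry) -> List[str]:
    """Review rules: each flag is a reason to look closer, not a verdict."""
    flags = []
    if e.kind == "O23" and " - Unknown owner - " in e.body:
        flags.append("service has no vendor string")
    if e.kind == "O4" and e.body.endswith("= ?"):
        flags.append("startup shortcut target could not be resolved")
    elif e.kind in ("O2", "O4") and not e.paths:
        flags.append("no module path parsed; inspect by hand")
    if e.kind == "O20":
        flags.append("Winlogon Notify package loads into winlogon.exe; confirm it is known")
    for p in e.paths:
        if USER_WRITABLE_RE.search(p):
            flags.append("autostart from a user-writable directory: " + p)
    return flags


def triage(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Attach flags to every entry and return only those that earned at least one."""
    for e in entries:
        e.flags = flags_for(e)
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for e in triage(parse_hjt(text)):
        print(f"{e.kind}: {e.body}")
        for f in e.flags:
            print("    ->", f)
```

On the sample, the Google Update autorun is flagged only because it runs from the user's profile directory, which is where that updater normally lives; the rule exists so a reviewer confirms that rather than assumes it.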

  2. #2
    broni is offline Senior Member
    Which browser is getting redirected?

  3. #3
    mjjohnson is offline Newbie
    Thanks for getting back to me... Google Chrome and Firefox; I haven't tried IE because I do not have the most recent version... I have found they are redirecting on Google and Yahoo searches... Also, tried booting in Safe Mode and it hangs at mup.dll.

  4. #4
    broni is offline Senior Member
    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe.

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: SUPERAntiSpyware.com - Database Definition Information.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    ********************************************************************************
    Due to a bug in Malwarebytes, you may see the following entries in MBAM's log:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit)

    DO NOT remove those entries!
    If you do, your computer will become UN-bootable.
    The issue has been fixed in the latest MBAM update, so it's EXTREMELY important that you update MBAM before you run it.
    ********************************************************************************

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: GMER - Rootkit Detector and Remover, by clicking on Download EXE button.
    Alternative downloads:
    - |MG| GMER 1.0.15.15279 Download
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button and save the results as gmer.log.
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log in your next reply.

    RESTART COMPUTER

    STEP 4.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right-click on HijackThis and click Run as Administrator.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
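The atapi note above tells the user not to remove the registry entries; the separate question for whoever reads the logs is whether the driver file those entries load has been altered. The following is an added example, not code from this thread, Malwarebytes or GMER: a PE header walker in Python (standard library only) that reports which section holds an image's entry point. An unmodified driver starts in a code section such as INIT or .text; an entry point inside .rsrc, which carries resources rather than code, is the condition GMER prints as 'entry point in ".rsrc" section' (the GMER log posted later in this thread contains that line for atapi.sys). The section layout used for the demo is a constructed stand-in, not the real atapi.sys section table, and the image it builds is header-only, not a loadable driver.

```python
"""Report which PE section contains an image's entry point.

Added example, not part of the thread. Usage:
    python pe_entry.py <path-to-driver.sys>
With no argument it checks two constructed header-only images defined below.
"""
import struct
import sys
from typing import List, Optional, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000

# (name, VirtualAddress, VirtualSize, Characteristics)
Section = Tuple[str, int, int, int]


def pe_sections(image: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section table) from raw PE bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                   # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                   # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%X" % magic)
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # same offset in PE32 and PE32+
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40                          # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr = struct.unpack_from("<8sII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
    return entry_rva, sections


def entry_point_section(image: bytes) -> Optional[Section]:
    """The section whose virtual range covers the entry point, or None."""
    entry_rva, sections = pe_sections(image)
    for sec in sections:
        _, vaddr, vsize, _ = sec
        if vaddr <= entry_rva < vaddr + vsize:
            return sec
    return None


def assess_entry_point(image: bytes) -> str:
    """Same rule GMER applies: an entry point in .rsrc (or any non-executable section) is abnormal."""
    sec = entry_point_section(image)
    if sec is None:
        return "SUSPICIOUS: entry point lies outside every section"
    name, _, _, chars = sec
    if name == ".rsrc" or not chars & IMAGE_SCN_MEM_EXECUTE:
        return "SUSPICIOUS: entry point in %s (characteristics 0x%08X)" % (name, chars)
    return "ok: entry point in %s" % name


# --- constructed test images; the layout is a stand-in, not real atapi.sys values ---

def build_image(entry_rva: int, sections: List[Section]) -> bytes:
    """Minimal PE32 headers plus a section table: enough for the walker, not loadable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


DRIVER_LAYOUT: List[Section] = [
    (".text", 0x1000, 0x4000, 0x68000020),   # code, executable, not paged
    (".rsrc", 0x5000, 0x0400, 0x42000040),   # resources: initialised data, read-only
    ("INIT",  0x6000, 0x0800, 0xE2000020),   # DriverEntry normally lives here
]
CLEAN_IMAGE = build_image(0x6100, DRIVER_LAYOUT)     # entry point in INIT
PATCHED_IMAGE = build_image(0x5200, DRIVER_LAYOUT)   # entry point redirected into .rsrc

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(assess_entry_point(fh.read()))
    else:
        print("clean layout  :", assess_entry_point(CLEAN_IMAGE))
        print("patched layout:", assess_entry_point(PATCHED_IMAGE))
```

A "SUSPICIOUS" result on a real driver is a reason to compare the file against a known-good copy from installation media or a service pack, not a verdict on its own; the walker reads headers only and does not follow the entry point's code.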
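STEP 3 produces a GMER log in which most lines are hooks that a security product legitimately installs, so the useful first pass is to attribute every hook to its owning module and list only what is left over. This summariser is an added example, not part of the thread and not GMER's own code; it handles the three line shapes GMER 1.0.15 prints (SSDT "Code" lines, inline "JMP" hooks in the kernel and user code sections, and the ".rsrc ... entry point" line) and runs on a constructed sample copied from the GMER log posted later in this thread. An unattributed hook means GMER could not map the JMP target to a loaded module; it is a review item, not a verdict.

```python
"""Summarise a GMER 1.0.15 log by who owns each hook (added example, not GMER code).

Usage: python gmer_summary.py gmer.log   (no argument: the embedded sample)
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: a subset of lines copied from the GMER log in this thread.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB261F78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB261F710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP B261F7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A332 3 Bytes JMP B261F825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey + 4 8061A336 1 Byte [32]
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF745C7A4]
---- User code sections - GMER 1.0.15 ----
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[624] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01110FEF
.text C:\WINDOWS\system32\services.exe[708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D50EF7
"""

SSDT_RE = re.compile(r"^Code\s+(\S+)\s+\((.*?)\)\s+(\w+)(?:\s+\[0x([0-9A-Fa-f]+)\])?\s*$")
HOOK_RE = re.compile(r"^(\S+)\s+(.+?)!(\w+)(?:\s\+\s\d+)?\s+([0-9A-Fa-f]+)\s+(\d+)\s+Bytes?\s+(.*)$")
JMP_RE = re.compile(r"^JMP\s+([0-9A-Fa-f]+)(?:\s+(.+?)\s+\((.*)\))?\s*$")
ENTRY_RE = re.compile(r'^\.rsrc\s+(\S+)\s+entry point in "\.rsrc" section')


@dataclass(frozen=True)
class Hook:
    scope: str        # "kernel" or the hooked process, e.g. "services.exe[708]"
    function: str     # "ntkrnlpa.exe!ZwCreateKey" or "kernel32.dll!CreateFileA"
    owner: str        # module GMER attributed the hook to, or "<unattributed>"
    detail: str


def owner_name(path: Optional[str]) -> str:
    if not path:
        return "<unattributed>"
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_gmer(text: str) -> Tuple[List[Hook], List[Hook], List[str]]:
    """Return (SSDT hooks, inline hooks, drivers whose entry point is in .rsrc)."""
    ssdt, inline, anomalies = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = SSDT_RE.match(line)
        if m:
            module, desc, func, _addr = m.groups()
            ssdt.append(Hook("kernel", func, owner_name(module), desc))
            continue
        m = ENTRY_RE.match(line)
        if m:
            anomalies.append(m.group(1))
            continue
        m = HOOK_RE.match(line)
        if not m:
            continue
        _section, target, func, _addr, _size, detail = m.groups()
        jm = JMP_RE.match(detail)
        if not jm:
            continue      # "+ 4 ... 1 Byte [32]" lines are the tail of the preceding JMP
        proc, _, module = target.rpartition(" ")
        scope = proc.rsplit("\\", 1)[-1] if proc else "kernel"
        inline.append(Hook(scope, module + "!" + func, owner_name(jm.group(2)), detail))
    return ssdt, inline, anomalies


def summarize(text: str) -> Dict[str, Any]:
    ssdt, inline, anomalies = parse_gmer(text)
    return {
        "ssdt_by_owner": Counter(h.owner for h in ssdt),
        "kernel_inline_by_owner": Counter(h.owner for h in inline if h.scope == "kernel"),
        "user_inline_by_scope_owner": Counter((h.scope, h.owner) for h in inline if h.scope != "kernel"),
        "rsrc_entry_points": anomalies,
    }


def review_points(report: Dict[str, Any]) -> List[str]:
    """What a reviewer still has to resolve once the named-module hooks are set aside."""
    points = []
    for drv in report["rsrc_entry_points"]:
        points.append(f"{drv}: entry point inside .rsrc; compare the file with a known-good copy")
    for key, label in (("ssdt_by_owner", "SSDT"), ("kernel_inline_by_owner", "kernel inline")):
        n = report[key].get("<unattributed>", 0)
        if n:
            points.append(f"{n} {label} hook(s) point into memory GMER could not attribute to a module")
    for (scope, owner), n in report["user_inline_by_scope_owner"].items():
        if owner == "<unattributed>":
            points.append(f"{scope}: {n} inline hook(s) jump to memory not backed by a named module")
    return points


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_GMER
    report = summarize(text)
    for key, value in report.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
    for p in review_points(report):
        print("->", p)
```

On the sample every kernel hook resolves to mfehidk.sys, the McAfee driver named in the log, and the list that remains is the atapi.sys entry-point line plus the unattributed hooks in services.exe and lsass.exe; those are the lines worth the helper's time.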

  5. #5
    mjjohnson is offline Newbie
    Hi, like I mentioned, my computer will not boot in Safe Mode, I think due to a power supply problem. Should I run SUPERAntiSpyware in normal Windows mode?

    thanks

  6. #6
    broni is offline Senior Member
    Go ahead...

  7. #7
    mjjohnson is offline Newbie
    Here are my logs for SUPERAntiSpyware, Malwarebytes, GMER and HijackThis, respectively...

    SUPERAntiSpyware Scan Log
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    Generated 12/15/2009 at 02:59 AM

    Application Version : 4.31.1000

    Core Rules Database Version : 4373
    Trace Rules Database Version: 2214

    Scan type : Complete Scan
    Total Scan Time : 04:52:18

    Memory items scanned : 569
    Memory threats detected : 0
    Registry items scanned : 6237
    Registry threats detected : 0
    File items scanned : 86746
    File threats detected : 0


    Malwarebytes' Anti-Malware 1.42
    Database version: 3364
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    12/15/2009 2:02:54 PM
    mbam-log-2009-12-15 (14-02-54).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 207390
    Time elapsed: 3 hour(s), 31 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
    Rootkit scan 2009-12-15 17:59:28
    Windows 5.1.2600 Service Pack 3
    Running: 00celw48.exe; Driver: C:\DOCUME~1\Mike\LOCALS~1\Temp\pxtdypow.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB261F78A]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB261F821]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB261F738]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB261F74C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB261F835]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB261F861]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB261F8CF]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB261F8B9]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB261F7CA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB261F8FB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB261F80D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB261F710]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB261F724]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB261F79E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB261F937]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB261F8A3]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB261F88D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB261F84B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB261F923]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB261F90F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB261F776]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB261F762]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB261F877]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB261F7F9]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB261F8E5]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB261F7E0]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB261F7B4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP B261F7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP B261F78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74FE 7 Bytes JMP B261F7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8314 5 Bytes JMP B261F7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA96 7 Bytes JMP B261F7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenProcess 805C1324 5 Bytes JMP B261F714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenThread 805C15B0 5 Bytes JMP B261F728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE2 5 Bytes JMP B261F766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F8 7 Bytes JMP B261F750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AE 5 Bytes JMP B261F73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B8 5 Bytes JMP B261F77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB8 5 Bytes JMP B261F7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryValueKey 8061856A 7 Bytes JMP B261F891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetValueKey 806188B8 7 Bytes JMP B261F87B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnloadKey 80618BE2 7 Bytes JMP B261F8E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619480 7 Bytes JMP B261F8A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRenameKey 80619D54 7 Bytes JMP B261F84F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateKey 8061A332 3 Bytes JMP B261F825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateKey + 4 8061A336 1 Byte [32]
    PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7C2 7 Bytes JMP B261F839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A992 7 Bytes JMP B261F865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB72 7 Bytes JMP B261F8D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADDC 7 Bytes JMP B261F8BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwOpenKey 8061B704 3 Bytes JMP B261F811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwOpenKey + 4 8061B708 1 Byte [32]
    PAGE ntkrnlpa.exe!ZwQueryKey 8061BA2A 7 Bytes JMP B261F93B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRestoreKey 8061BCEA 5 Bytes JMP B261F913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwReplaceKey 8061C3DE 5 Bytes JMP B261F927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C4F8 5 Bytes JMP B261F8FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    .rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF745C7A4]

    ---- User code sections - GMER 1.0.15 ----

    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[624] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[624] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01110FEF
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01110F44
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01110F55
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0111002F
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01110F72
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01110F9E
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0111007B
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0111006A
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011100C2
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011100B1
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01110F04
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01110F83
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01110FD4
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01110F33
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0111000A
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!CreateNamedPipeA 7C860CDC 3 Bytes JMP 01110FB9
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!CreateNamedPipeA + 4 7C860CE0 1 Byte [84]
    .text C:\WINDOWS\system32\services.exe[708] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01110096
    .text C:\WINDOWS\system32\services.exe[708] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01100040
    .text C:\WINDOWS\system32\services.exe[708] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01100087
    .text C:\WINDOWS\system32\services.exe[708] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0110001B
    .text C:\WINDOWS\system32\services.exe[708] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01100FE5
    .text C:\WINDOWS\system32\services.exe[708] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01100076
    .text C:\WINDOWS\system32\services.exe[708] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01100000
    .text C:\WINDOWS\system32\services.exe[708] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0110005B
    .text C:\WINDOWS\system32\services.exe[708] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01100FD4
    .text C:\WINDOWS\system32\services.exe[708] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 010F0FC1
    .text C:\WINDOWS\system32\services.exe[708] msvcrt.dll!system 77C293C7 5 Bytes JMP 010F004C
    .text C:\WINDOWS\system32\services.exe[708] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 010F0016
    .text C:\WINDOWS\system32\services.exe[708] msvcrt.dll!_open 77C2F566 5 Bytes JMP 010F0FEF
    .text C:\WINDOWS\system32\services.exe[708] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 010F0031
    .text C:\WINDOWS\system32\services.exe[708] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 010F0FD2
    .text C:\WINDOWS\system32\services.exe[708] WININET.dll!InternetOpenW 771BAF29 5 Bytes JMP 010E0025
    .text C:\WINDOWS\system32\services.exe[708] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 010E0000
    .text C:\WINDOWS\system32\services.exe[708] WININET.dll!InternetOpenUrlA 771C5A5A 5 Bytes JMP 010E0FEF
    .text C:\WINDOWS\system32\services.exe[708] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 010E0042
    .text C:\WINDOWS\system32\services.exe[708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF000A
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D50000
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D50F63
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D50F74
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D50058
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D50FA5
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D50FC0
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D50F48
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D50084
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D50EF7
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D50F12
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D50EE6
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D50047
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D5001B
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D50073
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D50FD1
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D5002C
    .text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D50F23
    .text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D40FAF
    .text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D4002F
    .text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D40FD4
    .text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D4000A
    .text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D40F72
    .text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D40FEF
    .text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D40F83
    .text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F4, 88]
    .text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D40F9E
    .text C:\WINDOWS\system32\lsass.exe[720] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D30031
    .text C:\WINDOWS\system32\lsass.exe[720] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D30FA6
    .text C:\WINDOWS\system32\lsass.exe[720] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D30FD2
    .text C:\WINDOWS\system32\lsass.exe[720] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D3000C
    .text C:\WINDOWS\system32\lsass.exe[720] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D30FC1
    .text C:\WINDOWS\system32\lsass.exe[720] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D30FE3
    .text C:\WINDOWS\system32\lsass.exe[720] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C90000
    .text C:\WINDOWS\system32\lsass.exe[720] WININET.dll!InternetOpenW 771BAF29 5 Bytes JMP 00CE0FD4
    .text C:\WINDOWS\system32\lsass.exe[720] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 00CE0FEF
    .text C:\WINDOWS\system32\lsass.exe[720] WININET.dll!InternetOpenUrlA 771C5A5A 5 Bytes JMP 00CE0FAD
    .text C:\WINDOWS\system32\lsass.exe[720] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 00CE0F92
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC0FEF
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC0F6B
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC0060
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC0043
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC0F86
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC001E
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC0085
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC0F3D
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC00C5
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC0F22
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DC0F11
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DC0F97
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DC0FD4
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DC0F5A
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DC0FB2
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DC0FC3
    .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DC00A0
    .text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DB0025
    .text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DB0091
    .text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DB0014
    .text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DB0FDE
    .text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DB006C
    .text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DB0FEF
    .text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DB0051
    .text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DB0040
    .text C:\WINDOWS\system32\svchost.exe[880] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 024F000A
    .text C:\WINDOWS\system32\svchost.exe[880] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DA005A
    .text C:\WINDOWS\system32\svchost.exe[880] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DA0FC5
    .text C:\WINDOWS\system32\svchost.exe[880] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DA002E
    .text C:\WINDOWS\system32\svchost.exe[880] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DA0000
    .text C:\WINDOWS\system32\svchost.exe[880] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DA003F
    .text C:\WINDOWS\system32\svchost.exe[880] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DA0011
    .text C:\WINDOWS\system32\svchost.exe[880] WININET.dll!InternetOpenW 771BAF29 5 Bytes JMP 00D9000A
    .text C:\WINDOWS\system32\svchost.exe[880] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 00D90FEF
    .text C:\WINDOWS\system32\svchost.exe[880] WININET.dll!InternetOpenUrlA 771C5A5A 5 Bytes JMP 00D90FDE
    .text C:\WINDOWS\system32\svchost.exe[880] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 00D90025
    .text C:\WINDOWS\system32\svchost.exe[880] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0078000A
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80000
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E80F48
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E80F63
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E80F74
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E8003D
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E80022
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E80F06
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E80F21
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E8008E
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E80EF5
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E800A9
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E80F9B
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E80FDB
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E80058
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E80011
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E80FC0
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E80073
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E70FC0
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E7003D
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E70FDB
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E70011
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E7002C
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E70000
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E70F8A
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [07, 89]
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E70FA5
    .text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E60027
    .text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E60F9C
    .text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E60FD2
    .text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E60000
    .text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E60FAD
    .text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E60FE3
    .text C:\WINDOWS\system32\svchost.exe[988] WININET.dll!InternetOpenW 771BAF29 5 Bytes JMP 00E50FE5
    .text C:\WINDOWS\system32\svchost.exe[988] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 00E50000
    .text C:\WINDOWS\system32\svchost.exe[988] WININET.dll!InternetOpenUrlA 771C5A5A 5 Bytes JMP 00E50FC8
    .text C:\WINDOWS\system32\svchost.exe[988] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 00E50FB7
    .text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E40FE5
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 022A0000
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 022A0F77
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 022A006C
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 022A0F9E
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 022A0FAF
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 022A0FC0
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 022A00AE
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 022A0F5C
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 022A0F41
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 022A00D0
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 022A00FF
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 022A0051
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 022A001B
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 022A0087
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 022A0036
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 022A0FE5
    .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 022A00BF
    .text C:\WINDOWS\System32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02290FCA
    .text C:\WINDOWS\System32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02290F80
    .text C:\WINDOWS\System32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02290FDB
    .text C:\WINDOWS\System32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02290011
    .text C:\WINDOWS\System32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0229003D
    .text C:\WINDOWS\System32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02290000
    .text C:\WINDOWS\System32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0229002C
    .text C:\WINDOWS\System32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02290FAF
    .text C:\WINDOWS\System32\svchost.exe[1044] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02280F9C
    .text C:\WINDOWS\System32\svchost.exe[1044] msvcrt.dll!system 77C293C7 5 Bytes JMP 02280027
    .text C:\WINDOWS\System32\svchost.exe[1044] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02280FD2
    .text C:\WINDOWS\System32\svchost.exe[1044] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02280FEF
    .text C:\WINDOWS\System32\svchost.exe[1044] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02280FAD
    .text C:\WINDOWS\System32\svchost.exe[1044] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0228000C
    .text C:\WINDOWS\System32\svchost.exe[1044] WININET.dll!InternetOpenW 771BAF29 5 Bytes JMP 0227001B
    .text C:\WINDOWS\System32\svchost.exe[1044] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 02270000
    .text C:\WINDOWS\System32\svchost.exe[1044] WININET.dll!InternetOpenUrlA 771C5A5A 5 Bytes JMP 02270FE5
    .text C:\WINDOWS\System32\svchost.exe[1044] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 02270FD4
    .text C:\WINDOWS\System32\svchost.exe[1044] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01F70FEF
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008B000A
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008B00A4
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008B0093
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008B0FAF
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008B006C
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008B0FE5
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008B0F70
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008B0F81
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008B00E4
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008B0F55
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008B00F5
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008B0FD4
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008B001B
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008B0F9E
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008B0051
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008B0036
    .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008B00D3
    .text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008A0FC3
    .text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008A005B
    .text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008A0FD4
    .text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008A000A
    .text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008A004A
    .text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008A0FEF
    .text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008A0039
    .text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008A0FB2
    .text C:\WINDOWS\system32\svchost.exe[1172] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00780FC3
    .text C:\WINDOWS\system32\svchost.exe[1172] msvcrt.dll!system 77C293C7 5 Bytes JMP 00780058
    .text C:\WINDOWS\system32\svchost.exe[1172] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00780FDE
    .text C:\WINDOWS\system32\svchost.exe[1172] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0078000C
    .text C:\WINDOWS\system32\svchost.exe[1172] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0078003D
    .text C:\WINDOWS\system32\svchost.exe[1172] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00780FEF
    .text C:\WINDOWS\system32\svchost.exe[1172] WININET.dll!InternetOpenW 771BAF29 5 Bytes JMP 00770FD4
    .text C:\WINDOWS\system32\svchost.exe[1172] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 00770FE5
    .text C:\WINDOWS\system32\svchost.exe[1172] WININET.dll!InternetOpenUrlA 771C5A5A 5 Bytes JMP 0077000A
    .text C:\WINDOWS\system32\svchost.exe[1172] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 00770FC3
    .text C:\WINDOWS\system32\svchost.exe[1172] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00760000
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00760FE5
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0076007D
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00760062
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00760051
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00760F94
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00760025
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00760F52
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00760F6D
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007600D0
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00760F37
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007600E1
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00760036
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00760FD4
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00760098
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0076000A
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00760FB9
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007600B5
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00710014
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00710F72
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00710FC3
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00710FD4
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00710025
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00710FE5
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00710F83
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [91, 88]
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00710FA8
    .text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00700F8B
    .text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!system 77C293C7 5 Bytes JMP 00700FA6
    .text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00700FC1
    .text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00700FEF
    .text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00700016
    .text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00700FD2
    .text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenW 771BAF29 5 Bytes JMP 006F0011
    .text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 006F0000
    .text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenUrlA 771C5A5A 5 Bytes JMP 006F0FDB
    .text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 006F0FCA
    .text C:\WINDOWS\system32\svchost.exe[1272] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0000
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02900FE5
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0290004A
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02900F55
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02900F70
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02900F8D
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02900F9E
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02900F29
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02900F3A
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02900ED8
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02900EF3
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0290008C
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0290002F
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0290000A
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0290005B
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02900FB9
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02900FCA
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02900F0E
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 028F0FCA
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 028F0076
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 028F001B
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 028F0FE5
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 028F0FAF
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 028F0000
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 028F0047
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 028F0036
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 028E0FA1
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] msvcrt.dll!system 77C293C7 5 Bytes JMP 028E0036
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 028E0FBC
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 028E0000
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 028E0011
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 028E0FD7
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] WININET.dll!InternetOpenW 771BAF29 5 Bytes JMP 028D0FDB
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 028D0000
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] WININET.dll!InternetOpenUrlA 771C5A5A 5 Bytes JMP 028D0FCA
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 028D0027
    .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 028C0000
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01690000
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01690F61
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01690F7C
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01690F8D
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01690040
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01690F9E
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0169009D
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0169008C
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01690F1F
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01690F3A
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 016900D3
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01690025
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01690FEF
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0169007B
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01690FAF
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01690FCA
    .text C:\WINDOWS\Explorer.EXE[1532] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 016900B8
    .text C:\WINDOWS\Explorer.EXE[1532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01680039
    .text C:\WINDOWS\Explorer.EXE[1532] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01680F97
    .text C:\WINDOWS\Explorer.EXE[1532] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01680FDE
    .text C:\WINDOWS\Explorer.EXE[1532] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01680FEF
    .text C:\WINDOWS\Explorer.EXE[1532] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01680FB2
    .text C:\WINDOWS\Explorer.EXE[1532] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0168000A
    .text C:\WINDOWS\Explorer.EXE[1532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01680FCD
    .text C:\WINDOWS\Explorer.EXE[1532] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [88, 89]
    .text C:\WINDOWS\Explorer.EXE[1532] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01680054
    .text C:\WINDOWS\Explorer.EXE[1532] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01670F8B
    .text C:\WINDOWS\Explorer.EXE[1532] msvcrt.dll!system 77C293C7 5 Bytes JMP 01670FA6
    .text C:\WINDOWS\Explorer.EXE[1532] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01670FC8
    .text C:\WINDOWS\Explorer.EXE[1532] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01670FE3
    .text C:\WINDOWS\Explorer.EXE[1532] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01670FB7
    .text C:\WINDOWS\Explorer.EXE[1532] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01670000
    .text C:\WINDOWS\Explorer.EXE[1532] WININET.dll!InternetOpenW 771BAF29 5 Bytes JMP 00FF0FCA
    .text C:\WINDOWS\Explorer.EXE[1532] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 00FF0FEF
    .text C:\WINDOWS\Explorer.EXE[1532] WININET.dll!InternetOpenUrlA 771C5A5A 5 Bytes JMP 00FF000C
    .text C:\WINDOWS\Explorer.EXE[1532] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 00FF001D
    .text C:\WINDOWS\Explorer.EXE[1532] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FE5
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006B0FEF
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006B008C
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006B0F97
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006B0FA8
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006B0065
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006B002F
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006B00D5
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006B00C4
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006B0F4D
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006B00E6
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006B0F32
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006B004A
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006B0FD4
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006B009D
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006B001E
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006B0FC3
    .text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006B0F72
    .text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00680025
    .text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00680054
    .text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00680FCA
    .text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00680000
    .text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00680F8D
    .text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00680FEF
    .text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00680F9E
    .text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [88, 88]
    .text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00680FB9
    .text C:\WINDOWS\system32\svchost.exe[1964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00670F97
    .text C:\WINDOWS\system32\svchost.exe[1964] msvcrt.dll!system 77C293C7 5 Bytes JMP 00670FB2
    .text C:\WINDOWS\system32\svchost.exe[1964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00670FDE
    .text C:\WINDOWS\system32\svchost.exe[1964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00670FEF
    .text C:\WINDOWS\system32\svchost.exe[1964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00670FCD
    .text C:\WINDOWS\system32\svchost.exe[1964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00670018
    .text C:\WINDOWS\system32\svchost.exe[1964] WININET.dll!InternetOpenW 771BAF29 5 Bytes JMP 00660FDE
    .text C:\WINDOWS\system32\svchost.exe[1964] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 00660FEF
    .text C:\WINDOWS\system32\svchost.exe[1964] WININET.dll!InternetOpenUrlA 771C5A5A 5 Bytes JMP 00660FCD
    .text C:\WINDOWS\system32\svchost.exe[1964] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 00660020
    .text C:\WINDOWS\system32\svchost.exe[1964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00650000
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0076000A
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00760F6D
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00760062
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00760F88
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00760FA5
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00760FB6
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00760098
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00760F5C
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00760F21
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007600C4
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007600D5
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00760047
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00760FEF
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0076007D
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0076002C
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0076001B
    .text C:\WINDOWS\system32\svchost.exe[2156] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007600A9
    .text C:\WINDOWS\system32\svchost.exe[2156] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006C0FC0
    .text C:\WINDOWS\system32\svchost.exe[2156] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006C0F79
    .text C:\WINDOWS\system32\svchost.exe[2156] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006C0011
    .text C:\WINDOWS\system32\svchost.exe[2156] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006C0000
    .text C:\WINDOWS\system32\svchost.exe[2156] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006C0F94
    .text C:\WINDOWS\system32\svchost.exe[2156] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006C0FEF
    .text C:\WINDOWS\system32\svchost.exe[2156] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006C002C
    .text C:\WINDOWS\system32\svchost.exe[2156] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006C0FA5
    .text C:\WINDOWS\system32\svchost.exe[2156] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006B0033
    .text C:\WINDOWS\system32\svchost.exe[2156] msvcrt.dll!system 77C293C7 5 Bytes JMP 006B0FA8
    .text C:\WINDOWS\system32\svchost.exe[2156] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006B0FDE
    .text C:\WINDOWS\system32\svchost.exe[2156] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006B0000
    .text C:\WINDOWS\system32\svchost.exe[2156] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006B0FC3
    .text C:\WINDOWS\system32\svchost.exe[2156] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006B0FEF
    .text C:\WINDOWS\system32\svchost.exe[2156] WININET.dll!InternetOpenW 771BAF29 5 Bytes JMP 006A0FD4
    .text C:\WINDOWS\system32\svchost.exe[2156] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 006A0FEF
    .text C:\WINDOWS\system32\svchost.exe[2156] WININET.dll!InternetOpenUrlA 771C5A5A 5 Bytes JMP 006A0FB7
    .text C:\WINDOWS\system32\svchost.exe[2156] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 006A0FA6

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    Device \FileSystem\Fastfat \Fat AF346D20

    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 86EC2618

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \OptionalComponents\IMAIL@Installed 1
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \OptionalComponents\MAPI@Installed 1
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \OptionalComponents\MAPI@NoChange 1
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \OptionalComponents\MSFS@Installed 1

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:12:28 PM, on 12/15/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\IFXSPMGT.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [IfxSecurePlatformIndication] C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [PSDruntime] C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay105.hotmail.msn.co...x/HMAtchmt.ocx
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: PSDNtfy - C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
    O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Broadcom - C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 10804 bytes

  8. #8
    broni is offline Senior Member
    1. Please download The Avenger to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the Avenger folder to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Code:
    Begin copying here:
    Files to move:
    C:\WINDOWS\system32\dllcache\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop; this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also back up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please copy/paste the content of c:\avenger.txt into your reply
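The Avenger script above replaces the driver GMER flagged ("File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification") with the copy Windows File Protection keeps under system32\dllcache. A defender usually wants to confirm the two copies really differ before the swap and really match after it. The script below is an added example, not part of this thread and not code from GMER or The Avenger: it parses the "Files" section of a GMER log, rebases each flagged path onto a chosen Windows directory, and compares the live file with its dllcache twin by SHA-256. It assumes an XP-style layout (a dllcache directory under system32 holding a pristine copy with the same basename); the demo runs against a constructed temporary tree, and the example.dll entry in its sample log is made up.

```python
"""Cross-check files GMER reports as modified against their dllcache copies.

Added example, not from the forum thread or from GMER / The Avenger.
Assumes the Windows XP layout: %SystemRoot%\\system32\\dllcache holds a
pristine copy of each protected file, stored under the same basename.
"""
import hashlib
import os
import re
import tempfile

# One line of the GMER "Files" section, e.g.
#   File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
FILE_LINE = re.compile(r"^\s*File\s+(?P<path>\S.*?)\s+suspicious modification\s*$")
# Splits a logged path at the Windows directory so it can be rebased.
WINDIR = re.compile(r"[\\/]WINDOWS[\\/]", re.IGNORECASE)


def flagged_files(gmer_log):
    """Return every path GMER reported as a suspicious modification."""
    paths = []
    for line in gmer_log.splitlines():
        m = FILE_LINE.match(line)
        if m:
            paths.append(m.group("path"))
    return paths


def rebase(logged_path, system_root):
    """Map 'C:\\WINDOWS\\system32\\x' onto <system_root>/system32/x."""
    parts = WINDIR.split(logged_path, maxsplit=1)
    if len(parts) != 2:
        raise ValueError("not under the Windows directory: " + logged_path)
    return os.path.join(system_root, *re.split(r"[\\/]", parts[1]))


def sha256_of(path):
    """Hash a file in chunks so large drivers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_against_dllcache(gmer_log, system_root):
    """Compare each flagged file with its dllcache copy.

    Returns {logged_path: 'match' | 'mismatch' | 'missing' | 'no-cache-copy'}.
    """
    results = {}
    for logged in flagged_files(gmer_log):
        live = rebase(logged, system_root)
        cache = os.path.join(system_root, "system32", "dllcache",
                             os.path.basename(live))
        if not os.path.isfile(cache):
            results[logged] = "no-cache-copy"
        elif not os.path.isfile(live):
            results[logged] = "missing"
        elif sha256_of(live) == sha256_of(cache):
            results[logged] = "match"
        else:
            results[logged] = "mismatch"
    return results


def demo():
    """Run the check on a constructed temp tree (sample data, not a real system)."""
    # Constructed GMER excerpt: the atapi.sys line mirrors the thread's log,
    # example.dll is a made-up second entry that will turn out to be intact.
    log = (
        "---- Files - GMER 1.0.15 ----\n"
        "\n"
        "File C:\\WINDOWS\\system32\\drivers\\atapi.sys suspicious modification\n"
        "File C:\\WINDOWS\\system32\\example.dll suspicious modification\n"
        "\n"
        "---- EOF - GMER 1.0.15 ----\n"
    )
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "system32", "drivers")
        cache = os.path.join(root, "system32", "dllcache")
        os.makedirs(drivers)
        os.makedirs(cache)
        # Constructed contents: the live atapi.sys differs from its cached copy.
        with open(os.path.join(drivers, "atapi.sys"), "wb") as f:
            f.write(b"MZ-constructed-driver-with-patched-bytes")
        with open(os.path.join(cache, "atapi.sys"), "wb") as f:
            f.write(b"MZ-constructed-driver-original")
        # example.dll is identical in both places.
        for d in (os.path.join(root, "system32"), cache):
            with open(os.path.join(d, "example.dll"), "wb") as f:
                f.write(b"MZ-constructed-dll")
        return check_against_dllcache(log, root)


if __name__ == "__main__":
    for path, status in demo().items():
        print(status.ljust(14), path)
```

Point `check_against_dllcache` at a real Windows directory (or an offline copy of one) to use it outside the demo. A "match" only shows the two copies agree, not that either is clean: the dllcache copy can be tampered with as well, so a known-good hash for the file version or an Authenticode signature check is the stronger confirmation once the swap has been done.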

  9. #9
    mjjohnson is offline Newbie
    After running the script, and before the reboot, McAfee gave me a warning that said a trojan was found and deleted in C:\cleanup.exe.

    After the reboot, an error message appeared saying that C:\cleanup.exe cannot be found etc...

    I have a feeling this is part of the script. Should I disable McAfee or add something to the allow list so this script can run?

  10. #10
    broni is offline Senior Member
    Disable McAfee, or run the script in Safe Mode.
