Thank you for your help. I hope I've done this correctly.
DDS.txt – Notepad
DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 7:51:10.39 on Wed 02/25/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.371 [GMT -8:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
============== Running Processes ===============
F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
F:\Program Files\AVG\AVG8\avgrsx.exe
svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\McAfee.com\Agent\mcagent.exe
F:\WINDOWS\system32\igfxtray.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\PROGRA~1\AVG\AVG8\avgtray.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Documents and Settings\Administrator\Application Data\Smilebox\SmileboxTray.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
F:\Program Files\eFax Messenger 4.3\J2GTray.exe
F:\Program Files\j2 Messenger 4.2\J2GTray.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
F:\WINDOWS\system32\cisvc.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\system32\inetsrv\inetinfo.exe
F:\Program Files\Common Files\LightScribe\LSSrvc.exe
F:\Program Files\McAfee\SiteAdvisor\McSACore.exe
F:\PROGRA~1\AVG\AVG8\avgrsx.exe
F:\PROGRA~1\AVG\AVG8\avgnsx.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
f:\program files\common files\mcafee\mna\mcnasvc.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\McAfee\MPF\MPFSrv.exe
F:\Program Files\McAfee\MSK\MskSrver.exe
F:\WINDOWS\system32\HPZipm12.exe
F:\WINDOWS\system32\tcpsvcs.exe
F:\WINDOWS\System32\snmp.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\system32\mqsvc.exe
F:\WINDOWS\system32\mqtgsvc.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
F:\WINDOWS\system32\cidaemon.exe
F:\WINDOWS\system32\cidaemon.exe
F:\WINDOWS\system32\dllhost.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\Administrator\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - f:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - f:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - f:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - f:\program files\mcafee\virusscan\scriptsn.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - f:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - f:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - f:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - f:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - f:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {C17590D2-ECB4-4B15-8820-F58798DCC118} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2] f:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [swg] f:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SmileboxTray] "f:\documents and settings\administrator\application data\smilebox\SmileboxTray.exe"
uRun: [Picasa Media Detector] f:\program files\picasa2\PicasaMediaDetector.exe
uRun: [MSMSGS] "f:\program files\messenger\msmsgs.exe" /background
uRun: [DW4] "f:\program files\the weather channel fw\desktop weather\DesktopWeather.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "f:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Aim6] "f:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Uniblue RegistryBooster 2009] f:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [TkBellExe] "f:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NeroFilterCheck] f:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [mcagent_exe] "f:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LVCOMSX] "f:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [LogitechCommunicationsManager] "f:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [j2 4.2] "f:\program files\j2 messenger 4.2\J2GDllCmd.exe" /R
mRun: [IgfxTray] f:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] f:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "f:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [eFax 4.3] "f:\program files\efax messenger 4.3\J2GDllCmd.exe" /R
mRun: [AppleSyncNotifier] f:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [McENUI] f:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [QuickTime Task] "f:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "f:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] f:\progra~1\avg\avg8\avgtray.exe
StartupFolder: f:\documents and settings\administrator\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - f:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - f:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\efax43~1.lnk - f:\program files\efax messenger 4.3\J2GTray.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\j242~1.lnk - f:\program files\j2 messenger 4.2\J2GTray.exe
IE: Add to Google Photos Screensa&ver - f:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://f:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://f:\program files\iespell\wikipedia.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - f:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: plaxo.com\www
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - f:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - f:\program files\avg\avg8\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - f:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - f:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\z1xxhayd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.my.yahoo.com
FF - component: f:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: f:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - plugin: f:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: f:\program files\google\picasa3\npPicasa2.dll
FF - plugin: f:\program files\google\picasa3\npPicasa3.dll
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;f:\windows\system32\drivers\avgldx86.sys [2009-2-2 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;f:\windows\system32\drivers\avgmfx86.sys [2009-2-2 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;f:\windows\system32\drivers\avgtdix.sys [2009-2-2 107272]
R1 mfehidk;McAfee Inc. mfehidk;f:\windows\system32\drivers\mfehidk.sys [2007-2-6 207656]
R2 aawservice;Lavasoft Ad-Aware Service;f:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 avg8wd;AVG Free8 WatchDog;f:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-2 298264]
R2 Iprip;RIP Listener;f:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;f:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-4 206096]
R2 McProxy;McAfee Proxy Service;f:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-8-1 358736]
R2 McShield;McAfee Real-time Scanner;f:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-6 144704]
R3 McSysmon;McAfee SystemGuards;f:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-6 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;f:\windows\system32\drivers\mfeavfk.sys [2007-2-6 79240]
R3 mfebopk;McAfee Inc. mfebopk;f:\windows\system32\drivers\mfebopk.sys [2007-2-6 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;f:\windows\system32\drivers\mfesmfk.sys [2007-2-6 40488]
S3 mferkdk;McAfee Inc. mferkdk;f:\windows\system32\drivers\mferkdk.sys [2007-2-6 34152]
S3 TMPassthruMP;TMPassthruMP;f:\windows\system32\drivers\tmpassthru.sys --> f:\windows\system32\drivers\TMPassthru.sys [?]
=============== Created Last 30 ================
==================== Find3M ====================
2009-01-22 23:38 25,740,144 a------- F:\wmp11-windowsxp-x86-enu.exe
2009-01-19 00:50 55,876 a---h--- f:\windows\system32\mlfcache.dat
2009-01-05 14:33 3,751,995 a------- f:\windows\system32\GPhotos.scr
2009-01-03 19:49 20,660,760 a------- F:\SafariSetup.exe
2008-12-20 15:15 826,368 a------- f:\windows\system32\wininet.dll
2008-06-16 10:33 61,480 a------- f:\documents and settings\administrator\GoToAssistDownloadHelper.exe
2008-10-27 09:57 16,384 a--sh--- f:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-04 08:25 32,768 a--sh--- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat
2008-10-27 09:57 32,768 a--sh--- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102720081028\index.dat
============= FINISH: 7:52:24.65 ===============
(Here is GMER after I did the scan. I also copied it before scan if you need that - wasn't sure)
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-25 08:22:21
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEE3E49CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEE3E4A61]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEE3E4978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEE3E498C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEE3E4A75]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEE3E4AA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEE3E4B0F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEE3E4AF9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEE3E4A0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEE3E4B3B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEE3E4A4D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEE3E4950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEE3E4964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEE3E49DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEE3E4B77]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEE3E4AE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEE3E4ACD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEE3E4A8B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEE3E4B63]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEE3E4B4F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEE3E49B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEE3E49A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEE3E4AB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEE3E4A39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEE3E4B25]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEE3E4A20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEE3E49F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.14 ----
.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EE3E49F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP EE3E4A51 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP EE3E4AD1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP EE3E49CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP EE3E49A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP EE3E4A65 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP EE3E4B7B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 7 Bytes JMP EE3E4B13 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP EE3E4954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP EE3E49E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP EE3E4ABB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP EE3E4A24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP EE3E4A0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP EE3E4990 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP EE3E4A3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP EE3E4968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP EE3E4B3F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP EE3E4AFD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP EE3E4AA5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP EE3E4A79 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EE3E497C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DCF7 5 Bytes JMP EE3E49BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DA12 7 Bytes JMP EE3E4B29 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E338 7 Bytes JMP EE3E4AE7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E7B6 7 Bytes JMP EE3E4A8F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064ECA9 5 Bytes JMP EE3E4B53 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F112 5 Bytes JMP EE3E4B67 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- User code sections - GMER 1.0.14 ----
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000700B2
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070097
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070086
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FBD
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070044
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700EA
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700CD
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070127
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070116
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 0007014C
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0007005F
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070011
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070FAC
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070033
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070022
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070105
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0006002C
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060F94
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060011
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060000
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060FA5
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060FEF
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0006003D
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060FB6
.text F:\WINDOWS\system32\services.exe[652] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00000
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00FAF
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F0009A
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00FC0
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F0007D
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F00051
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F000D5
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F00F8D
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F000FA
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F00F57
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F0010B
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F00062
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F0001B
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F00F9E
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F00040
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F00FE5
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F00F72
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00EF0FB9
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00EF0051
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00EF000A
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00EF0FDE
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00EF0040
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00EF0FEF
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00EF002F
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00EF0F9E
.text F:\WINDOWS\system32\lsass.exe[664] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA0000
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E40FEF
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E40076
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E40065
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E40054
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E40F97
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E40FCD
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E400A2
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E40091
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E40F2E
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E400BD
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E40F13
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E40FB2
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E40014
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E40F70
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E40FDE
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E40025
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E40F3F
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E30FA8
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E30025
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E30FC3
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E30FD4
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E30F68
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E30FEF
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00E30F83
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 03, 89 ]
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E3000A
.text F:\WINDOWS\system32\svchost.exe[820] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CB0000
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DF0FE5
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DF0F88
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DF007D
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DF006C
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DF005B
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DF0FB9
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DF0F50
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DF0F61
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DF0F2E
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DF00C7
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00DF00E2
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00DF0040
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00DF000A
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00DF0098
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00DF0025
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00DF0FD4
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00DF0F3F
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DE003D
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DE0FAF
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DE0022
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DE0011
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DE0FC0
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DE0000
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00DE0FD1
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ FE, 88 ]
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DE0058
.text F:\WINDOWS\system32\svchost.exe[876] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DC0FEF
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02510FE5
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02510F63
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02510F88
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02510062
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02510051
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02510FAF
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02510090
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0251007F
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025100C6
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02510F23
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 025100D7
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02510036
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02510000
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02510F52
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02510FCA
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0251001B
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 025100A1
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02290FD4
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02290040
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02290025
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02290014
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02290F8D
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02290FEF
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02290F9E
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 49, 8A ]
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02290FB9
.text F:\WINDOWS\System32\svchost.exe[948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01460FEF
.text F:\WINDOWS\System32\svchost.exe[948] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 022A0FEF
.text F:\WINDOWS\System32\svchost.exe[948] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 022A0000
.text F:\WINDOWS\System32\svchost.exe[948] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 022A0FCA
.text F:\WINDOWS\System32\svchost.exe[948] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 022A0FAF
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00780FEF
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00780F48
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00780F63
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00780F74
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0078003D
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00780022
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00780084
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00780073
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00780EF5
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00780F06
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00780ED0
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00780FA5
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00780000
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00780062
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00780011
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00780FCA
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00780F21
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00770FCA
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00770087
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0077001B
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0077000A
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0077006C
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00770FEF
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0077005B
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00770040
.text F:\WINDOWS\system32\svchost.exe[1008] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00750FEF
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01830000
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01830F88
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0183007D
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0183006C
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0183005B
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01830FCA
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 018300A2
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01830F5A
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 018300C4
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01830F35
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 018300DF
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01830FAF
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0183001B
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01830F77
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01830FDB
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01830036
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 018300B3
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0182002C
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01820F91
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0182001B
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01820FEF
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01820FB6
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01820000
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 01820058
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0182003D
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01760000
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60000
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C60082
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C60F97
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60071
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C60FA8
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60040
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C60F4D
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C60093
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C60F32
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C600CB
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C600E6
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C60FC3
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C60FEF
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C60F68
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C60FD4
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C60025
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C600BA
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C4002C
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C40FB6
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C4001B
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C40FE5
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C40073
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C40000
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00C40062
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C40047
.text F:\WINDOWS\system32\svchost.exe[1160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C2000A
.text F:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00C5000A
.text F:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00C50025
.text F:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00C50FE5
.text F:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00C50036
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F52
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0047
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F6D
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F94
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FA5
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A006E
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F26
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00AE
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F15
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0EFA
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0036
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0000
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F41
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FCA
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A001B
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0093
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002A002C
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002A0070
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002A0011
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002A0FDB
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002A005F
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002A0000
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002A004E
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002A003D
.text F:\WINDOWS\system32\dllhost.exe[1504] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A30FEF
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E60FEF
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E60F94
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E60093
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E60FB9
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E60076
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E60040
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E60F68
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E60F79
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E60F3C
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E600D5
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E60F17
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E6005B
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E6000A
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E600A4
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E60025
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E60FDE
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E60F57
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CB002C
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CB0058
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CB001B
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CB0000
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CB003D
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CB0FEF
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00CB0FA5
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ EB, 88 ]
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CB0FC0
.text F:\WINDOWS\Explorer.EXE[1636] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00CC0FEF
.text F:\WINDOWS\Explorer.EXE[1636] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00CC000A
.text F:\WINDOWS\Explorer.EXE[1636] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00CC0025
.text F:\WINDOWS\Explorer.EXE[1636] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00CC0036
.text F:\WINDOWS\Explorer.EXE[1636] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00C90FE5
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E10FEF
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E10045
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E10F46
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E10F57
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E10F72
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E10F9E
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E10F1A
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E10062
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E10EEE
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E10091
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E10ED3
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E10F8D
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E10FD4
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreatePipe 7C81D827 1 Byte [ E9 ]
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreatePipe + 2 7C81D829 3 Bytes [ 36, 5F, 84 ]
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E10FAF
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E10000
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E10F09
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DF0FD1
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DF0F94
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DF0022
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DF0011
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DF0FAF
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DF0000
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00DF0047
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DF0FC0
.text F:\Program Files\Messenger\msmsgs.exe[1916] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DD0FEF
.text F:\Program Files\Messenger\msmsgs.exe[1916] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00E00000
.text F:\Program Files\Messenger\msmsgs.exe[1916] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00E0001B
.text F:\Program Files\Messenger\msmsgs.exe[1916] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00E0002C
.text F:\Program Files\Messenger\msmsgs.exe[1916] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00E00047
.text f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2304] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2304] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80FEF
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80F4D
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80F5E
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80F6F
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B8002C
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B8001B
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80F30
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80078
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80F04
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B8009D
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B800AE
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B80F94
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B80FD4
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B8005D
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B80FAF
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B8000A
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B80F1F
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B7002F
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B70FA5
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B70FD4
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B70FEF
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B7006C
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B70000
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B70051
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B70040
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A006E
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F79
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F8A
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FA5
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FC0
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0089
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F4D
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00B5
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F1C
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00D0
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0047
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A001B
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F68
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0036
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FE5
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A00A4
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002A0036
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002A005B
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002A001B
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002A0FEF
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002A0F9E
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002A0000
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 002A0FB9
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 4A, 88 ]
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002A0FCA
.text F:\WINDOWS\system32\dllhost.exe[4216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70000
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00250FEF
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0025005B
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00250040
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0025002F
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00250F72
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00250F9E
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0025009A
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00250089
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00250F15
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00250F26
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 002500C9
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00250F8D
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00250000
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0025006C
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00250FC3
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00250FD4
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00250F37
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00350FB9
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00350051
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00350FCA
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00350FE5
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00350F9E
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00350000
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00350040
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00350025
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02EE0FEF
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02EE0000
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02EE0FC0
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02EE0011
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03400FEF
---- Devices - GMER 1.0.14 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- EOF - GMER 1.0.14 ----