10 Replies, latest reply on Apr 18, 2012 7:36 PM by Peter M

    Help with interpreting GMER log

      I'm hoping someone can help me interpret these results from GMER.  McAfee and Malwarebytes find absolutely ZERO on the system but all of the JMPs in this concern me.  Is this something McAfee is doing, or is there an infection that's hiding itself very well from McAfee and MBAM?


      GMER 1.0.15.15641 - http://www.gmer.net

      Rootkit scan 2012-04-14 22:27:29

      Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6E040L0 rev.NAR61590

      Running: wkgf3h1p.exe; Driver: C:\DOCUME~1\BARBAR~1\LOCALS~1\Temp\kwayqpod.sys

       

       

      ---- System - GMER 1.0.15 ----

       

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         ZwCreateKey [0xF74874C0]

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         ZwDeleteKey [0xF74874D4]

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         ZwDeleteValueKey [0xF7487500]

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         ZwMapViewOfSection [0xF7487556]

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         ZwOpenKey [0xF74874AC]

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         ZwOpenProcess [0xF7487484]

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         ZwOpenThread [0xF7487498]

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         ZwRenameKey [0xF74874EA]

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         ZwSetSecurityObject [0xF748752C]

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         ZwSetValueKey [0xF7487516]

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         ZwTerminateProcess [0xF7487580]

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         ZwUnmapViewOfSection [0xF748756C]

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         ZwYieldExecution [0xF7487540]

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         NtMapViewOfSection

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         NtOpenProcess

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         NtOpenThread

      Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                                                         NtSetSecurityObject

       

      ---- Kernel code sections - GMER 1.0.15 ----

       

      .text           ntoskrnl.exe!ZwYieldExecution                                                                                                         804F0EB6 7 Bytes  JMP F7487544 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

      PAGE            ntoskrnl.exe!ZwOpenKey                                                                                                                80568F68 5 Bytes  JMP F74874B0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

      PAGE            ntoskrnl.exe!ZwCreateKey                                                                                                              8057376F 5 Bytes  JMP F74874C4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

      PAGE            ntoskrnl.exe!NtOpenProcess                                                                                                            80574AA9 5 Bytes  JMP F7487488 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

      PAGE            ntoskrnl.exe!ZwUnmapViewOfSection                                                                                                     8057A81E 5 Bytes  JMP F7487570 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

      PAGE            ntoskrnl.exe!NtMapViewOfSection                                                                                                       8057AC99 7 Bytes  JMP F748755A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

      PAGE            ntoskrnl.exe!ZwSetValueKey                                                                                                            8057BC5B 7 Bytes  JMP F748751A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

      PAGE            ntoskrnl.exe!ZwTerminateProcess                                                                                                       805839B9 5 Bytes  JMP F7487584 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

      PAGE            ntoskrnl.exe!NtOpenThread                                                                                                             8059323B 5 Bytes  JMP F748749C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

      PAGE            ntoskrnl.exe!ZwDeleteValueKey                                                                                                         80595C1A 7 Bytes  JMP F7487504 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

      PAGE            ntoskrnl.exe!ZwDeleteKey                                                                                                              80597FFA 7 Bytes  JMP F74874D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

      PAGE            ntoskrnl.exe!NtSetSecurityObject                                                                                                      8059D2BD 5 Bytes  JMP F7487530 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

      PAGE            ntoskrnl.exe!ZwRenameKey                                                                                                              8064F526 7 Bytes  JMP F74874EE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

       

      ---- User code sections - GMER 1.0.15 ----

       

      .text           C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!NtCreateFile                                                                           7C90D0AE 5 Bytes  JMP 00900FEF

      .text           C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!NtCreateProcess                                                                        7C90D14E 5 Bytes  JMP 0090002F

      .text           C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!NtProtectVirtualMemory                                                                 7C90D6EE 5 Bytes  JMP 0090000A

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!CreateFileA                                                                         7C801A28 5 Bytes  JMP 00BC0FEF

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!VirtualProtectEx                                                                    7C801A61 5 Bytes  JMP 00BC0F5E

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!VirtualProtect                                                                      7C801AD4 5 Bytes  JMP 00BC005D

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!LoadLibraryExW                                                                      7C801AF5 5 Bytes  JMP 00BC0F83

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!LoadLibraryExA                                                                      7C801D53 5 Bytes  JMP 00BC0F94

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!LoadLibraryA                                                                        7C801D7B 5 Bytes  JMP 00BC002C

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!GetStartupInfoW                                                                     7C801E54 5 Bytes  JMP 00BC0090

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!GetStartupInfoA                                                                     7C801EF2 5 Bytes  JMP 00BC007F

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!CreateProcessW                                                                      7C802336 5 Bytes  JMP 00BC00D7

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!CreateProcessA                                                                      7C80236B 5 Bytes  JMP 00BC00BC

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!GetProcAddress                                                                      7C80AE40 5 Bytes  JMP 00BC00F2

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!LoadLibraryW                                                                        7C80AEEB 5 Bytes  JMP 00BC0FAF

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!CreateFileW                                                                         7C810800 5 Bytes  JMP 00BC0000

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!CreatePipe                                                                          7C81D83F 5 Bytes  JMP 00BC006E

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!CreateNamedPipeW                                                                    7C82F0DD 5 Bytes  JMP 00BC0FC0

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!CreateNamedPipeA                                                                    7C860CDC 5 Bytes  JMP 00BC0011

      .text           C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!WinExec                                                                             7C86250D 5 Bytes  JMP 00BC00AB

      .text           C:\WINDOWS\System32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyExW                                                                       77DD6AAF 5 Bytes  JMP 00BB0FDE

      .text           C:\WINDOWS\System32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyExW                                                                     77DD776C 5 Bytes  JMP 00BB0065

      .text           C:\WINDOWS\System32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyExA                                                                       77DD7852 5 Bytes  JMP 00BB0025

      .text           C:\WINDOWS\System32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyW                                                                         77DD7946 5 Bytes  JMP 00BB0FEF

      .text           C:\WINDOWS\System32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyExA                                                                     77DDE9F4 5 Bytes  JMP 00BB0054

      .text           C:\WINDOWS\System32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyA                                                                         77DDEFC8 5 Bytes  JMP 00BB0000

      .text           C:\WINDOWS\System32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyW                                                                       77DFBA55 2 Bytes  JMP 00BB0FB2

      .text           C:\WINDOWS\System32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyW + 3                                                                  77DFBA58 2 Bytes  [DB, 88]

      .text           C:\WINDOWS\System32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyA                                                                       77DFBCF3 5 Bytes  JMP 00BB0FCD

      .text           C:\WINDOWS\System32\svchost.exe[752] msvcrt.dll!_wsystem                                                                              77C2931E 5 Bytes  JMP 0093000A

      .text           C:\WINDOWS\System32\svchost.exe[752] msvcrt.dll!system                                                                                77C293C7 5 Bytes  JMP 00930F7F

      .text           C:\WINDOWS\System32\svchost.exe[752] msvcrt.dll!_creat                                                                                77C2D40F 5 Bytes  JMP 00930FB5

      .text           C:\WINDOWS\System32\svchost.exe[752] msvcrt.dll!_open                                                                                 77C2F566 5 Bytes  JMP 00930FEF

      .text           C:\WINDOWS\System32\svchost.exe[752] msvcrt.dll!_wcreat                                                                               77C2FC9B 5 Bytes  JMP 00930F9A

      .text           C:\WINDOWS\System32\svchost.exe[752] msvcrt.dll!_wopen                                                                                77C30055 5 Bytes  JMP 00930FC6

      .text           C:\WINDOWS\System32\svchost.exe[752] WININET.dll!InternetOpenA                                                                        3D95D6A8 5 Bytes  JMP 00910FE5

      .text           C:\WINDOWS\System32\svchost.exe[752] WININET.dll!InternetOpenW                                                                        3D95DB21 5 Bytes  JMP 00910FD4

      .text           C:\WINDOWS\System32\svchost.exe[752] WININET.dll!InternetOpenUrlA                                                                     3D95F3BC 5 Bytes  JMP 00910FC3

      .text           C:\WINDOWS\System32\svchost.exe[752] WININET.dll!InternetOpenUrlW                                                                     3D9A6DFF 5 Bytes  JMP 0091001E

      .text           C:\WINDOWS\System32\svchost.exe[752] WS2_32.dll!socket                                                                                71AB4211 5 Bytes  JMP 0092000A

      .text           C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtCreateFile                                                                          7C90D0AE 5 Bytes  JMP 011A0FEF

      .text           C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtCreateProcess                                                                       7C90D14E 5 Bytes  JMP 011A0FD4

      .text           C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtProtectVirtualMemory                                                                7C90D6EE 5 Bytes  JMP 011A000A

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateFileA                                                                        7C801A28 5 Bytes  JMP 011E000A

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!VirtualProtectEx                                                                   7C801A61 5 Bytes  JMP 011E0F44

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!VirtualProtect                                                                     7C801AD4 5 Bytes  JMP 011E0039

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryExW                                                                     7C801AF5 5 Bytes  JMP 011E0F6B

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryExA                                                                     7C801D53 5 Bytes  JMP 011E0F7C

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryA                                                                       7C801D7B 5 Bytes  JMP 011E0FA8

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!GetStartupInfoW                                                                    7C801E54 5 Bytes  JMP 011E006A

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!GetStartupInfoA                                                                    7C801EF2 5 Bytes  JMP 011E0F22

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateProcessW                                                                     7C802336 5 Bytes  JMP 011E00A0

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateProcessA                                                                     7C80236B 5 Bytes  JMP 011E0F07

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!GetProcAddress                                                                     7C80AE40 5 Bytes  JMP 011E00BB

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryW                                                                       7C80AEEB 5 Bytes  JMP 011E0F97

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateFileW                                                                        7C810800 5 Bytes  JMP 011E0FE5

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreatePipe                                                                         7C81D83F 5 Bytes  JMP 011E0F33

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateNamedPipeW                                                                   7C82F0DD 5 Bytes  JMP 011E0FC3

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateNamedPipeA                                                                   7C860CDC 5 Bytes  JMP 011E0FD4

      .text           C:\WINDOWS\system32\services.exe[852] kernel32.dll!WinExec                                                                            7C86250D 5 Bytes  JMP 011E007B

      .text           C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegOpenKeyExW                                                                      77DD6AAF 5 Bytes  JMP 011D0036

      .text           C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegCreateKeyExW                                                                    77DD776C 5 Bytes  JMP 011D0F9E

      .text           C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegOpenKeyExA                                                                      77DD7852 5 Bytes  JMP 011D0025

      .text           C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegOpenKeyW                                                                        77DD7946 5 Bytes  JMP 011D000A

      .text           C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegCreateKeyExA                                                                    77DDE9F4 5 Bytes  JMP 011D0FB9

      .text           C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegOpenKeyA                                                                        77DDEFC8 5 Bytes  JMP 011D0FEF

      .text           C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegCreateKeyW                                                                      77DFBA55 2 Bytes  JMP 011D0FD4

      .text           C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegCreateKeyW + 3                                                                 77DFBA58 2 Bytes  [3D, 89]

      .text           C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegCreateKeyA                                                                      77DFBCF3 5 Bytes  JMP 011D0051

      .text           C:\WINDOWS\system32\services.exe[852] msvcrt.dll!_wsystem                                                                             77C2931E 5 Bytes  JMP 011C0F9C

      .text           C:\WINDOWS\system32\services.exe[852] msvcrt.dll!system                                                                               77C293C7 5 Bytes  JMP 011C0FB7

      .text           C:\WINDOWS\system32\services.exe[852] msvcrt.dll!_creat                                                                               77C2D40F 5 Bytes  JMP 011C001D

      .text           C:\WINDOWS\system32\services.exe[852] msvcrt.dll!_open                                                                                77C2F566 5 Bytes  JMP 011C0FEF

      .text           C:\WINDOWS\system32\services.exe[852] msvcrt.dll!_wcreat                                                                              77C2FC9B 5 Bytes  JMP 011C0FC8

      .text           C:\WINDOWS\system32\services.exe[852] msvcrt.dll!_wopen                                                                               77C30055 5 Bytes  JMP 011C000C

      .text           C:\WINDOWS\system32\services.exe[852] WS2_32.dll!socket                                                                               71AB4211 5 Bytes  JMP 011B0000

      .text           C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtCreateFile                                                                             7C90D0AE 5 Bytes  JMP 00BE0000

      .text           C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtCreateProcess                                                                          7C90D14E 5 Bytes  JMP 00BE0025

      .text           C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtProtectVirtualMemory                                                                   7C90D6EE 5 Bytes  JMP 00BE0FEF

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateFileA                                                                           7C801A28 5 Bytes  JMP 00BB0000

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!VirtualProtectEx                                                                      7C801A61 5 Bytes  JMP 00BB0F41

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!VirtualProtect                                                                        7C801AD4 5 Bytes  JMP 00BB0F52

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryExW                                                                        7C801AF5 5 Bytes  JMP 00BB0F79

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryExA                                                                        7C801D53 5 Bytes  JMP 00BB0F94

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryA                                                                          7C801D7B 5 Bytes  JMP 00BB0FC0

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!GetStartupInfoW                                                                       7C801E54 5 Bytes  JMP 00BB006E

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!GetStartupInfoA                                                                       7C801EF2 5 Bytes  JMP 00BB0F26

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateProcessW                                                                        7C802336 5 Bytes  JMP 00BB0093

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateProcessA                                                                        7C80236B 5 Bytes  JMP 00BB0F04

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!GetProcAddress                                                                        7C80AE40 5 Bytes  JMP 00BB0EDF

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryW                                                                          7C80AEEB 5 Bytes  JMP 00BB0FA5

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateFileW                                                                           7C810800 5 Bytes  JMP 00BB0FE5

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreatePipe                                                                            7C81D83F 5 Bytes  JMP 00BB0047

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateNamedPipeW                                                                      7C82F0DD 5 Bytes  JMP 00BB002C

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateNamedPipeA                                                                      7C860CDC 5 Bytes  JMP 00BB001B

      .text           C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!WinExec                                                                               7C86250D 5 Bytes  JMP 00BB0F15

      .text           C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyExW                                                                         77DD6AAF 5 Bytes  JMP 00BA0FB9

      .text           C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyExW                                                                       77DD776C 5 Bytes  JMP 00BA0F94

      .text           C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyExA                                                                         77DD7852 5 Bytes  JMP 00BA0FCA

      .text           C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyW                                                                           77DD7946 5 Bytes  JMP 00BA0000

      .text           C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyExA                                                                       77DDE9F4 5 Bytes  JMP 00BA0047

      .text           C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyA                                                                           77DDEFC8 5 Bytes  JMP 00BA0FEF

      .text           C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyW                                                                         77DFBA55 5 Bytes  JMP 00BA0036

      .text           C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyA                                                                         77DFBCF3 5 Bytes  JMP 00BA0025

      .text           C:\WINDOWS\system32\lsass.exe[864] msvcrt.dll!_wsystem                                                                                77C2931E 5 Bytes  JMP 00B90F9C

      .text           C:\WINDOWS\system32\lsass.exe[864] msvcrt.dll!system                                                                                  77C293C7 5 Bytes  JMP 00B90027

      .text           C:\WINDOWS\system32\lsass.exe[864] msvcrt.dll!_creat                                                                                  77C2D40F 5 Bytes  JMP 00B90FB7

      .text           C:\WINDOWS\system32\lsass.exe[864] msvcrt.dll!_open                                                                                   77C2F566 5 Bytes  JMP 00B90FE3

      .text           C:\WINDOWS\system32\lsass.exe[864] msvcrt.dll!_wcreat                                                                                 77C2FC9B 5 Bytes  JMP 00B9000C

      .text           C:\WINDOWS\system32\lsass.exe[864] msvcrt.dll!_wopen                                                                                  77C30055 5 Bytes  JMP 00B90FD2

      .text           C:\WINDOWS\system32\lsass.exe[864] WS2_32.dll!socket                                                                                  71AB4211 5 Bytes  JMP 00B80FEF

      .text           C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[912] kernel32.dll!LoadLibraryA                                           7C801D7B 5 Bytes  JMP 624199A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

      .text           C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[912] kernel32.dll!LoadLibraryW                                           7C80AEEB 5 Bytes  JMP 62419A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

      .text           C:\WINDOWS\system32\svchost.exe[1016] ntdll.dll!NtCreateFile                                                                          7C90D0AE 5 Bytes  JMP 00B70000

      .text           C:\WINDOWS\system32\svchost.exe[1016] ntdll.dll!NtCreateProcess                                                                       7C90D14E 5 Bytes  JMP 00B7002C

      .text           C:\WINDOWS\system32\svchost.exe[1016] ntdll.dll!NtProtectVirtualMemory                                                                7C90D6EE 5 Bytes  JMP 00B7001B

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileA                                                                        7C801A28 5 Bytes  JMP 00BB0FEF

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtectEx                                                                   7C801A61 5 Bytes  JMP 00BB0087

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtect                                                                     7C801AD4 5 Bytes  JMP 00BB0076

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExW                                                                     7C801AF5 5 Bytes  JMP 00BB0065

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExA                                                                     7C801D53 5 Bytes  JMP 00BB0FA8

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryA                                                                       7C801D7B 5 Bytes  JMP 00BB0FC3

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoW                                                                    7C801E54 5 Bytes  JMP 00BB0F35

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoA                                                                    7C801EF2 5 Bytes  JMP 00BB0F5C

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessW                                                                     7C802336 5 Bytes  JMP 00BB00B3

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessA                                                                     7C80236B 5 Bytes  JMP 00BB00A2

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetProcAddress                                                                     7C80AE40 5 Bytes  JMP 00BB0EFF

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryW                                                                       7C80AEEB 5 Bytes  JMP 00BB004A

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileW                                                                        7C810800 5 Bytes  JMP 00BB0014

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreatePipe                                                                         7C81D83F 5 Bytes  JMP 00BB0F6D

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeW                                                                   7C82F0DD 5 Bytes  JMP 00BB0FDE

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeA                                                                   7C860CDC 5 Bytes  JMP 00BB0025

      .text           C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!WinExec                                                                            7C86250D 5 Bytes  JMP 00BB0F1A

      .text           C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExW                                                                      77DD6AAF 5 Bytes  JMP 00BA0FDB

      .text           C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExW                                                                    77DD776C 5 Bytes  JMP 00BA0084

      .text           C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExA                                                                      77DD7852 5 Bytes  JMP 00BA002C

      .text           C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyW                                                                        77DD7946 5 Bytes  JMP 00BA0011

      .text           C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExA                                                                    77DDE9F4 5 Bytes  JMP 00BA0069

      .text           C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyA                                                                        77DDEFC8 5 Bytes  JMP 00BA0000

      .text           C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW                                                                      77DFBA55 5 Bytes  JMP 00BA0058

      .text           C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyA                                                                      77DFBCF3 5 Bytes  JMP 00BA0047

      .text           C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wsystem                                                                             77C2931E 5 Bytes  JMP 00B90FCA

      .text           C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!system                                                                               77C293C7 5 Bytes  JMP 00B9005F

      .text           C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_creat                                                                               77C2D40F 5 Bytes  JMP 00B90029

      .text           C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_open                                                                                77C2F566 5 Bytes  JMP 00B90000

      .text           C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wcreat                                                                              77C2FC9B 5 Bytes  JMP 00B9003A

      .text           C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wopen                                                                               77C30055 5 Bytes  JMP 00B90FEF

      .text           C:\WINDOWS\system32\svchost.exe[1016] WS2_32.dll!socket                                                                               71AB4211 5 Bytes  JMP 00B80FEF

      .text           C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtCreateFile                                                                          7C90D0AE 5 Bytes  JMP 00CF0FEF

      .text           C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtCreateProcess                                                                       7C90D14E 5 Bytes  JMP 00CF000A

      .text           C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtProtectVirtualMemory                                                                7C90D6EE 5 Bytes  JMP 00CF0FD4

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileA                                                                        7C801A28 5 Bytes  JMP 00D30FEF

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtectEx                                                                   7C801A61 5 Bytes  JMP 00D30F74

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtect                                                                     7C801AD4 5 Bytes  JMP 00D30069

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW                                                                     7C801AF5 5 Bytes  JMP 00D30058

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExA                                                                     7C801D53 5 Bytes  JMP 00D30047

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryA                                                                       7C801D7B 5 Bytes  JMP 00D30FA5

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoW                                                                    7C801E54 5 Bytes  JMP 00D300B2

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoA                                                                    7C801EF2 5 Bytes  JMP 00D30095

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW                                                                     7C802336 5 Bytes  JMP 00D30F34

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA                                                                     7C80236B 5 Bytes  JMP 00D300CD

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetProcAddress                                                                     7C80AE40 5 Bytes  JMP 00D30F19

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryW                                                                       7C80AEEB 5 Bytes  JMP 00D30036

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileW                                                                        7C810800 5 Bytes  JMP 00D3000A

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreatePipe                                                                         7C81D83F 5 Bytes  JMP 00D30084

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW                                                                   7C82F0DD 5 Bytes  JMP 00D30FC0

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA                                                                   7C860CDC 5 Bytes  JMP 00D3001B

      .text           C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!WinExec                                                                            7C86250D 5 Bytes  JMP 00D30F4F

      .text           C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW                                                                      77DD6AAF 5 Bytes  JMP 00D2002F

      .text           C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW                                                                    77DD776C 5 Bytes  JMP 00D2006C

      .text           C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA                                                                      77DD7852 5 Bytes  JMP 00D20FD4

      .text           C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW                                                                        77DD7946 5 Bytes  JMP 00D20FE5

      .text           C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA                                                                    77DDE9F4 5 Bytes  JMP 00D2005B

      .text           C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA                                                                        77DDEFC8 5 Bytes  JMP 00D20000

      .text           C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW                                                                      77DFBA55 2 Bytes  JMP 00D20FB9

      .text           C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW + 3                                                                 77DFBA58 2 Bytes  [F2, 88]

      .text           C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA                                                                      77DFBCF3 5 Bytes  JMP 00D20040

      .text           C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wsystem                                                                             77C2931E 5 Bytes  JMP 00D10F7F

      .text           C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!system                                                                               77C293C7 5 Bytes  JMP 00D10014

      .text           C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_creat                                                                               77C2D40F 5 Bytes  JMP 00D10FB5

      .text           C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_open                                                                                77C2F566 5 Bytes  JMP 00D10FEF

      .text           C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wcreat                                                                              77C2FC9B 5 Bytes  JMP 00D10FA4

      .text           C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wopen                                                                               77C30055 5 Bytes  JMP 00D10FD2

      .text           C:\WINDOWS\system32\svchost.exe[1104] WS2_32.dll!socket                                                                               71AB4211 5 Bytes  JMP 00D0000A

      .text           C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtCreateFile                                                                          7C90D0AE 5 Bytes  JMP 026F000A

      .text           C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtCreateProcess                                                                       7C90D14E 5 Bytes  JMP 026F0025

      .text           C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtProtectVirtualMemory                                                                7C90D6EE 5 Bytes  JMP 026F0FE5

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateFileA                                                                        7C801A28 5 Bytes  JMP 027B0FEF

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!VirtualProtectEx                                                                   7C801A61 5 Bytes  JMP 027B0F59

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!VirtualProtect                                                                     7C801AD4 5 Bytes  JMP 027B0058

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!LoadLibraryExW                                                                     7C801AF5 5 Bytes  JMP 027B0F8A

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!LoadLibraryExA                                                                     7C801D53 5 Bytes  JMP 027B0047

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!LoadLibraryA                                                                       7C801D7B 5 Bytes  JMP 027B0FAF

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!GetStartupInfoW                                                                    7C801E54 5 Bytes  JMP 027B0F21

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!GetStartupInfoA                                                                    7C801EF2 5 Bytes  JMP 027B0F32

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateProcessW                                                                     7C802336 5 Bytes  JMP 027B0EFF

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateProcessA                                                                     7C80236B 5 Bytes  JMP 027B0098

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!GetProcAddress                                                                     7C80AE40 5 Bytes  JMP 027B00BD

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!LoadLibraryW                                                                       7C80AEEB 5 Bytes  JMP 027B0036

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateFileW                                                                        7C810800 5 Bytes  JMP 027B0000

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreatePipe                                                                         7C81D83F 5 Bytes  JMP 027B0069

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateNamedPipeW                                                                   7C82F0DD 5 Bytes  JMP 027B0025

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateNamedPipeA                                                                   7C860CDC 5 Bytes  JMP 027B0FCA

      .text           C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!WinExec                                                                            7C86250D 5 Bytes  JMP 027B0F10

      .text           C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExW                                                                      77DD6AAF 5 Bytes  JMP 027A002C

      .text           C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExW                                                                    77DD776C 5 Bytes  JMP 027A0F94

      .text           C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExA                                                                      77DD7852 5 Bytes  JMP 027A0011

      .text           C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyW                                                                        77DD7946 5 Bytes  JMP 027A0000

      .text           C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExA                                                                    77DDE9F4 5 Bytes  JMP 027A0FA5

      .text           C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyA                                                                        77DDEFC8 5 Bytes  JMP 027A0FEF

      .text           C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyW                                                                      77DFBA55 5 Bytes  JMP 027A0047

      .text           C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyA                                                                      77DFBCF3 5 Bytes  JMP 027A0FC0

      .text           C:\WINDOWS\System32\svchost.exe[1200] msvcrt.dll!_wsystem                                                                             77C2931E 5 Bytes  JMP 02790FB7

      .text           C:\WINDOWS\System32\svchost.exe[1200] msvcrt.dll!system                                                                               77C293C7 5 Bytes  JMP 02790042

      .text           C:\WINDOWS\System32\svchost.exe[1200] msvcrt.dll!_creat                                                                               77C2D40F 5 Bytes  JMP 02790FC8

      .text           C:\WINDOWS\System32\svchost.exe[1200] msvcrt.dll!_open                                                                                77C2F566 5 Bytes  JMP 0279000C

      .text           C:\WINDOWS\System32\svchost.exe[1200] msvcrt.dll!_wcreat                                                                              77C2FC9B 5 Bytes  JMP 0279001D

      .text           C:\WINDOWS\System32\svchost.exe[1200] msvcrt.dll!_wopen                                                                               77C30055 5 Bytes  JMP 02790FEF

      .text           C:\WINDOWS\System32\svchost.exe[1200] WS2_32.dll!socket                                                                               71AB4211 5 Bytes  JMP 02700000

      .text           C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenA                                                                       3D95D6A8 5 Bytes  JMP 026E000A

      .text           C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenW                                                                       3D95DB21 5 Bytes  JMP 026E001B

      .text           C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenUrlA                                                                    3D95F3BC 5 Bytes  JMP 026E002C

      .text           C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenUrlW                                                                    3D9A6DFF 5 Bytes  JMP 026E0FDB

      .text           C:\WINDOWS\System32\svchost.exe[1248] ntdll.dll!NtCreateFile                                                                          7C90D0AE 5 Bytes  JMP 00740FEF

      .text           C:\WINDOWS\System32\svchost.exe[1248] ntdll.dll!NtCreateProcess                                                                       7C90D14E 5 Bytes  JMP 00740014

      .text           C:\WINDOWS\System32\svchost.exe[1248] ntdll.dll!NtProtectVirtualMemory                                                                7C90D6EE 5 Bytes  JMP 00740FDE

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!CreateFileA                                                                        7C801A28 5 Bytes  JMP 00780FE5

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!VirtualProtectEx                                                                   7C801A61 5 Bytes  JMP 00780F88

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!VirtualProtect                                                                     7C801AD4 5 Bytes  JMP 00780087

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!LoadLibraryExW                                                                     7C801AF5 5 Bytes  JMP 0078006C

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!LoadLibraryExA                                                                     7C801D53 5 Bytes  JMP 00780FB9

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!LoadLibraryA                                                                       7C801D7B 5 Bytes  JMP 00780040

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!GetStartupInfoW                                                                    7C801E54 5 Bytes  JMP 00780F52

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!GetStartupInfoA                                                                    7C801EF2 5 Bytes  JMP 007800A4

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!CreateProcessW                                                                     7C802336 5 Bytes  JMP 00780F2D

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!CreateProcessA                                                                     7C80236B 5 Bytes  JMP 007800C6

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!GetProcAddress                                                                     7C80AE40 5 Bytes  JMP 00780F08

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!LoadLibraryW                                                                       7C80AEEB 5 Bytes  JMP 00780051

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!CreateFileW                                                                        7C810800 5 Bytes  JMP 0078000A

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!CreatePipe                                                                         7C81D83F 5 Bytes  JMP 00780F77

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!CreateNamedPipeW                                                                   7C82F0DD 5 Bytes  JMP 0078001B

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!CreateNamedPipeA                                                                   7C860CDC 5 Bytes  JMP 00780FCA

      .text           C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!WinExec                                                                            7C86250D 5 Bytes  JMP 007800B5

      .text           C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExW                                                                      77DD6AAF 5 Bytes  JMP 00770FCA

      .text           C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExW                                                                    77DD776C 5 Bytes  JMP 0077005B

      .text           C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExA                                                                      77DD7852 5 Bytes  JMP 00770025

      .text           C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyW                                                                        77DD7946 5 Bytes  JMP 00770FE5

      .text           C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExA                                                                    77DDE9F4 5 Bytes  JMP 00770F9E

      .text           C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyA                                                                        77DDEFC8 5 Bytes  JMP 00770000

      .text           C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyW                                                                      77DFBA55 2 Bytes  JMP 00770FAF

      .text           C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyW + 3                                                                 77DFBA58 2 Bytes  [97, 88]

      .text           C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyA                                                                      77DFBCF3 5 Bytes  JMP 00770036

      .text           C:\WINDOWS\System32\svchost.exe[1248] msvcrt.dll!_wsystem                                                                             77C2931E 5 Bytes  JMP 00760FCD

      .text           C:\WINDOWS\System32\svchost.exe[1248] msvcrt.dll!system                                                                               77C293C7 5 Bytes  JMP 00760FDE

      .text           C:\WINDOWS\System32\svchost.exe[1248] msvcrt.dll!_creat                                                                               77C2D40F 5 Bytes  JMP 00760033

      .text           C:\WINDOWS\System32\svchost.exe[1248] msvcrt.dll!_open                                                                                77C2F566 5 Bytes  JMP 0076000C

      .text           C:\WINDOWS\System32\svchost.exe[1248] msvcrt.dll!_wcreat                                                                              77C2FC9B 5 Bytes  JMP 00760044

      .text           C:\WINDOWS\System32\svchost.exe[1248] msvcrt.dll!_wopen                                                                               77C30055 5 Bytes  JMP 00760FEF

      .text           C:\WINDOWS\System32\svchost.exe[1248] WS2_32.dll!socket                                                                               71AB4211 5 Bytes  JMP 0075000A

      .text           C:\WINDOWS\System32\svchost.exe[1348] ntdll.dll!NtCreateFile                                                                          7C90D0AE 5 Bytes  JMP 00990FEF

      .text           C:\WINDOWS\System32\svchost.exe[1348] ntdll.dll!NtCreateProcess                                                                       7C90D14E 5 Bytes  JMP 00990FDE

      .text           C:\WINDOWS\System32\svchost.exe[1348] ntdll.dll!NtProtectVirtualMemory                                                                7C90D6EE 5 Bytes  JMP 00990014

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!CreateFileA                                                                        7C801A28 5 Bytes  JMP 009D0FEF

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!VirtualProtectEx                                                                   7C801A61 5 Bytes  JMP 009D007D

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!VirtualProtect                                                                     7C801AD4 5 Bytes  JMP 009D006C

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!LoadLibraryExW                                                                     7C801AF5 5 Bytes  JMP 009D005B

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!LoadLibraryExA                                                                     7C801D53 5 Bytes  JMP 009D0F9E

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!LoadLibraryA                                                                       7C801D7B 5 Bytes  JMP 009D0FB9

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!GetStartupInfoW                                                                    7C801E54 5 Bytes  JMP 009D00AE

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!GetStartupInfoA                                                                    7C801EF2 5 Bytes  JMP 009D0F66

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!CreateProcessW                                                                     7C802336 5 Bytes  JMP 009D00F8

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!CreateProcessA                                                                     7C80236B 5 Bytes  JMP 009D0F55

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!GetProcAddress                                                                     7C80AE40 5 Bytes  JMP 009D0109

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!LoadLibraryW                                                                       7C80AEEB 5 Bytes  JMP 009D0040

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!CreateFileW                                                                        7C810800 5 Bytes  JMP 009D0FDE

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!CreatePipe                                                                         7C81D83F 5 Bytes  JMP 009D0F77

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!CreateNamedPipeW                                                                   7C82F0DD 5 Bytes  JMP 009D0025

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!CreateNamedPipeA                                                                   7C860CDC 5 Bytes  JMP 009D0014

      .text           C:\WINDOWS\System32\svchost.exe[1348] kernel32.dll!WinExec                                                                            7C86250D 5 Bytes  JMP 009D00D3

      .text           C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExW                                                                      77DD6AAF 5 Bytes  JMP 009C0FB9

      .text           C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExW                                                                    77DD776C 5 Bytes  JMP 009C0F94

      .text           C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExA                                                                      77DD7852 5 Bytes  JMP 009C0FD4

      .text           C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyW                                                                        77DD7946 5 Bytes  JMP 009C000A

      .text           C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExA                                                                    77DDE9F4 5 Bytes  JMP 009C0051

      .text           C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyA                                                                        77DDEFC8 5 Bytes  JMP 009C0FEF

      .text           C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyW                                                                      77DFBA55 5 Bytes  JMP 009C0036

      .text           C:\WINDOWS\System32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyA                                                                      77DFBCF3 5 Bytes  JMP 009C0025

      .text           C:\WINDOWS\System32\svchost.exe[1348] msvcrt.dll!_wsystem                                                                             77C2931E 5 Bytes  JMP 009B004E

      .text           C:\WINDOWS\System32\svchost.exe[1348] msvcrt.dll!system                                                                               77C293C7 5 Bytes  JMP 009B0FC3

      .text           C:\WINDOWS\System32\svchost.exe[1348] msvcrt.dll!_creat                                                                               77C2D40F 5 Bytes  JMP 009B0033

      .text           C:\WINDOWS\System32\svchost.exe[1348] msvcrt.dll!_open                                                                                77C2F566 5 Bytes  JMP 009B000C

      .text           C:\WINDOWS\System32\svchost.exe[1348] msvcrt.dll!_wcreat                                                                              77C2FC9B 5 Bytes  JMP 009B0FD4

      .text           C:\WINDOWS\System32\svchost.exe[1348] msvcrt.dll!_wopen                                                                               77C30055 5 Bytes  JMP 009B0FEF

      .text           C:\WINDOWS\System32\svchost.exe[1348] WS2_32.dll!socket                                                                               71AB4211 5 Bytes  JMP 009A0FEF

      .text           C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!NtCreateFile                                                                          7C90D0AE 5 Bytes  JMP 00A20000

      .text           C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!NtCreateProcess                                                                       7C90D14E 5 Bytes  JMP 00A2001B

      .text           C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!NtProtectVirtualMemory                                                                7C90D6EE 5 Bytes  JMP 00A20FEF

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!CreateFileA                                                                        7C801A28 5 Bytes  JMP 00A50FE5

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!VirtualProtectEx                                                                   7C801A61 5 Bytes  JMP 00A50080

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!VirtualProtect                                                                     7C801AD4 5 Bytes  JMP 00A50F8B

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!LoadLibraryExW                                                                     7C801AF5 5 Bytes  JMP 00A50065

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!LoadLibraryExA                                                                     7C801D53 5 Bytes  JMP 00A50054

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!LoadLibraryA                                                                       7C801D7B 5 Bytes  JMP 00A50FA8

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!GetStartupInfoW                                                                    7C801E54 5 Bytes  JMP 00A500B8

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!GetStartupInfoA                                                                    7C801EF2 5 Bytes  JMP 00A5009B

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!CreateProcessW                                                                     7C802336 5 Bytes  JMP 00A50F33

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!CreateProcessA                                                                     7C80236B 5 Bytes  JMP 00A50F44

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!GetProcAddress                                                                     7C80AE40 5 Bytes  JMP 00A500E7

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!LoadLibraryW                                                                       7C80AEEB 5 Bytes  JMP 00A50039

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!CreateFileW                                                                        7C810800 5 Bytes  JMP 00A50000

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!CreatePipe                                                                         7C81D83F 5 Bytes  JMP 00A50F70

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!CreateNamedPipeW                                                                   7C82F0DD 5 Bytes  JMP 00A50FC3

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!CreateNamedPipeA                                                                   7C860CDC 5 Bytes  JMP 00A50FD4

      .text           C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!WinExec                                                                            7C86250D 5 Bytes  JMP 00A50F5F

      .text           C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyExW                                                                      77DD6AAF 5 Bytes  JMP 00A40FCA

      .text           C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyExW                                                                    77DD776C 5 Bytes  JMP 00A4007D

      .text           C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyExA                                                                      77DD7852 5 Bytes  JMP 00A4001B

      .text           C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyW                                                                        77DD7946 5 Bytes  JMP 00A40FE5

      .text           C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyExA                                                                    77DDE9F4 5 Bytes  JMP 00A40062

      .text           C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyA                                                                        77DDEFC8 5 Bytes  JMP 00A40000

      .text           C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyW                                                                      77DFBA55 5 Bytes  JMP 00A40047

      .text           C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyA                                                                      77DFBCF3 5 Bytes  JMP 00A40036

      .text           C:\WINDOWS\System32\svchost.exe[1568] msvcrt.dll!_wsystem                                                                             77C2931E 5 Bytes  JMP 00A30042

      .text           C:\WINDOWS\System32\svchost.exe[1568] msvcrt.dll!system                                                                               77C293C7 5 Bytes  JMP 00A30FB7

      .text           C:\WINDOWS\System32\svchost.exe[1568] msvcrt.dll!_creat                                                                               77C2D40F 5 Bytes  JMP 00A3000C

      .text           C:\WINDOWS\System32\svchost.exe[1568] msvcrt.dll!_open                                                                                77C2F566 5 Bytes  JMP 00A30FEF

      .text           C:\WINDOWS\System32\svchost.exe[1568] msvcrt.dll!_wcreat                                                                              77C2FC9B 5 Bytes  JMP 00A30027

      .text           C:\WINDOWS\System32\svchost.exe[1568] msvcrt.dll!_wopen                                                                               77C30055 5 Bytes  JMP 00A30FD2

      .text           C:\WINDOWS\Explorer.EXE[1768] ntdll.dll!NtCreateFile                                                                                  7C90D0AE 5 Bytes  JMP 01590FE5

      .text           C:\WINDOWS\Explorer.EXE[1768] ntdll.dll!NtCreateProcess                                                                               7C90D14E 5 Bytes  JMP 01590FC3

      .text           C:\WINDOWS\Explorer.EXE[1768] ntdll.dll!NtProtectVirtualMemory                                                                        7C90D6EE 5 Bytes  JMP 01590FD4

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreateFileA                                                                                7C801A28 5 Bytes  JMP 02C60FEF

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!VirtualProtectEx                                                                           7C801A61 5 Bytes  JMP 02C60F7A

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!VirtualProtect                                                                             7C801AD4 5 Bytes  JMP 02C60F8B

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!LoadLibraryExW                                                                             7C801AF5 5 Bytes  JMP 02C60065

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!LoadLibraryExA                                                                             7C801D53 5 Bytes  JMP 02C60FB2

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!LoadLibraryA                                                                               7C801D7B 5 Bytes  JMP 02C60FCD

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!GetStartupInfoW                                                                            7C801E54 5 Bytes  JMP 02C60094

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!GetStartupInfoA                                                                            7C801EF2 5 Bytes  JMP 02C60F4E

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreateProcessW                                                                             7C802336 5 Bytes  JMP 02C60F27

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreateProcessA                                                                             7C80236B 5 Bytes  JMP 02C600C0

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!GetProcAddress                                                                             7C80AE40 5 Bytes  JMP 02C60F16

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!LoadLibraryW                                                                               7C80AEEB 5 Bytes  JMP 02C60054

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreateFileW                                                                                7C810800 5 Bytes  JMP 02C60014

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreatePipe                                                                                 7C81D83F 5 Bytes  JMP 02C60F69

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreateNamedPipeW                                                                           7C82F0DD 5 Bytes  JMP 02C60FDE

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreateNamedPipeA                                                                           7C860CDC 5 Bytes  JMP 02C60025

      .text           C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!WinExec                                                                                    7C86250D 5 Bytes  JMP 02C600A5

      .text           C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegOpenKeyExW                                                                              77DD6AAF 5 Bytes  JMP 02C50FAF

      .text           C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegCreateKeyExW                                                                            77DD776C 5 Bytes  JMP 02C50F43

      .text           C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegOpenKeyExA                                                                              77DD7852 5 Bytes  JMP 02C5000A

      .text           C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegOpenKeyW                                                                                77DD7946 5 Bytes  JMP 02C50FCA

      .text           C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegCreateKeyExA                                                                            77DDE9F4 5 Bytes  JMP 02C50F68

      .text           C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegOpenKeyA                                                                                77DDEFC8 5 Bytes  JMP 02C50FE5

      .text           C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegCreateKeyW                                                                              77DFBA55 2 Bytes  JMP 02C50F83

      .text           C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegCreateKeyW + 3                                                                         77DFBA58 2 Bytes  [E5, 8A] {IN EAX, 0x8a}

      .text           C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegCreateKeyA                                                                              77DFBCF3 5 Bytes  JMP 02C50F9E

      .text           C:\WINDOWS\Explorer.EXE[1768] msvcrt.dll!_wsystem                                                                                     77C2931E 5 Bytes  JMP 02B90036

      .text           C:\WINDOWS\Explorer.EXE[1768] msvcrt.dll!system                                                                                       77C293C7 5 Bytes  JMP 02B9001B

      .text           C:\WINDOWS\Explorer.EXE[1768] msvcrt.dll!_creat                                                                                       77C2D40F 5 Bytes  JMP 02B90000

      .text           C:\WINDOWS\Explorer.EXE[1768] msvcrt.dll!_open                                                                                        77C2F566 5 Bytes  JMP 02B90FEF

      .text           C:\WINDOWS\Explorer.EXE[1768] msvcrt.dll!_wcreat                                                                                      77C2FC9B 5 Bytes  JMP 02B90FB5

      .text           C:\WINDOWS\Explorer.EXE[1768] msvcrt.dll!_wopen                                                                                       77C30055 5 Bytes  JMP 02B90FD2

      .text           C:\WINDOWS\Explorer.EXE[1768] WININET.dll!InternetOpenA                                                                               3D95D6A8 5 Bytes  JMP 02B50FEF

      .text           C:\WINDOWS\Explorer.EXE[1768] WININET.dll!InternetOpenW                                                                               3D95DB21 5 Bytes  JMP 02B5000A

      .text           C:\WINDOWS\Explorer.EXE[1768] WININET.dll!InternetOpenUrlA                                                                            3D95F3BC 5 Bytes  JMP 02B5001B

      .text           C:\WINDOWS\Explorer.EXE[1768] WININET.dll!InternetOpenUrlW                                                                            3D9A6DFF 5 Bytes  JMP 02B5002C

      .text           C:\WINDOWS\Explorer.EXE[1768] SHELL32.dll!StrStrW                                                                                     7C9CEE90 8 Bytes  [E0, 10, 60, 19, 00, 11, 60, ...] {LOOPNZ 0x12; PUSHA ; SBB [EAX], EAX; ADC [EAX+0x19], ESP}

      .text           C:\WINDOWS\Explorer.EXE[1768] WS2_32.dll!socket                                                                                       71AB4211 5 Bytes  JMP 02B60FEF

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] ntdll.dll!NtCreateFile                                                                    7C90D0AE 5 Bytes  JMP 00E20FEF

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] ntdll.dll!NtCreateProcess                                                                 7C90D14E 5 Bytes  JMP 00E2000A

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] ntdll.dll!NtProtectVirtualMemory                                                          7C90D6EE 5 Bytes  JMP 00E20FD4

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!CreateFileA                                                                  7C801A28 5 Bytes  JMP 00E7000A

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!VirtualProtectEx                                                             7C801A61 5 Bytes  JMP 00E700A2

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!VirtualProtect                                                               7C801AD4 5 Bytes  JMP 00E70087

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!LoadLibraryExW                                                               7C801AF5 5 Bytes  JMP 00E70076

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!LoadLibraryExA                                                               7C801D53 5 Bytes  JMP 00E70FB9

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!LoadLibraryA                                                                 7C801D7B 5 Bytes  JMP 00E70FE5

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!GetStartupInfoW                                                              7C801E54 5 Bytes  JMP 00E70F5C

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!GetStartupInfoA                                                              7C801EF2 5 Bytes  JMP 00E70F77

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!CreateProcessW                                                               7C802336 5 Bytes  JMP 00E700EB

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!CreateProcessA                                                               7C80236B 5 Bytes  JMP 00E700DA

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!GetProcAddress                                                               7C80AE40 5 Bytes  JMP 00E70F37

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!LoadLibraryW                                                                 7C80AEEB 5 Bytes  JMP 00E70FD4

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!CreateFileW                                                                  7C810800 5 Bytes  JMP 00E70025

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!CreatePipe                                                                   7C81D83F 5 Bytes  JMP 00E70F92

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!CreateNamedPipeW                                                             7C82F0DD 5 Bytes  JMP 00E7005B

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!CreateNamedPipeA                                                             7C860CDC 5 Bytes  JMP 00E70036

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] kernel32.dll!WinExec                                                                      7C86250D 5 Bytes  JMP 00E700BF

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] msvcrt.dll!_wsystem                                                                       77C2931E 5 Bytes  JMP 00E50058

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] msvcrt.dll!system                                                                         77C293C7 5 Bytes  JMP 00E5003D

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] msvcrt.dll!_creat                                                                         77C2D40F 5 Bytes  JMP 00E50022

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] msvcrt.dll!_open                                                                          77C2F566 5 Bytes  JMP 00E50000

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] msvcrt.dll!_wcreat                                                                        77C2FC9B 5 Bytes  JMP 00E50FCD

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] msvcrt.dll!_wopen                                                                         77C30055 5 Bytes  JMP 00E50011

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] ADVAPI32.dll!RegOpenKeyExW                                                                77DD6AAF 5 Bytes  JMP 00E60FCA

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] ADVAPI32.dll!RegCreateKeyExW                                                              77DD776C 5 Bytes  JMP 00E60051

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] ADVAPI32.dll!RegOpenKeyExA                                                                77DD7852 5 Bytes  JMP 00E60FE5

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] ADVAPI32.dll!RegOpenKeyW                                                                  77DD7946 5 Bytes  JMP 00E6001B

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] ADVAPI32.dll!RegCreateKeyExA                                                              77DDE9F4 5 Bytes  JMP 00E60F9E

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] ADVAPI32.dll!RegOpenKeyA                                                                  77DDEFC8 5 Bytes  JMP 00E6000A

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] ADVAPI32.dll!RegCreateKeyW                                                                77DFBA55 5 Bytes  JMP 00E60040

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] ADVAPI32.dll!RegCreateKeyA                                                                77DFBCF3 5 Bytes  JMP 00E60FB9

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] WS2_32.dll!socket                                                                         71AB4211 5 Bytes  JMP 00E40FEF

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] WININET.dll!InternetOpenA                                                                 3D95D6A8 5 Bytes  JMP 00E30FEF

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] WININET.dll!InternetOpenW                                                                 3D95DB21 5 Bytes  JMP 00E30FD4

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] WININET.dll!InternetOpenUrlA                                                              3D95F3BC 5 Bytes  JMP 00E30FC3

      .text           C:\Program Files\Messenger\MSMSGS.EXE[2036] WININET.dll!InternetOpenUrlW                                                              3D9A6DFF 5 Bytes  JMP 00E30014

       

      ---- User IAT/EAT - GMER 1.0.15 ----

       

      IAT             C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1244] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW]  [0040A4B0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

      IAT             C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1244] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA]      [0040A510] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

       

      ---- Devices - GMER 1.0.15 ----

       

      AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

      AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                              mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

      AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                             mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

      AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                             mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

      AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                           mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

       

      ---- EOF - GMER 1.0.15 ----
