> [Resolved] Slow computer IE and MS Access start
Mats
post Jun 30 2009, 03:36 AM
Post #1


Authentic Member
**

Group: Authentic Member
Posts: 23
Joined: 30-June 09
Member No.: 86,477
Operating System: Windows XP



Hi

My computer is very slow in starting. It takes forever. When I run the new IE 8 it waits for several seconds before showing the little hand over a link. It also takes several seconds to start Microsoft Access, which I do frequently. On my older laptop (a much slower computer) this goes very quickly.

I have made a log with HiJackThis. Can anyone see any problems here?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:43, on 2009-06-30
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\Google\Update\GoogleUpdate.exe
C:\Program\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program\Network Associates\Common Framework\FrameworkService.exe
C:\Program\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\Telia\Supportassistent\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program\QuickTime\QTTask.exe
C:\Program\Network Associates\Common Framework\UdaterUI.exe
C:\Program\HP\hpcoretech\hpcmpmgr.exe
C:\Program\Canon\CAL\CALMAIN.exe
C:\Program\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
C:\Program\Network Associates\Common Framework\McTray.exe
C:\Program\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Windows Media Player\WMPNSCFG.exe
C:\Program\Digital Line Detect\DLG.exe
C:\Program\Personal\bin\Personal.exe
C:\Program\Plustek\OpticFilm 7200i\QuickScan.exe
C:\Program\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program\HP\hpcoretech\comp\hptskmgr.exe
C:\Program\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program\Trend Micro\HijackThis\HijackThis.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [PDUiP6700DMon] C:\Program\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Snabbstarta.lnk = C:\Program\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O4 - Global Startup: QuickScan (OpticFilm 7200i).lnk = C:\Program\Plustek\OpticFilm 7200i\QuickScan.exe
O4 - Global Startup: Windows Search.lnk = C:\Program\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197449922828
O16 - DPF: {76392179-60A8-462D-8961-B95C14DAADF4} (PrintEngine ActiveX Control v4.2) - https://eredovisning.plusgirot.se/ddrint/co...printengine.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c8e0e320912ea) (gupdate1c8e0e320912ea) - Google Inc. - C:\Program\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Qdpidblt - Sonic Solutions - (no file)
O23 - Service: SupportSoft Sprocket Service (telia) (sprtsvc_telia) - SupportSoft, Inc. - C:\Program\Telia\Supportassistent\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program\Delade filer\SupportSoft\bin\ssrc.exe

--
End of file - 11819 bytes
Replies (15 - 26)
Tomk
post Jul 8 2009, 07:08 AM
Post #16


Forum God
Group Icon

Group: Classroom Teacher
Posts: 11,249
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



Mats,

Logs are looking good. Let's see what Kaspersky has to say.
Mats
post Jul 8 2009, 07:20 AM
Post #17





Hi Tomk

I have been using my computer all day and it's slower than ever. Suddenly everything stops and the computer kind of hangs for a couple of seconds. Programs that used to start in milliseconds now take 4-6 seconds to start. I really hope Kaspersky can find something curable.

Best regards

Mats
Tomk
post Jul 8 2009, 08:58 AM
Post #18





Mats,

QUOTE
I really hope Kaspersky can find something curable.
Agreed. If I don't come up with anything malware related, I'll send you over to the Tech Team to tweak.
Mats
post Jul 8 2009, 03:56 PM
Post #19





Hi Tomk

Sorry, but nothing new came up. It seems I failed to remove one of the suspicious objects from the last scan, but I don't think this is so important since it is in an old email archive from 2000 - 2004 which I don't touch anymore.

Thank you for all your help

Mats

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, July 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, July 08, 2009 15:11:14
Records in database: 2443647
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 451077
Threat name: 1
Infected objects: 0
Suspicious objects: 1
Duration of the scan: 07:16:28


File name / Threat name / Threats count
C:\gamla mail\archive 2000-08 2004-06.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1

The selected area was scanned.
Tomk
post Jul 8 2009, 05:14 PM
Post #20





Mats,

Well let's see if Dr. Web can Cure it.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Mats
post Jul 9 2009, 02:40 AM
Post #21





Hi Tomk

DrWeb CureIt gives me a blue screen when I start to scan. I tried two times.

STOP: 0x0000007E (0x0000005, 0xF74589CC, 0xF790EC4C, 0xF790E948)
iastor.sys address F74589CC base at F7427000, Datestamp 40608C73

Mats
Tomk
post Jul 9 2009, 08:56 AM
Post #22





Mats,

Hmm.. Let's see if there is a hidden Rootkit somewhere.

Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.
  6. Double click on gmer.exe to run it.
  7. Select the Rootkit tab.
  8. On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  9. Select all drives that are connected to your system to be scanned.
  10. Click on the Scan button.
  11. When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  12. Open Notepad or a similar text editor.
  13. Paste the clipboard contents into the text editor.
  14. Save the Gmer scan log and post it in your next reply.


Note: Do not run any programs while Gmer is running.
Mats
post Jul 10 2009, 12:48 AM
Post #23





Hi Tomk

Gmer was running all night long. It finished and I pressed Copy and the log was copied to the clipboard. Then I started Notepad but nothing happened. I tried to press Alt-Ctrl-Delete to see what was going on but nothing happened. A dialog came up after a while saying that there were no free resources and the computer hung. I waited 5 minutes but nothing was possible to do so I restarted the computer and ran Gmer without scanning of files. The log from this is below. Anything interesting?

One question, I inserted a USB memory stick yesterday morning and it didn't autostart as usual. How can I turn this feature on again?

Best regards

Mats

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-10 08:39:28
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA8EB684B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA8EB67CB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA8EB6875]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA8EB67DF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA8EB680B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA8EB689F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA8EB67B7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA8EB685F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA8EB67F5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA8EB6821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA8EB6837]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA8EB68B5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA8EB6889]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80515A6A 7 Bytes JMP A8EB688D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80572BF4 5 Bytes JMP A8EB67BB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057791D 5 Bytes JMP A8EB67CF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8057C328 5 Bytes JMP A8EB684F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057DEF1 5 Bytes JMP A8EB68B9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E369 7 Bytes JMP A8EB68A3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581889 7 Bytes JMP A8EB6863 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 8058228C 7 Bytes JMP A8EB6825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E695 5 Bytes JMP A8EB683B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80591F8B 7 Bytes JMP A8EB680F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80593334 7 Bytes JMP A8EB67E3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0470 5 Bytes JMP A8EB6879 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 80655B78 7 Bytes JMP A8EB67F9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80000
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80F63
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F80F88
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80FA5
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80FB6
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F8003D
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F80F41
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F80089
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F80F26
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F800BF
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F800DA
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F8004E
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F8001B
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F80F52
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F8002C
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F80FDB
.text C:\WINDOWS\System32\svchost.exe[348] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F800A4
.text C:\WINDOWS\System32\svchost.exe[348] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00F70FB9
.text C:\WINDOWS\System32\svchost.exe[348] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00F70040
.text C:\WINDOWS\System32\svchost.exe[348] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00F70FD4
.text C:\WINDOWS\System32\svchost.exe[348] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\System32\svchost.exe[348] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00F70F83
.text C:\WINDOWS\System32\svchost.exe[348] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00F70000
.text C:\WINDOWS\System32\svchost.exe[348] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00F70F94
.text C:\WINDOWS\System32\svchost.exe[348] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [18, 89]
.text C:\WINDOWS\System32\svchost.exe[348] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00F7001B
.text C:\WINDOWS\System32\svchost.exe[348] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00F60064
.text C:\WINDOWS\System32\svchost.exe[348] msvcrt.dll!system 77C193C7 5 Bytes JMP 00F60049
.text C:\WINDOWS\System32\svchost.exe[348] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00F6001D
.text C:\WINDOWS\System32\svchost.exe[348] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00F60FE3
.text C:\WINDOWS\System32\svchost.exe[348] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00F6002E
.text C:\WINDOWS\System32\svchost.exe[348] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00F60000
.text C:\WINDOWS\System32\svchost.exe[348] WS2_32.dll!socket 71AA4211 5 Bytes JMP 00F50FEF
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01A80000
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01A80FA2
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01A80097
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01A80086
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01A80069
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01A8003D
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01A80F85
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01A800CD
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01A8010D
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01A80F74
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01A80F63
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01A8004E
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01A80FE5
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01A800B2
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01A80022
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01A80011
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01A800E8
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00710039
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 0071008A
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00710FDE
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00710014
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00710079
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00710FEF
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00710FCD
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [92, 88]
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 0071004A
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 0070004C
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] msvcrt.dll!system 77C193C7 5 Bytes JMP 00700FB7
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 0070001D
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00700FEF
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00700FC8
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00700000
.text C:\Program\Network Associates\Common Framework\FrameworkService.exe[400] WS2_32.dll!socket 71AA4211 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01240FEF
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01240060
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0124004F
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01240F75
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01240F86
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01240FA8
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01240F44
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0124008C
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01240F0E
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012400A7
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01240EE9
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01240F97
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0124000A
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0124007B
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01240FC3
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01240FD4
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01240F29
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 0123002C
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 01230F83
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 0123001B
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 01230000
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 01230F94
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 01230FEF
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 01230FA5
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [44, 89]
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 01230FC0
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 01220FA3
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!system 77C193C7 5 Bytes JMP 01220FBE
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 0122001D
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_open 77C1F566 5 Bytes JMP 01220FEF
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 0122002E
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 0122000C
.text C:\WINDOWS\system32\services.exe[764] WS2_32.dll!socket 71AA4211 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F1000A
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F1007D
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F10F88
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F10FAF
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F1006C
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F10FD4
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F100BC
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F100AB
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F10F48
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F100E1
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F10F37
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F1005B
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F1008E
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F10040
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F1001B
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F10F63
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00F00014
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00F00F9E
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00F00FB9
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00F00FDE
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00F0005B
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00F00040
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00F00025
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00EF0FB0
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!system 77C193C7 5 Bytes JMP 00EF0031
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00EF0FD2
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00EF0000
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00EF0FC1
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00EF0FE3
.text C:\WINDOWS\system32\lsass.exe[776] WS2_32.dll!socket 71AA4211 5 Bytes JMP 00EE000A
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02490000
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02490F77
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02490F92
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0249006C
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02490FAF
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02490047
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02490F3F
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetStartupInfoA 7C801EF2 3 Bytes JMP 02490F5A
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetStartupInfoA + 4 7C801EF6 1 Byte [85]
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02490F13
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024900AC
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024900C7
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02490FC0
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0249001B
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02490091
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0249002C
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02490FDB
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02490F2E
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00FF0058
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00FF0FA5
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00FF0047
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00FF0036
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00FE003B
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!system 77C193C7 5 Bytes JMP 00FE0FB0
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00FE0FD2
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00FE0FC1
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00FE000C
.text C:\WINDOWS\system32\svchost.exe[940] WS2_32.dll!socket 71AA4211 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E40F92
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E40087
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E4006C
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E4005B
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E40036
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E400B3
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E40F6B
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E40F2E
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E40F3F
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E40F13
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E40FAF
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E40FDB
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E400A2
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E40025
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E40FCA
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E40F50
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00E30040
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00E3006F
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00E3001B
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00E30FBC
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00E30FCD
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [04, 89] {ADD AL, 0x89}
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00E30FDE
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00E20FBC
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!system 77C193C7 5 Bytes JMP 00E2003D
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00E20011
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00E20022
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00E20FD7
.text C:\WINDOWS\system32\svchost.exe[1020] WS2_32.dll!socket 71AA4211 5 Bytes JMP 00E10000
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03130000
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03130F81
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03130F92
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03130076
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0313005B
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0313004A
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 031300B3
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 031300A2
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 031300E6
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 031300D5
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03130F32
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03130FB9
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03130FEF
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03130091
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03130FDE
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0313002F
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 031300C4
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 03120FDB
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 03120051
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 0312002C
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 0312001B
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 03120F9E
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 03120000
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 03120FAF
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [33, 8B]
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 03120FC0
.text C:\WINDOWS\System32\svchost.exe[1112] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 03110FA1
.text C:\WINDOWS\System32\svchost.exe[1112] msvcrt.dll!system 77C193C7 5 Bytes JMP 0311002C
.text C:\WINDOWS\System32\svchost.exe[1112] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 03110011
.text C:\WINDOWS\System32\svchost.exe[1112] msvcrt.dll!_open 77C1F566 5 Bytes JMP 03110FE3
.text C:\WINDOWS\System32\svchost.exe[1112] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 03110FBC
.text C:\WINDOWS\System32\svchost.exe[1112] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 03110000
.text C:\WINDOWS\System32\svchost.exe[1112] WS2_32.dll!socket 71AA4211 5 Bytes JMP 03100000
.text C:\WINDOWS\System32\svchost.exe[1112] WININET.dll!InternetOpenA 40C3D6C0 5 Bytes JMP 027C0FEF
.text C:\WINDOWS\System32\svchost.exe[1112] WININET.dll!InternetOpenW 40C3DB39 5 Bytes JMP 027C000A
.text C:\WINDOWS\System32\svchost.exe[1112] WININET.dll!InternetOpenUrlA 40C3F3D4 5 Bytes JMP 027C001B
.text C:\WINDOWS\System32\svchost.exe[1112] WININET.dll!InternetOpenUrlW 40C86DD7 5 Bytes JMP 027C0FCA
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006A0000
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006A0F5E
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006A005D
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006A0F83
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006A0F94
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006A0FAF
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006A0089
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006A0078
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006A0F15
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006A0F26
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006A00BF
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006A0040
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006A0FEF
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006A0F4D
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006A0025
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006A0FD4
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006A009A
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00690FB9
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00690047
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00690FD4
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 0069000A
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00690036
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00690FE5
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00690F94
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [8A, 88]
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 0069001B
.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00680FB9
.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!system 77C193C7 5 Bytes JMP 00680044
.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00680029
.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00680FEF
.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00680FD4
.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 0068000C
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00810000
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00810F83
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00810082
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00810F9E
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0081005B
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00810FC3
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00810F41
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00810F5C
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00810F1C
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008100BF
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008100D0
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0081004A
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00810FE5
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00810093
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00810025
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00810FD4
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008100AE
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00800FB9
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00800F86
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00800FD4
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 0080000A
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00800F97
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00800FE5
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 0080002F
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00800FA8
.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 007F0FA6
.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!system 77C193C7 5 Bytes JMP 007F0031
.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 007F0FD2
.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_open 77C1F566 5 Bytes JMP 007F0000
.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 007F0FB7
.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 007F0FE3
.text C:\WINDOWS\System32\svchost.exe[1292] WS2_32.dll!socket 71AA4211 5 Bytes JMP 007E0000
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EE0FE5
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EE0F81
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EE0076
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EE0FA8
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EE0FB9
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EE0047
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EE0F44
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EE0F5F
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EE0F11
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EE0F22
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EE0F00
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EE0FCA
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EE0000
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EE0F70
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EE0036
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EE001B
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EE0F33
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00ED0FDB
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00ED0F94
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00ED002C
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00ED001B
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00ED0FA5
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00ED0000
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00ED0FB6
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [0E, 89]
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00ED003D
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00EC0FC8
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] msvcrt.dll!system 77C193C7 5 Bytes JMP 00EC0FD9
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00EC002E
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00EC0000
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00EC0049
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00EC001D
.text C:\Program\Network Associates\Common Framework\naPrdMgr.exe[1364] WS2_32.dll!socket 71AA4211 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80FE5
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E80065
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E8004A
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E8002F
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E8001E
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E80F8D
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E8008A
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E80F44
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E80EF1
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E80F0C
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E800A5
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E80F7C
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E80FD4
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E80F55
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E80F9E
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E80FC3
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E80F27
.text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00E70040
.text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00E70F94
.text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00E70025
.text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00E70FB9
.text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00E7005B
.text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00E70FCA
.text C:\WINDOWS\system32\svchost.exe[1408] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00E60FA1
.text C:\WINDOWS\system32\svchost.exe[1408] msvcrt.dll!system 77C193C7 5 Bytes JMP 00E60022
.text C:\WINDOWS\system32\svchost.exe[1408] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00E60FCD
.text C:\WINDOWS\system32\svchost.exe[1408] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\svchost.exe[1408] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00E60FBC
.text C:\WINDOWS\system32\svchost.exe[1408] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00E60FDE
.text C:\WINDOWS\system32\svchost.exe[1408] WS2_32.dll!socket 71AA4211 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F54
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0F6F
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF003D
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0F80
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FA5
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F17

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A84C3D20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
Tomk
post Jul 10 2009, 08:44 AM
Post #24


Forum God

Group: Classroom Teacher
Posts: 11,249
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



Mats,

I'm just not seeing the issue. I think it's time you posted over in the Windows forum and see if the Tech Team can find the problem. When you do that, please provide a link there back to this thread so that they will have access to your logs here.

Meanwhile, Log looks good.


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Note the space between the X and the U, it needs to be there.

The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.


Please re-enable any security that was disabled.

Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.



The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved.
Mats
post Jul 10 2009, 09:19 AM
Post #25





OK

Thank you very much for all the help!

One last question: is it good to run TFC once in a while to remove temp files?

I will soon go on vacation so I will contact Tech team after holidays.

Happy summer

Mats
Tomk
post Jul 10 2009, 10:32 AM
Post #26





Mats,

I'd suggest that you run TFC once a month and follow with a Malwarebytes scan (updated of course) just to keep things running smoothly.
Tomk
post Jul 14 2009, 09:26 AM
Post #27





Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
