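4. Then I ran GMER. The GMER log is as follows. In the System and Kernel code sections every hook is attributed to McAfee's mfehidk.sys, and the McSvHost.exe hooks to McAfee's mcproxy.dll. The inline hooks in the svchost.exe processes show JMP targets with no owning module listed, and one driver entry, vxotynd.sys, is reported as "The system cannot find the file specified":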
***********************************************************************************************************************
GMER 1.0.15.15315 -
http://www.gmer.net
Rootkit scan 2010-10-14 09:30:27
Windows 5.1.2600 Service Pack 3
Running: 75iwy9qtGMER.exe; Driver: C:\DOCUME~1\LELIAO~1\LOCALS~1\Temp\pxtdipow.sys
---- System - GMER 1.0.15 ----
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF8585090]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF85850A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF85850D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF8585126]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF858507C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF8585054]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF8585068]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF85850BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF85850FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF85850E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF8585150]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF858513C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF8585110]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP F8585114 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D48 5 Bytes JMP F8585080 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 80570833 5 Bytes JMP F8585094 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805719AC 5 Bytes JMP F8585058 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572A6E 7 Bytes JMP F85850EA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP F8585140 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP F858512A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805824CC 5 Bytes JMP F8585154 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058E5C4 5 Bytes JMP F858506C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D64 7 Bytes JMP F85850D4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80595316 7 Bytes JMP F85850A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetSecurityObject 8059B1F3 5 Bytes JMP F8585100 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064EAEA 7 Bytes JMP F85850BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? vxotynd.sys The system cannot find the file specified. !
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF8A03760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF7524F80]
.reloc C:\WINDOWS\system32\drivers\acedrv11.sys section is executable [0xEEBB3480, 0x306DD, 0xE0000060]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[228] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\svchost.exe[228] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00EA0FD4
.text C:\WINDOWS\system32\svchost.exe[228] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EA0FE5
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90FE5
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E90F77
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E9006C
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E9005B
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E9004A
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90FA8
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E900B3
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E900A2
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E90F35
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E90F46
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E90F1A
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E9002F
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E90FCA
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E90087
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E90FB9
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E900C4
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E80FB9
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E80F61
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E80FD4
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E80FE5
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E80F72
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E80F8D
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [08, 89]
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E80FA8
.text C:\WINDOWS\system32\svchost.exe[228] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E7004E
.text C:\WINDOWS\system32\svchost.exe[228] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E7003D
.text C:\WINDOWS\system32\svchost.exe[228] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E70FD7
.text C:\WINDOWS\system32\svchost.exe[228] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\svchost.exe[228] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E7002C
.text C:\WINDOWS\system32\svchost.exe[228] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E70011
.text C:\WINDOWS\system32\svchost.exe[384] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\system32\svchost.exe[384] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B60FE5
.text C:\WINDOWS\system32\svchost.exe[384] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6001B
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B50F30
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B50F4B
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B50F5C
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B50F79
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B50F9E
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B5005D
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B50F15
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B50ED5
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B50EF0
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B50089
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B5001B
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B50FD4
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B50040
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B50FAF
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B5006E
.text C:\WINDOWS\system32\svchost.exe[384] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B40036
.text C:\WINDOWS\system32\svchost.exe[384] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B40F9E
.text C:\WINDOWS\system32\svchost.exe[384] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B40025
.text C:\WINDOWS\system32\svchost.exe[384] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B4000A
.text C:\WINDOWS\system32\svchost.exe[384] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B4005B
.text C:\WINDOWS\system32\svchost.exe[384] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[384] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B40FB9
.text C:\WINDOWS\system32\svchost.exe[384] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D4, 88] {AAM 0x88}
.text C:\WINDOWS\system32\svchost.exe[384] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B40FCA
.text C:\WINDOWS\system32\svchost.exe[384] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00010044
.text C:\WINDOWS\system32\svchost.exe[384] msvcrt.dll!system 77C293C7 5 Bytes JMP 00010029
.text C:\WINDOWS\system32\svchost.exe[384] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00010FDE
.text C:\WINDOWS\system32\svchost.exe[384] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00010FEF
.text C:\WINDOWS\system32\svchost.exe[384] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00010FB9
.text C:\WINDOWS\system32\svchost.exe[384] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00010018
.text C:\WINDOWS\system32\svchost.exe[708] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01940000
.text C:\WINDOWS\system32\svchost.exe[708] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01940022
.text C:\WINDOWS\system32\svchost.exe[708] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01940011
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01930000
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01930F59
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01930F74
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0193004E
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01930F91
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01930FB6
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0193007C
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0193006B
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01930EFE
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01930F19
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 019300BC
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0193003D
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01930FE5
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01930F34
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01930022
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01930011
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01930097
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0192002F
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01920080
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01920FDE
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01920FEF
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01920065
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01920000
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01920054
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01920FC3
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01910F9E
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!system 77C293C7 5 Bytes JMP 01910029
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01910FDE
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01910FEF
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01910FB9
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0191000C
.text C:\WINDOWS\system32\svchost.exe[708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01900FE5
.text C:\WINDOWS\system32\svchost.exe[708] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 018F000A
.text C:\WINDOWS\system32\svchost.exe[708] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 018F001B
.text C:\WINDOWS\system32\svchost.exe[708] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 018F0036
.text C:\WINDOWS\system32\svchost.exe[708] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 018F0047
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[768] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[768] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[956] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\System32\svchost.exe[956] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006D0FDE
.text C:\WINDOWS\System32\svchost.exe[956] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D0014
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006C000A
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006C0F65
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006C0F80
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006C0F9B
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006C0FAC
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006C003D
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006C00AD
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006C009C
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006C0F40
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006C00D9
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006C0F25
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006C0058
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006C001B
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006C007F
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006C002C
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006C00BE
.text C:\WINDOWS\System32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006B001B
.text C:\WINDOWS\System32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006B0F7C
.text C:\WINDOWS\System32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006B000A
.text C:\WINDOWS\System32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006B0FCA
.text C:\WINDOWS\System32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006B0F97
.text C:\WINDOWS\System32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006B0FEF
.text C:\WINDOWS\System32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006B0FA8
.text C:\WINDOWS\System32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyW + 4 77DFBA59 1 Byte [88]
.text C:\WINDOWS\System32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 3 Bytes JMP 006B0FB9
.text C:\WINDOWS\System32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyA + 4 77DFBCF7 1 Byte [88]
.text C:\WINDOWS\System32\svchost.exe[956] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006A0042
.text C:\WINDOWS\System32\svchost.exe[956] msvcrt.dll!system 77C293C7 5 Bytes JMP 006A0027
.text C:\WINDOWS\System32\svchost.exe[956] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006A0FC1
.text C:\WINDOWS\System32\svchost.exe[956] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006A0FEF
.text C:\WINDOWS\System32\svchost.exe[956] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006A0016
.text C:\WINDOWS\System32\svchost.exe[956] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006A0FDE
.text C:\WINDOWS\System32\svchost.exe[956] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00690FEF
.text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006C0062
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006C0051
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006C0F83
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006C0040
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006C0FAF
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006C0F26
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006C0F37
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006C0093
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006C0EFA
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006C00A4
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006C0F9E
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006C0000
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006C0F48
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006C0FC0
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006C0011
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006C0F0B
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006B0FAF
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006B0F68
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006B000A
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006B0FD4
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006B0F83
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006B0FEF
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW 77DFBA55 3 Bytes JMP 006B0025
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW + 4 77DFBA59 1 Byte [88]
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 3 Bytes JMP 006B0F9E