Search engine redirect


20 replies to this topic

#1 scotthk

Posted 07 March 2009 - 08:02 AM

I am having this exact same problem. I Googled "search engine redirect 209.85.171.9" and this was the only hit. I have run so many virus scan programs I've lost count. But I have not used SDFix. I will try that now. But here is my mbam log as of the latest scan:

Malwarebytes' Anti-Malware 1.34
Database version: 1824
Windows 5.1.2600 Service Pack 3

3/6/2009 8:33:35 AM
mbam-log-2009-03-06 (08-33-35).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 334022
Time elapsed: 2 hour(s), 12 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#2 rigel

Posted 07 March 2009 - 08:48 AM

Thanks let us know what it finds :thumbsup:

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 scotthk (Topic Starter)

Posted 07 March 2009 - 09:37 AM

I'd be happy to, except I can't get it to work.

I finally managed to download and open the file (after disabling McAfee, which kept zapping it). Then I rebooted into safe mode, clicked on the Start button, clicked on Run, typed C:\SDFix\RunThis.bat into the open field, clicked OK and... I got a message saying "Windows is running in safe mode. This special diagnostic mode of windows enables you to fix a problem..." the same message I got when I re-booted into safe mode in the first place.

SDFix isn't running. Any thoughts?

#4 rigel

Posted 07 March 2009 - 10:22 AM

Let's go with an on-line scan and then we can revisit sdfix.

Please perform a scan with Eset Onlinescan (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista Users be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab)".
  • Answer Yes to install and download the ActiveX controls that allows the scan to run.
  • Click Start. (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan to start the online scan. (this could take some time to complete)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.
  • Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.



#5 scotthk (Topic Starter)

Posted 07 March 2009 - 04:09 PM

Sorry it took so long (and thanks for your help as well). Here are the results from the online scan:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3917 (20090307)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=087836ece8d1af41b15c621d1537928b
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-07 06:53:43
# local_time=2009-03-07 01:53:43 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=641707
# found=0
# scan_time=11143

#6 rigel

Posted 07 March 2009 - 09:10 PM

No problem with time :thumbsup:

Are you using Firefox for your browser?
Please download ATF Cleaner by Atribune (alternate download link) and save it to your desktop. DO NOT use it yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



#7 scotthk (Topic Starter)

Posted 08 March 2009 - 09:54 AM

Here is the log from SUPERAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/08/2009 at 09:48 AM

Application Version : 4.25.1014

Core Rules Database Version : 3788
Trace Rules Database Version: 1745

Scan type : Complete Scan
Total Scan Time : 02:05:00

Memory items scanned : 251
Memory threats detected : 0
Registry items scanned : 6107
Registry threats detected : 0
File items scanned : 241633
File threats detected : 0


None of the scans have turned up anything. And surfing appears to be slowing down. AND, I've noticed the re-directs are happening not just on consumer search items. So it is a broader issue than what I first reported.

#8 rigel

Posted 08 March 2009 - 07:23 PM

Are you using Firefox for your browser?



#9 scotthk (Topic Starter)

Posted 09 March 2009 - 07:36 AM

Sorry. Yes. And no. I am using both IE and Firefox. Both show the same symptoms.

Also, I checked Yahoo! and have the same issue there but it redirects to a different IP address.

#10 rigel

Posted 09 March 2009 - 12:02 PM

Our next step:

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.



#11 scotthk (Topic Starter)

Posted 09 March 2009 - 06:53 PM

I think we may be on to something here. I got a warning about Rootkit issues. No clue what to do, but I presume that's where you come in :thumbsup:

Anyway, here's the (lengthy) log:

GMER 1.0.15.14878 - http://www.gmer.net
Rootkit scan 2009-03-09 19:49:07
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAADF39AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAADF3A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAADF3958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAADF396C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAADF3A55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAADF3A81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAADF3AEF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAADF3AD9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAADF39EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAADF3B1B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAADF3A2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAADF3930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAADF3944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAADF39BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAADF3B57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAADF3AC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAADF3AAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAADF3A6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAADF3B43]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAADF3B2F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAADF3996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAADF3982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAADF3A97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAADF3A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAADF3B05]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAADF3A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAADF39D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP AADF39D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP AADF39AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A7500 7 Bytes JMP AADF39EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8316 5 Bytes JMP AADF3A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA94 7 Bytes JMP AADF39C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1322 5 Bytes JMP AADF3934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15AE 5 Bytes JMP AADF3948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE0 5 Bytes JMP AADF3986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F6 7 Bytes JMP AADF3970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AC 5 Bytes JMP AADF395C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B6 5 Bytes JMP AADF399A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB6 5 Bytes JMP AADF3A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 8061854A 7 Bytes JMP AADF3AB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80618898 7 Bytes JMP AADF3A9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80618BC2 7 Bytes JMP AADF3B09 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619460 7 Bytes JMP AADF3AC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D34 7 Bytes JMP AADF3A6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A312 5 Bytes JMP AADF3A45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7A2 7 Bytes JMP AADF3A59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A972 7 Bytes JMP AADF3A85 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB52 7 Bytes JMP AADF3AF3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADBC 7 Bytes JMP AADF3ADD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B6E4 5 Bytes JMP AADF3A31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 8061BA0A 7 Bytes JMP AADF3B5B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8061BCCA 5 Bytes JMP AADF3B33 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8061C3BE 5 Bytes JMP AADF3B47 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C4D8 5 Bytes JMP AADF3B1F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100331F8
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[284] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10033140
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[284] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10032BA4
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[284] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10032404
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[284] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10032388
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[284] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100330F4
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0000
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC0F66
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0F8B
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC0F9C
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC005B
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC0040
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC0F29
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC0F3A
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC008C
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC0EF3
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FC0EE2
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FC0FC3
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FC0FEF
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FC0F55
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FC0FD4
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FC002F
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FC0F0E
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FA0FCA
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FA0F65
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FA001B
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FA0000
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FA0F80
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00FA002C
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FA0FA5
.text C:\WINDOWS\System32\svchost.exe[400] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006E0F97
.text C:\WINDOWS\System32\svchost.exe[400] msvcrt.dll!system 77C293C7 5 Bytes JMP 006E0FBC
.text C:\WINDOWS\System32\svchost.exe[400] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006E0011
.text C:\WINDOWS\System32\svchost.exe[400] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\System32\svchost.exe[400] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006E002C
.text C:\WINDOWS\System32\svchost.exe[400] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006E0000
.text C:\WINDOWS\System32\svchost.exe[400] ws2_32.dll!socket 71AB4211 5 Bytes JMP 006D0000
.text C:\WINDOWS\System32\svchost.exe[400] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\System32\svchost.exe[400] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\System32\svchost.exe[400] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\System32\svchost.exe[400] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\System32\svchost.exe[400] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\System32\svchost.exe[400] wininet.dll!InternetOpenA 7806C865 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\System32\svchost.exe[400] wininet.dll!InternetOpenW 7806CE99 5 Bytes JMP 00FB000A
.text C:\WINDOWS\System32\svchost.exe[400] wininet.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00FB0FD4
.text C:\WINDOWS\System32\svchost.exe[400] wininet.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00FB0FB9
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01220000
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01220F77
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01220F92
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0122006C
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01220051
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01220025
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01220091
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01220F55
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012200C7
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012200B6
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01220F13
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01220036
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01220FE5
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01220F66
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01220FAF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01220FD4
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01220F38
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01200FD2
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] msvcrt.dll!system 77C293C7 5 Bytes JMP 01200FE3
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01200038
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01200000
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01200053
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0120001D
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01210FCD
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01210FA1
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01210FDE
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0121000A
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01210FBC
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01210FEF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0121005E
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01210039
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[452] WS2_32.dll!socket 71AB4211 5 Bytes JMP 011F0000
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[620] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[620] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[620] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[620] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[620] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[620] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\system32\winlogon.exe[1084] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\system32\winlogon.exe[1084] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\system32\winlogon.exe[1084] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\system32\winlogon.exe[1084] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\system32\winlogon.exe[1084] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\system32\winlogon.exe[1084] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC007A
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0069
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC0058
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC0047
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC0FB6
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC0F59
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC0F74
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC0F23
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC0F3E
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FC0F12
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FC0FA5
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FC0011
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FC009F
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FC0022
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FC0FDB
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FC00BC
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FB0036
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FB007D
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FB0FDB
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FB001B
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FB006C
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FB000A
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00FB0FCA
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [1B, 89]
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FB0047
.text C:\WINDOWS\system32\services.exe[1128] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FA0031
.text C:\WINDOWS\system32\services.exe[1128] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FA0016
.text C:\WINDOWS\system32\services.exe[1128] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FA0FC1
.text C:\WINDOWS\system32\services.exe[1128] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\system32\services.exe[1128] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FA0FA6
.text C:\WINDOWS\system32\services.exe[1128] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FA0FD2
.text C:\WINDOWS\system32\services.exe[1128] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F9000A
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F50F46
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F5003B
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F50F61
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50F72
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F5000A
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F50073
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F50F2B
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F500B0
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F5009F
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F500C1
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F50F8D
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F50FD4
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F50056
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F50FA8
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F50FC3
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F50084
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F30FCA
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F3006C
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F3001B
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F30051
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F30FAF
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [13, 89]
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F30036
.text C:\WINDOWS\system32\lsass.exe[1140] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CF0FC8
.text C:\WINDOWS\system32\lsass.exe[1140] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CF0FE3
.text C:\WINDOWS\system32\lsass.exe[1140] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CF002E
.text C:\WINDOWS\system32\lsass.exe[1140] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CF000C
.text C:\WINDOWS\system32\lsass.exe[1140] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CF0049
.text C:\WINDOWS\system32\lsass.exe[1140] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CF001D
.text C:\WINDOWS\system32\lsass.exe[1140] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\system32\lsass.exe[1140] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\system32\lsass.exe[1140] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\system32\lsass.exe[1140] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\system32\lsass.exe[1140] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\system32\lsass.exe[1140] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\system32\lsass.exe[1140] wininet.dll!InternetOpenA 7806C865 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\lsass.exe[1140] wininet.dll!InternetOpenW 7806CE99 5 Bytes JMP 00F40FE5
.text C:\WINDOWS\system32\lsass.exe[1140] wininet.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00F40FD4
.text C:\WINDOWS\system32\lsass.exe[1140] wininet.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00F40FC3
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90F92
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90087
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90076
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90FB9
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90FCA
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90F53
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90F70
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C90F1D
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C90F38
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C90F0C
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C90051
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C90011
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C90F81
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C90FE5
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C9002C
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C900B6
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C70FD4
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C70F8D
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C70FE5
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C70011
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C70FA8
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00C70FB9
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [E7, 88] {OUT 0x88, EAX}
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C70040
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60031
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60FA6
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C60FD2
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C60FC1
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60FE3
.text C:\WINDOWS\system32\svchost.exe[1316] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[1316] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\system32\svchost.exe[1316] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\system32\svchost.exe[1316] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\system32\svchost.exe[1316] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\system32\svchost.exe[1316] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\system32\svchost.exe[1316] wininet.dll!InternetOpenA 7806C865 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1316] wininet.dll!InternetOpenW 7806CE99 5 Bytes JMP 00C80FDB
.text C:\WINDOWS\system32\svchost.exe[1316] wininet.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00C80FCA
.text C:\WINDOWS\system32\svchost.exe[1316] wininet.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00C80FAF
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DE0000
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DE0F4B
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DE0F5C
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DE0F79
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DE0F94
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DE0FA5
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DE0F30
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DE006C
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DE0F0B
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DE00AE
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00DE0EFA
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00DE0036
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00DE0FE5
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00DE0051
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00DE0FCA
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00DE001B
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00DE0093
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DC0FE5
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DC0073
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DC0036
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DC0011
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DC0062
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DC0000
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00DC0051
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DC0FCA
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DB0FCD
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DB0FDE
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DB0FEF
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DB0044
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DB0029
.text C:\WINDOWS\system32\svchost.exe[1396] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00DA0FEF
.text C:\WINDOWS\system32\svchost.exe[1396] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\system32\svchost.exe[1396] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\system32\svchost.exe[1396] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\system32\svchost.exe[1396] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\system32\svchost.exe[1396] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\system32\svchost.exe[1396] wininet.dll!InternetOpenA 7806C865 5 Bytes JMP 00DD0000
.text C:\WINDOWS\system32\svchost.exe[1396] wininet.dll!InternetOpenW 7806CE99 5 Bytes JMP 00DD0011
.text C:\WINDOWS\system32\svchost.exe[1396] wininet.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00DD0022
.text C:\WINDOWS\system32\svchost.exe[1396] wininet.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00DD0033
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02E00000
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02E00033
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02E00022
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02E00F48
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02E00F6F
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02E00FA5
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02E00066
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02E00055
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02E00EE8
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02E00081
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02E000A6
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02E00F80
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02E00FDB
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02E00044
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02E00011
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02E00FC0
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02E00F03
.text C:\WINDOWS\System32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 028E001B
.text C:\WINDOWS\System32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 028E0073
.text C:\WINDOWS\System32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 028E0FCA
.text C:\WINDOWS\System32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 028E000A
.text C:\WINDOWS\System32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 028E0058
.text C:\WINDOWS\System32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 028E0FEF
.text C:\WINDOWS\System32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 028E003D
.text C:\WINDOWS\System32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 028E002C
.text C:\WINDOWS\System32\svchost.exe[1544] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 028D0FA8
.text C:\WINDOWS\System32\svchost.exe[1544] msvcrt.dll!system 77C293C7 5 Bytes JMP 028D0FB9
.text C:\WINDOWS\System32\svchost.exe[1544] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 028D0FDE
.text C:\WINDOWS\System32\svchost.exe[1544] msvcrt.dll!_open 77C2F566 5 Bytes JMP 028D0000
.text C:\WINDOWS\System32\svchost.exe[1544] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 028D0029
.text C:\WINDOWS\System32\svchost.exe[1544] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 028D0FEF
.text C:\WINDOWS\System32\svchost.exe[1544] ws2_32.dll!socket 71AB4211 5 Bytes JMP 028C0000
.text C:\WINDOWS\System32\svchost.exe[1544] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\System32\svchost.exe[1544] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\System32\svchost.exe[1544] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\System32\svchost.exe[1544] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\System32\svchost.exe[1544] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\System32\svchost.exe[1544] wininet.dll!InternetOpenA 7806C865 5 Bytes JMP 02A70000
.text C:\WINDOWS\System32\svchost.exe[1544] wininet.dll!InternetOpenW 7806CE99 5 Bytes JMP 02A70011
.text C:\WINDOWS\System32\svchost.exe[1544] wininet.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02A70FDB
.text C:\WINDOWS\System32\svchost.exe[1544] wininet.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02A7002C
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80000
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80F70
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80065
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80054
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80F97
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80FA8
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80F27
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80F44
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80EFB
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80F16
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B800AF
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B80039
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B80F55
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B80FC3
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B80FD4
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B8008A
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B6001B
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B60F68
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B6000A
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B60FD4
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B60F83
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00B60F9E
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [D6, 88]
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B60FAF
.text C:\WINDOWS\System32\svchost.exe[1600] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B50FA3
.text C:\WINDOWS\System32\svchost.exe[1600] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B50038
.text C:\WINDOWS\System32\svchost.exe[1600] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B50FD9
.text C:\WINDOWS\System32\svchost.exe[1600] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B50000
.text C:\WINDOWS\System32\svchost.exe[1600] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B50FBE
.text C:\WINDOWS\System32\svchost.exe[1600] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B5001D
.text C:\WINDOWS\System32\svchost.exe[1600] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00B4000A
.text C:\WINDOWS\System32\svchost.exe[1600] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\System32\svchost.exe[1600] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\System32\svchost.exe[1600] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\System32\svchost.exe[1600] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\System32\svchost.exe[1600] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\System32\svchost.exe[1600] wininet.dll!InternetOpenA 7806C865 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\System32\svchost.exe[1600] wininet.dll!InternetOpenW 7806CE99 5 Bytes JMP 00B7000A
.text C:\WINDOWS\System32\svchost.exe[1600] wininet.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00B70FD4
.text C:\WINDOWS\System32\svchost.exe[1600] wininet.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00B7002F
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateFileA 7C801A28 3 Bytes JMP 010C0FEF
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateFileA + 4 7C801A2C 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!VirtualProtectEx 7C801A61 3 Bytes JMP 010C0087
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!VirtualProtectEx + 4 7C801A65 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!VirtualProtect 7C801AD4 3 Bytes JMP 010C0F92
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!VirtualProtect + 4 7C801AD8 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010C006C
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!LoadLibraryExA 7C801D53 3 Bytes JMP 010C0051
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!LoadLibraryExA + 4 7C801D57 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!LoadLibraryA 7C801D7B 3 Bytes JMP 010C0FCA
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!LoadLibraryA + 4 7C801D7F 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!GetStartupInfoW 7C801E54 3 Bytes JMP 010C00A9
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!GetStartupInfoW + 4 7C801E58 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010C0098
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateProcessW 7C802336 3 Bytes JMP 010C0F17
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateProcessW + 4 7C80233A 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateProcessA 7C80236B 3 Bytes JMP 010C0F32
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateProcessA + 4 7C80236F 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!GetProcAddress 7C80AE30 3 Bytes JMP 010C00D5
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!GetProcAddress + 4 7C80AE34 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!LoadLibraryW 7C80AEDB 3 Bytes JMP 010C0FAF
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!LoadLibraryW + 4 7C80AEDF 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 010C0000
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 010C0F77
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 010C002C
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 010C001B
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 010C00BA
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 010A0025
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 010A0F9E
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 010A0014
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 010A0FDE
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 010A005B
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 010A0FEF
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 010A0FB9
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [2A, 89]
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 010A0040
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01090058
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!system 77C293C7 5 Bytes JMP 01090FCD
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01090018
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01090FEF
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0109003D
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01090FDE
.text C:\WINDOWS\System32\svchost.exe[1656] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text C:\WINDOWS\System32\svchost.exe[1656] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\System32\svchost.exe[1656] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\System32\svchost.exe[1656] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\System32\svchost.exe[1656] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\System32\svchost.exe[1656] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\System32\svchost.exe[1656] wininet.dll!InternetOpenA 7806C865 5 Bytes JMP 010B0000
.text C:\WINDOWS\System32\svchost.exe[1656] wininet.dll!InternetOpenW 7806CE99 5 Bytes JMP 010B001B
.text C:\WINDOWS\System32\svchost.exe[1656] wininet.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 010B0036
.text C:\WINDOWS\System32\svchost.exe[1656] wininet.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 010B0FE5
.text C:\WINDOWS\system32\spoolsv.exe[1928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\system32\spoolsv.exe[1928] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\system32\spoolsv.exe[1928] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\system32\spoolsv.exe[1928] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\system32\spoolsv.exe[1928] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\system32\spoolsv.exe[1928] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2544] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2544] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2576] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2576] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2576] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2576] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2576] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[2628] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[2628] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[2628] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[2628] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[2628] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002388

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service system32\drivers\UACktetltnq.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACktetltnq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACktetltnq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACttoandgr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACmviqjesh.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACyrnjccek.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACaoylrdup.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACogixbreh.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACotfutjhc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACmxnwlrvo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACioinkjbq.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UAClxmjtqqb.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACudapmqsi.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACktetltnq.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACktetltnq.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACttoandgr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACmviqjesh.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACyrnjccek.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACaoylrdup.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACogixbreh.db
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACotfutjhc.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACmxnwlrvo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACioinkjbq.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UAClxmjtqqb.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACudapmqsi.log

---- EOF - GMER 1.0.15 ----

#12 rigel (FD-BC)

  • Members
  • 12,944 posts
  • Gender: Male
  • Location: South Carolina - USA

Posted 09 March 2009 - 09:11 PM

UACd.sys <-- ROOTKIT !!!

With this rootkit, I recommend moving to the HJT forums. One warning about rootkits.

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms, and they steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Let me know how you wish to proceed.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#13 scotthk (Topic Starter)

  • Members
  • 10 posts

Posted 10 March 2009 - 11:38 AM

Well phooey. I think we were preparing for this possibility but certainly aren't thrilled about it. The more I scanned and didn't find anything, the more I thought this might be the outcome. I do think we'll go the re-install route and I thank you very much for your help.

One question I have, though, is how did this happen in the first place? How can I make sure it doesn't happen again? Or is that just not going to be something I'll know the answer to?

#14 rigel (FD-BC)

  • Members
  • 12,944 posts
  • Gender: Male
  • Location: South Carolina - USA

Posted 10 March 2009 - 01:49 PM

Infections come from many places.

You may have been the victim of a drive-by infection - you visited a site that became infected and hence started infecting others.

You may have visited a peer-to-peer site (p2p) that had infected downloads.

You may have downloaded some free screen saver or background that "added" more than you asked for.

You may have opened an email that had a malicious link / attachment.

You may have been using one of the instant messengers and accepted a file that had an infection.

There are several ways to become infected. The best bet is a good defense - updates / firewall / antivirus / antispyware

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#15 scotthk (Topic Starter)

  • Members
  • 10 posts

Posted 10 March 2009 - 03:44 PM

OK. Yeah I know all that. We had McAfee on the computer . . . clearly some of these things get by the scans. This one escaped Malware and SUPERAntiSpyWare both . . . among others.


I'm pretty sure the Windows XP CD I have is a few years old. Is there any way to hang onto the updates somehow so I don't have to download them all from the internet again?



