Google/search engine redirect

21 replies to this topic

#1 seminolegirl850
  • Members
  • 70 posts

Posted 01 August 2009 - 01:47 PM

When I do a search using Google, any results get redirected to random websites. If I close down my browser and restart, sometimes it will let me go to a search page at first, then redirect after that. This was also happening with Yahoo. Only after I searched from another search engine did I realize that this may be a virus. I completed McAfee, SuperAntiSpyware and Malwarebytes scans. (I have Windows XP and use Firefox for internet)

Here is my Malwarebytes log:
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

8/1/2009 12:01:50 PM
mbam-log-2009-08-01 (12-01-50).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 155338
Time elapsed: 26 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here is my SuperAntiSpyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/01/2009 at 01:12 PM

Application Version : 4.27.1000

Core Rules Database Version : 4032
Trace Rules Database Version: 1972

Scan type : Complete Scan
Total Scan Time : 01:03:35

Memory items scanned : 479
Memory threats detected : 0
Registry items scanned : 6354
Registry threats detected : 0
File items scanned : 55856
File threats detected : 0

After I ran these two, I ran the McAfee scan again; it found 1 potentially harmful item and removed it. I restarted, went to Google, and it was still redirecting. What should I do next?


#2 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 01 August 2009 - 02:07 PM

Will MBAM update?

Use the update tab

Please download Malwarebytes Anti-Malware (v1.39) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#3 seminolegirl850
  • Topic Starter
  • Members
  • 70 posts

Posted 02 August 2009 - 09:11 AM

Yes, MBAM will update. I updated and performed the Quick Scan, and no items were found. Here is the log:

Malwarebytes' Anti-Malware 1.39
Database version: 2546
Windows 5.1.2600 Service Pack 3

8/2/2009 10:04:03 AM
mbam-log-2009-08-02 (10-04-03).txt

Scan type: Quick Scan
Objects scanned: 97592
Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

It is still redirecting. What should I do next?

#4 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 02 August 2009 - 09:58 AM

Please read and follow all these instructions very carefully.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).


#5 seminolegirl850
  • Topic Starter
  • Members
  • 70 posts

Posted 02 August 2009 - 12:20 PM

Here it is:

GooredFix by jpshortstuff (12.07.09)
Log created at 13:15 on 02/08/2009 (Ms.Miko)
Firefox version 3.0.12 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [22:42 28/08/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [14:00 03/10/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [14:13 19/06/2009]

-=E.O.F=-

#6 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 02 August 2009 - 12:33 PM

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#7 seminolegirl850
  • Topic Starter
  • Members
  • 70 posts

Posted 02 August 2009 - 12:41 PM

Here it is (and thanks for getting back to me so quickly!):

SmitFraudFix v2.423

Scan done at 13:34:53.32, Sun 08/02/2009
Run from C:\Documents and Settings\Ms.Miko\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ms.Miko\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Ms.Miko


C:\DOCUME~1\MS7F8D~1.MIK\LOCALS~1\Temp


C:\Documents and Settings\Ms.Miko\Application Data


Start Menu


C:\DOCUME~1\MS7F8D~1.MIK\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 68.87.74.166
DNS Server Search Order: 68.87.68.166

HKLM\SYSTEM\CCS\Services\Tcpip\..\{31A7643F-3E4F-4CAB-8043-1D24699053DE}: DhcpNameServer=68.87.74.166 68.87.68.166
HKLM\SYSTEM\CS1\Services\Tcpip\..\{31A7643F-3E4F-4CAB-8043-1D24699053DE}: DhcpNameServer=68.87.74.166 68.87.68.166
HKLM\SYSTEM\CS2\Services\Tcpip\..\{31A7643F-3E4F-4CAB-8043-1D24699053DE}: DhcpNameServer=68.87.74.166 68.87.68.166
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.74.166 68.87.68.166
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.74.166 68.87.68.166
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.74.166 68.87.68.166


Scanning for wininet.dll infection


End

#8 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 02 August 2009 - 01:37 PM

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
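GMER reports every hook it finds either with the owning driver's path and vendor string in parentheses, or with only a bare hex address when no loaded module accounts for the target. As an added example (not part of this thread and not GMER's own tooling), the following Python script parses lines in that format, separates the hooks GMER could attribute from the ones it could not, and lists which modules own the attributed hooks; the sample log is constructed here, modelled on the log posted later in this thread. An unattributed hook is a lead for the helper to look at next, not proof of infection on its own.

```python
"""Triage a GMER hook listing: which hooks map to a named module, which do not.

GMER writes three kinds of hook lines (constructed samples below, modelled on
the log posted later in this thread):
  System section:   "Code <owner or bare address> <Function> [0xADDR]"
  Kernel/user code: "<section> <module>!<Function> <addr> <n> Bytes JMP <target> [owner]"
When GMER can map the hook target to a loaded module it prints the module path
and the vendor string in parentheses; a bare hex address means no module
accounts for that code.  Those unattributed hooks are the ones worth a closer
look, which is what this script separates out.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input in GMER 1.0.15 format (a few lines of each section).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB185D9AA]
Code 8A1A6B90 ZwEnumerateKey
Code 89EECEFE ZwSaveKey
Code 8A0E8AF6 IofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 8A0E8AFB
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP B185DA31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 8A1A6B94

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DD0F9E
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
# SSDT entry: owner (module path + vendor, or a bare address), function, optional [0x...]
SSDT_RE = re.compile(r"^Code\s+(?P<target>.+?)\s+(?P<func>\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?$")
# Inline patch: section, "<module>!<func>", address, length, and what was written there
INLINE_RE = re.compile(
    r"^(?P<sect>\S+)\s+(?P<where>.+?)!(?P<func>\w+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<n>\d+)\s+Bytes\s+(?P<patch>.+)$"
)
# A module path (.sys/.dll/.exe) optionally followed by GMER's "(description/vendor)"
OWNER_RE = re.compile(r"(\S+\.(?:sys|dll|exe))\s*(\([^)]*\))?", re.I)


@dataclass
class Hook:
    section: str            # "System", "Kernel code sections" or "User code sections"
    function: str           # hooked routine, e.g. ZwEnumerateKey
    location: str           # module (and process) whose code was patched; "" for SSDT entries
    owner: Optional[str]    # module GMER attributed the hook to, None if unmapped

    @property
    def unattributed(self) -> bool:
        return self.owner is None


def attribution(text: str) -> Optional[str]:
    """Return the owner string GMER printed (path + vendor), or None for a bare address."""
    m = OWNER_RE.search(text)
    return m.group(0) if m else None


def parse_gmer(text: str) -> list:
    """Turn GMER's hook lines into Hook records, tracking the current section."""
    hooks, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := SSDT_RE.match(line):
            hooks.append(Hook(section, m["func"], "", attribution(m["target"])))
        elif m := INLINE_RE.match(line):
            # Only the patch text (after "JMP <addr>") tells us who owns the hook;
            # the module on the left is the one that was patched, not the author.
            hooks.append(Hook(section, m["func"], m["where"], attribution(m["patch"])))
    return hooks


def triage(hooks: list) -> dict:
    """Split hooks into those mapped to a module and those pointing at bare addresses."""
    out = {"attributed": [], "unattributed": []}
    for h in hooks:
        out["unattributed" if h.unattributed else "attributed"].append(h)
    return out


def owners(hooks: list) -> set:
    """Distinct file names that own attributed hooks (typically one security driver)."""
    return {h.owner.split(" (")[0].rsplit("\\", 1)[-1].lower() for h in hooks if h.owner}


if __name__ == "__main__":
    result = triage(parse_gmer(SAMPLE_LOG))
    print("Hooks attributed to:", ", ".join(sorted(owners(result["attributed"]))))
    print("Hooks GMER could not attribute (review these first):")
    for h in result["unattributed"]:
        print(f"  [{h.section}] {h.function:<22} at {h.location or 'SSDT'}")
```

Run over the full log posted later in this thread, the same split separates the many hooks owned by McAfee's mfehidk.sys from the few kernel hooks (ZwEnumerateKey, ZwFlushInstructionCache, ZwSaveKey, ZwSaveKeyEx, IofCallDriver, IofCompleteRequest) that jump to unnamed addresses.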

#9 seminolegirl850
  • Topic Starter
  • Members
  • 70 posts

Posted 02 August 2009 - 03:22 PM

Here is the gmer log:

GMER 1.0.15.15011 [g1zcjkpn.exe] - http://www.gmer.net
Rootkit scan 2009-08-02 16:16:02
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB185D9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB185DA41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB185D958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB185D96C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB185DA55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB185DA81]
Code 8A1A6B90 ZwEnumerateKey
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB185DAD9]
Code 8A1993C8 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB185D9EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB185DB1E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB185DA2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB185D930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB185D944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB185D9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB185DB5A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB185DAC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB185DAAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB185DA6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB185DB46]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB185DB32]
Code 89EECEFE ZwSaveKey
Code 8A182526 ZwSaveKeyEx
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB185D996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB185D982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB185DA97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB185DA19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB185DB08]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB185DA00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB185D9D4]
Code 8A0E8AF6 IofCallDriver
Code 89E8D966 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 8A0E8AFB
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 89E8D96B
.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP B185D9D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP B185DA31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP B185DAB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP B185D9AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP B185D986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP B185DA45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP B185DB5E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 8A1A6B94
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP B185D934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP B185D9C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP B185DA9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP B185DA04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP B185D9EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 8A1993CC
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP B185D970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP B185DA1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP B185D948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP B185DB22 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP B185DADD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP B185DA85 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP B185DA59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP B185D95C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD17 5 Bytes JMP B185D99A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064D9DA 7 Bytes JMP B185DB0C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E300 7 Bytes JMP B185DAC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E77C 7 Bytes JMP B185DA6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064EC71 5 Bytes JMP B185DB36 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSaveKey 8064ED72 5 Bytes JMP 89EECF02
PAGE ntoskrnl.exe!ZwSaveKeyEx 8064EE5D 5 Bytes JMP 8A18252A
PAGE ntoskrnl.exe!ZwReplaceKey 8064F0DC 5 Bytes JMP B185DB4A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0098
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0073
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0062
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0FA5
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0036
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE00D0
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0F7E
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE0F59
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE00F2
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE0F48
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0047
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE000A
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE00A9
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0025
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE00E1
.text C:\WINDOWS\system32\svchost.exe[332] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[332] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0FAF
.text C:\WINDOWS\system32\svchost.exe[332] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0036
.text C:\WINDOWS\system32\svchost.exe[332] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[332] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0FC0
.text C:\WINDOWS\system32\svchost.exe[332] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[332] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF006C
.text C:\WINDOWS\system32\svchost.exe[332] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0051
.text C:\WINDOWS\system32\svchost.exe[332] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0055
.text C:\WINDOWS\system32\svchost.exe[332] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\system32\svchost.exe[332] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0033
.text C:\WINDOWS\system32\svchost.exe[332] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[332] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0044
.text C:\WINDOWS\system32\svchost.exe[332] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0018
.text C:\WINDOWS\system32\svchost.exe[332] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[332] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\svchost.exe[332] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[332] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 00BC0040
.text C:\WINDOWS\system32\svchost.exe[332] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[500] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DE0000
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DE0F7E
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DE0073
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DE0FA5
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DE0062
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DE0047
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DE00AB
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DE009A
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DE00E1
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DE00D0
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DE0F2D
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DE0FC0
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DE001B
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DE0F6D

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\vsfocesemdxvnt.sys (*** hidden *** ) [SYSTEM] vsfocevpyfrbnb <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb@imagepath \systemroot\system32\drivers\vsfocesemdxvnt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocesemdxvnt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\modules@vsfocecmd.dll \systemroot\system32\vsfocenqwmcrlq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\modules@vsfocelog.dat \systemroot\system32\vsfocedylrjiee.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\modules@vsfocewsp.dll \systemroot\system32\vsfocecfmoufwu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\modules@vsfoce.dat \systemroot\system32\vsfocejglmrfti.dat
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb@imagepath \systemroot\system32\drivers\vsfocesemdxvnt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb\main@aid 10096
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocesemdxvnt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb\modules@vsfocecmd.dll \systemroot\system32\vsfocenqwmcrlq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb\modules@vsfocelog.dat \systemroot\system32\vsfocedylrjiee.dat
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb\modules@vsfocewsp.dll \systemroot\system32\vsfocecfmoufwu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocevpyfrbnb\modules@vsfoce.dat \systemroot\system32\vsfocejglmrfti.dat

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\vsfocesemdxvnt.sys 64000 bytes <-- ROOTKIT !!!
File C:\WINDOWS\system32\vsfocecfmoufwu.dll 18432 bytes
File C:\WINDOWS\system32\vsfocedylrjiee.dat 39135 bytes
File C:\WINDOWS\system32\vsfocejglmrfti.dat 91 bytes
File C:\WINDOWS\system32\vsfocenqwmcrlq.dll 38912 bytes
File C:\WINDOWS\Temp\vsfoceosidwfpxdk.tmp 91 bytes
File C:\WINDOWS\Temp\vsfocewmsupauvxy.tmp 91 bytes

---- EOF - GMER 1.0.15 ----

#10 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 02 August 2009 - 04:17 PM

One more rootkit scanner please

http://rootrepeal.googlepages.com/

http://rootrepeal.googlepages.com/RootRepeal.zip

or

http://ad13.geekstogo.com/RootRepeal.zip

Just use the file tab at the bottom, scan and paste the report into a reply here please


When the file scan completes, go to this line and highlight it:

File C:\WINDOWS\system32\drivers\vsfocesemdxvnt.sys

Right-click and select wipe file

Now reboot and run a scan with MBAM

It's critical that you update MBAM first
Chewy

No. Try not. Do... or do not. There is no try.
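Added example (not from the thread, and not GMER's or RootRepeal's code): a small Python parser for the GMER log lines posted above, with the check a responder would want around the remediation in post #10. It assumes the standard x86 E9 rel32 encoding for the "5 Bytes JMP" entries (GMER does not print the patched bytes), treats GMER's "2 Bytes JMP" report for RegCreateKeyW as something to inspect by hand rather than decode, and groups the jump targets by 4 KiB page to show that each hooked DLL in svchost.exe[2168] jumps into its own page far below the DLLs' load addresses. Because post #10 wipes only the driver, service_artifacts() also pulls the image path and every "modules" value out of the hidden service's registry dump, so the later MBAM and RootRepeal results can be checked against that full list. The sample lines in SAMPLE_LOG are copied from the log above; the function names are this example's own.

```python
"""Parse GMER 1.0.15 log lines (hooks, hidden services, registry, files) and
sanity-check the inline JMP hooks it reports.  Added example, not code from
the thread or from GMER.  A "5 Bytes JMP" at an export's first instruction is
the classic x86 E9 rel32 detour; GMER does not print the patch bytes, so
encode_jmp/decode_jmp ASSUME that standard form."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# .text <process>[<pid>] <module>!<export>[ + <off>] <addr> <n> Bytes JMP <target> | [<hex>, ...]
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?\[\d+\]) (?P<module>\S+)!(?P<func>\S+)(?: \+ (?P<off>\d+))? "
    r"(?P<addr>[0-9A-F]{8}) (?P<n>\d+) Bytes (?:JMP (?P<target>[0-9A-F]{8})|\[(?P<raw>[0-9A-F, ]+)\])$")
SERVICE_RE = re.compile(r"^Service (?P<path>.+?) \((?P<flags>[^)]*)\) \[(?P<start>\w+)\] (?P<name>\S+)")
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes")
REG_RE = re.compile(r"^Reg (?P<key>[^@ ]+)(?:@(?P<value>\S+) (?P<data>.*))?$")

# Constructed sample: lines copied from the thread's GMER log above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[2168] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D90F8A
.text C:\WINDOWS\system32\svchost.exe[2168] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D90F28
.text C:\WINDOWS\system32\svchost.exe[2168] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D8000A
.text C:\WINDOWS\system32\svchost.exe[2168] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D80F97
.text C:\WINDOWS\system32\svchost.exe[2168] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F8, 88]
.text C:\Program Files\Canon\CAL\CALMAIN.exe[2504] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0069000A
Service C:\WINDOWS\system32\drivers\vsfocesemdxvnt.sys (*** hidden *** ) [SYSTEM] vsfocevpyfrbnb <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb@imagepath \systemroot\system32\drivers\vsfocesemdxvnt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\modules@vsfocecmd.dll \systemroot\system32\vsfocenqwmcrlq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocevpyfrbnb\modules@vsfocewsp.dll \systemroot\system32\vsfocecfmoufwu.dll
File C:\WINDOWS\system32\drivers\vsfocesemdxvnt.sys 64000 bytes <-- ROOTKIT !!!
File C:\WINDOWS\system32\vsfocecfmoufwu.dll 18432 bytes
"""

@dataclass
class Hook:
    process: str
    module: str
    func: str
    offset: int
    addr: int
    nbytes: int
    target: Optional[int]  # JMP destination, None for a raw byte patch
    raw: Optional[bytes]   # bytes GMER printed in [..], None for a JMP

def parse_gmer(text: str) -> dict:
    out = {"hooks": [], "services": [], "files": [], "registry": {}}
    for line in text.splitlines():
        line = line.strip().replace(" (not active ControlSet)", "")
        if m := HOOK_RE.match(line):
            out["hooks"].append(Hook(m["proc"], m["module"], m["func"], int(m["off"] or 0),
                                     int(m["addr"], 16), int(m["n"]),
                                     int(m["target"], 16) if m["target"] else None,
                                     bytes.fromhex(m["raw"].replace(",", "").replace(" ", "")) if m["raw"] else None))
        elif m := SERVICE_RE.match(line):
            out["services"].append({"name": m["name"], "path": m["path"], "start": m["start"],
                                    "hidden": "hidden" in m["flags"], "flagged": "ROOTKIT" in line})
        elif m := FILE_RE.match(line):
            out["files"].append({"path": m["path"], "size": int(m["size"]), "flagged": "ROOTKIT" in line})
        elif m := REG_RE.match(line):
            values = out["registry"].setdefault(m["key"], {})
            if m["value"]:
                values[m["value"]] = m["data"]
    return out

def encode_jmp(src: int, dst: int) -> bytes:
    """Bytes of a 5-byte E9 detour at src reaching dst (rel32 is relative to src + 5)."""
    return b"\xE9" + ((dst - (src + 5)) & 0xFFFFFFFF).to_bytes(4, "little")

def decode_jmp(src: int, patch: bytes) -> Optional[int]:
    """Inverse of encode_jmp; None if the bytes are not an E9 rel32."""
    if len(patch) != 5 or patch[0] != 0xE9:
        return None
    return (src + 5 + int.from_bytes(patch[1:], "little", signed=True)) & 0xFFFFFFFF

def stub_pages(hooks: List[Hook]) -> Dict[str, Dict[str, set]]:
    """process -> hooked module -> 4 KiB pages the JMPs land in.  In the log above each hooked
    DLL in svchost[2168] jumps into its own page (00D90xxx for kernel32, 00D80xxx for ADVAPI32)."""
    out: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for h in hooks:
        if h.target is not None:
            out[h.process][h.module].add(h.target >> 12)
    return out

def nonstandard_jmps(hooks: List[Hook]) -> List[Hook]:
    """JMP reports that cannot be a plain E9 rel32 (e.g. GMER's '2 Bytes JMP' line for
    RegCreateKeyW, paired with a '+ 3 ... [F8, 88]' raw patch): inspect these by hand."""
    return [h for h in hooks if h.target is not None and h.nbytes != 5]

def service_artifacts(parsed: dict) -> Dict[str, List[str]]:
    """Every file a hidden service's key points at (imagepath plus 'modules' values):
    the list to re-check after a clean-up that wiped only the driver."""
    base = r"HKLM\SYSTEM\CurrentControlSet\Services" + "\\"
    out = {}
    for svc in parsed["services"]:
        key = parsed["registry"].get(base + svc["name"], {})
        mods = parsed["registry"].get(base + svc["name"] + r"\modules", {})
        out[svc["name"]] = ([key["imagepath"]] if "imagepath" in key else []) + sorted(mods.values())
    return out

if __name__ == "__main__":
    p = parse_gmer(SAMPLE_LOG)
    print(service_artifacts(p), [(h.func, h.nbytes) for h in nonstandard_jmps(p["hooks"])])
```

Run stand-alone it prints the hidden service's file list and the JMP reports that need a manual look; pass a full GMER log instead of SAMPLE_LOG to get the same summary for a real case.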

#11 seminolegirl850
  • Topic Starter
  • Members
  • 70 posts

Posted 03 August 2009 - 12:32 PM

After I ran the Root Repeal scan, wiped the C:\WINDOWS... file and rebooted, something strange happened to the display clock on my screen. It will now only display military time! When I tried to go back into Root Repeal to pull up the scan log, I couldn't.

I updated and ran a MBAM scan. Here is the log:
Malwarebytes' Anti-Malware 1.39
Database version: 2550
Windows 5.1.2600 Service Pack 3

8/3/2009 1:22:26 PM
mbam-log-2009-08-03 (13-22-26).txt

Scan type: Quick Scan
Objects scanned: 97574
Time elapsed: 6 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 August 2009 - 04:36 PM

Run the rootrepeal file scan again and post the log
Chewy

No. Try not. Do... or do not. There is no try.

#13 seminolegirl850
  • Topic Starter
  • Members
  • 70 posts

Posted 03 August 2009 - 07:15 PM

Here it is:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/03 20:09
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\mcafee_qdud1avujezcnga
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_5wpkzlufcgubx1v
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_8tfujrgbpqgnbvp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_ehfadczc0x7m22k
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_sopm5wfagx7gzyf
Status: Allocation size mismatch (API: 4096, Raw: 0)

#14 seminolegirl850
  • Topic Starter
  • Members
  • 70 posts

Posted 05 August 2009 - 05:20 PM

The Google search appears to be working now, but my clock is still doing the weird time thing. It happened after one of those scans. I'm not sure how to fix it.

#15 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 05 August 2009 - 05:34 PM

Go to Regional and Language Options in Control Panel and use the Customize button, Time tab, and change it back from military time.

Smitfraudfix does it sometimes?

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

This thread got lost from the ones I was tracking, sorry about that.
Chewy

No. Try not. Do... or do not. There is no try.



