Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Google search on firefox, opera & IE bring up advertising

Post by pacificocean » February 1st, 2009, 5:10 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:43 PM, on 2/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\McAfee.com\Agent\mcagent.exe
F:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe
F:\WINDOWS\system32\igfxtray.exe
F:\WINDOWS\system32\hkcmd.exe
F:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Documents and Settings\Administrator\Application Data\Smilebox\SmileboxTray.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Program Files\eFax Messenger 4.3\J2GTray.exe
F:\Program Files\j2 Messenger 4.2\J2GTray.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\WINDOWS\system32\cisvc.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\system32\inetsrv\inetinfo.exe
F:\Program Files\Common Files\LightScribe\LSSrvc.exe
F:\Program Files\McAfee\SiteAdvisor\McSACore.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
f:\program files\common files\mcafee\mna\mcnasvc.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\McAfee\MPF\MPFSrv.exe
F:\Program Files\McAfee\MSK\MskSrver.exe
F:\WINDOWS\system32\HPZipm12.exe
F:\WINDOWS\system32\tcpsvcs.exe
F:\WINDOWS\System32\snmp.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\mqsvc.exe
F:\WINDOWS\system32\mqtgsvc.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
F:\WINDOWS\system32\cidaemon.exe
F:\WINDOWS\system32\cidaemon.exe
F:\Program Files\Safari\Safari.exe
F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - f:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - F:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - f:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - f:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] "F:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [LVCOMSX] "F:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "F:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [j2 4.2] "F:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [eFax 4.3] "F:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AppleSyncNotifier] F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [McENUI] F:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [NSSInstallation] F:\WINDOWS\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] F:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SmileboxTray] "F:\Documents and Settings\Administrator\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW4] "F:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "F:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax 4.3.lnk = F:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: j2 4.2.lnk = F:\Program Files\j2 Messenger 4.2\J2GTray.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://F:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://F:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://F:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - F:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - f:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: schmap-help - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - F:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - F:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - F:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - f:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - F:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - F:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - file:///F:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg
O24 - Desktop Component 1: (no name) - file:///F:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
O24 - Desktop Component 2: (no name) - http://www.lindagadbois.com/YELLOW-PARROT.jpg

--
End of file - 13395 bytes

I have used Firefox for a long time. Recently, whenever I do a search via Google, I get advertising sites, posing as, for example, craigslist, and not the site I was looking for or normally see. I uninstalled Firefox and re-installed it. Same problem. I installed Opera - same problem. IE, same problem. But not, so far, thank goodness, with Safari. Hope you can help me figure this out! Thank you so much.

PS - When I go to Start and System Tools - that folder is empty. Should it be?
pacificocean
Active Member
 
Posts: 3
Joined: February 1st, 2009, 4:59 pm
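As an added example that is not part of this thread (and not a MalwareRemoval.com or Trend Micro tool), the Python script below parses HijackThis-style entry lines like the ones in the log above and flags the entries a reviewer would normally check first: autostart commands that run from user-writable folders or as bare filenames, entries pointing at a missing file or CLSID, services with no owner information, and desktop components pulled from a remote URL. The sample log is constructed from a handful of the posted lines with the O24 URL replaced by a placeholder, and the flag rules are heuristics chosen for this example, so a flag marks a candidate for review, not a verdict.

```python
"""Triage helper for HijackThis-style entry lines (added example, not a
MalwareRemoval.com or Trend Micro tool). The flag rules are heuristics
chosen for this example; a flagged entry is a candidate for review,
not a verdict."""
import re
from dataclasses import dataclass, field

# Every HJT entry starts with a section tag such as R1, O4, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
# Registry autostarts: HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable in an unquoted command line (paths may contain spaces).
EXE_RE = re.compile(r"(.*?\.(?:exe|dll|scr|cpl|bat|cmd))(?:\s|$)", re.I)

# Where installed software normally lives (drive letter ignored, lower-case).
TRUSTED_DIRS = ("\\program files\\", "\\progra~1\\", "\\windows\\")
# User-writable places that rarely host legitimate autostart programs.
SUSPECT_DIRS = ("\\application data\\", "\\applic~1\\", "\\temp\\", "\\locals~1\\")


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def exe_path(cmd):
    """Return the program part of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def check_path(path, flags):
    """Flag autostart programs by where they are loaded from."""
    low = path.lower()
    if "\\" not in low:
        flags.append("bare filename, resolved through PATH at logon")
    elif any(d in low for d in SUSPECT_DIRS):
        flags.append("runs from a user-writable location")
    elif not any(d in low for d in TRUSTED_DIRS):
        flags.append("outside Program Files / Windows")


def triage_line(line):
    """Parse one log line; returns an Entry or None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = Entry(m.group("section"), m.group("body"))
    low = e.body.lower()
    if "no file" in low or "no clsid" in low:
        e.flags.append("references a missing file or CLSID")
    if e.section == "O4":
        rm = RUN_RE.match(e.body)
        if rm:
            check_path(exe_path(rm.group("cmd")), e.flags)
        elif e.body.endswith(".lnk = ?"):
            e.flags.append("startup shortcut whose target could not be resolved")
    elif e.section == "O23" and "unknown owner" in low:
        e.flags.append("service with no vendor information")
    elif e.section == "O24" and re.search(r" - https?://", e.body, re.I):
        e.flags.append("desktop component loaded from a remote URL")
    return e


def triage(log_text):
    """All parsed entries, in log order."""
    return [e for e in map(triage_line, log_text.splitlines()) if e]


def flagged(log_text):
    """Only the entries that earned at least one flag."""
    return [e for e in triage(log_text) if e.flags]


# Constructed sample: a handful of lines from the posted log; the O24 URL
# is replaced by a placeholder.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [SmileboxTray] "F:\Documents and Settings\Administrator\Application Data\Smilebox\SmileboxTray.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O18 - Protocol: schmap-help - (no CLSID) - (no file)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - F:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O24 - Desktop Component 2: (no name) - http://example.com/wallpaper.jpg
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section}: {e.body}\n    -> {'; '.join(e.flags)}")
```

Run it against a saved hijackthis.txt by replacing SAMPLE_LOG with the file's contents; entries that are not flagged still need comparison against a known-good reference, since a well-known path is no proof of a clean file.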

Re: Google search on firefox, opera & IE bring up advertising

Post by ndmmxiaomayi » February 25th, 2009, 9:54 am

Hi pacificocean,

Step 1

Please download DDS from Bleeping Computer and save it to your desktop.

Double click on dds to run it.

When done, DDS.txt will open. Another file, Attach.txt will open after a short while. Please save these 2 files to your desktop as they will be deleted once you close them.

Please attach Attach.txt in your next reply by scrolling down to Upload attachment and clicking on Browse....

[Image: screenshot of the Upload attachment section with the Browse... button, for reference]

Step 2

Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.

Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.

  • When done, you may receive another notice. Click OK.
  • Click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

If you receive no notice, click on the Scan button.

  • It will start scanning again.
  • When done, click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

Note: Do not run any programs while Gmer is running.

In your next reply, please post:

  1. DDS.txt
  2. Attach.txt (attached to this topic)
  3. Gmer.txt
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Google search on firefox, opera & IE bring up advertising

Post by pacificocean » February 25th, 2009, 12:43 pm

Thank you for your help. I hope I've done this correctly.

DDS.txt – Notepad

DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 7:51:10.39 on Wed 02/25/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.371 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
F:\Program Files\AVG\AVG8\avgrsx.exe
svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\McAfee.com\Agent\mcagent.exe
F:\WINDOWS\system32\igfxtray.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\PROGRA~1\AVG\AVG8\avgtray.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Documents and Settings\Administrator\Application Data\Smilebox\SmileboxTray.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
F:\Program Files\eFax Messenger 4.3\J2GTray.exe
F:\Program Files\j2 Messenger 4.2\J2GTray.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
F:\WINDOWS\system32\cisvc.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\system32\inetsrv\inetinfo.exe
F:\Program Files\Common Files\LightScribe\LSSrvc.exe
F:\Program Files\McAfee\SiteAdvisor\McSACore.exe
F:\PROGRA~1\AVG\AVG8\avgrsx.exe
F:\PROGRA~1\AVG\AVG8\avgnsx.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
f:\program files\common files\mcafee\mna\mcnasvc.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\McAfee\MPF\MPFSrv.exe
F:\Program Files\McAfee\MSK\MskSrver.exe
F:\WINDOWS\system32\HPZipm12.exe
F:\WINDOWS\system32\tcpsvcs.exe
F:\WINDOWS\System32\snmp.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\system32\mqsvc.exe
F:\WINDOWS\system32\mqtgsvc.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
F:\WINDOWS\system32\cidaemon.exe
F:\WINDOWS\system32\cidaemon.exe
F:\WINDOWS\system32\dllhost.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - f:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - f:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - f:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - f:\program files\mcafee\virusscan\scriptsn.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - f:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - f:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - f:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - f:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - f:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {C17590D2-ECB4-4B15-8820-F58798DCC118} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2] f:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [swg] f:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SmileboxTray] "f:\documents and settings\administrator\application data\smilebox\SmileboxTray.exe"
uRun: [Picasa Media Detector] f:\program files\picasa2\PicasaMediaDetector.exe
uRun: [MSMSGS] "f:\program files\messenger\msmsgs.exe" /background
uRun: [DW4] "f:\program files\the weather channel fw\desktop weather\DesktopWeather.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "f:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Aim6] "f:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Uniblue RegistryBooster 2009] f:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [TkBellExe] "f:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NeroFilterCheck] f:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [mcagent_exe] "f:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LVCOMSX] "f:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [LogitechCommunicationsManager] "f:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [j2 4.2] "f:\program files\j2 messenger 4.2\J2GDllCmd.exe" /R
mRun: [IgfxTray] f:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] f:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "f:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [eFax 4.3] "f:\program files\efax messenger 4.3\J2GDllCmd.exe" /R
mRun: [AppleSyncNotifier] f:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [McENUI] f:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [QuickTime Task] "f:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "f:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] f:\progra~1\avg\avg8\avgtray.exe
StartupFolder: f:\documents and settings\administrator\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - f:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - f:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\efax43~1.lnk - f:\program files\efax messenger 4.3\J2GTray.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\j242~1.lnk - f:\program files\j2 messenger 4.2\J2GTray.exe
IE: Add to Google Photos Screensa&ver - f:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - f:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://f:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://f:\program files\iespell\wikipedia.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - f:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: plaxo.com\www
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - f:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - f:\program files\avg\avg8\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - f:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\z1xxhayd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.my.yahoo.com
FF - component: f:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: f:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - plugin: f:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: f:\program files\google\picasa3\npPicasa2.dll
FF - plugin: f:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;f:\windows\system32\drivers\avgldx86.sys [2009-2-2 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;f:\windows\system32\drivers\avgmfx86.sys [2009-2-2 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;f:\windows\system32\drivers\avgtdix.sys [2009-2-2 107272]
R1 mfehidk;McAfee Inc. mfehidk;f:\windows\system32\drivers\mfehidk.sys [2007-2-6 207656]
R2 aawservice;Lavasoft Ad-Aware Service;f:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 avg8wd;AVG Free8 WatchDog;f:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-2 298264]
R2 Iprip;RIP Listener;f:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;f:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-4 206096]
R2 McProxy;McAfee Proxy Service;f:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-8-1 358736]
R2 McShield;McAfee Real-time Scanner;f:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-6 144704]
R3 McSysmon;McAfee SystemGuards;f:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-6 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;f:\windows\system32\drivers\mfeavfk.sys [2007-2-6 79240]
R3 mfebopk;McAfee Inc. mfebopk;f:\windows\system32\drivers\mfebopk.sys [2007-2-6 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;f:\windows\system32\drivers\mfesmfk.sys [2007-2-6 40488]
S3 mferkdk;McAfee Inc. mferkdk;f:\windows\system32\drivers\mferkdk.sys [2007-2-6 34152]
S3 TMPassthruMP;TMPassthruMP;f:\windows\system32\drivers\tmpassthru.sys --> f:\windows\system32\drivers\TMPassthru.sys [?]

=============== Created Last 30 ================


==================== Find3M ====================

2009-01-22 23:38 25,740,144 a------- F:\wmp11-windowsxp-x86-enu.exe
2009-01-19 00:50 55,876 a---h--- f:\windows\system32\mlfcache.dat
2009-01-05 14:33 3,751,995 a------- f:\windows\system32\GPhotos.scr
2009-01-03 19:49 20,660,760 a------- F:\SafariSetup.exe
2008-12-20 15:15 826,368 a------- f:\windows\system32\wininet.dll
2008-06-16 10:33 61,480 a------- f:\documents and settings\administrator\GoToAssistDownloadHelper.exe
2008-10-27 09:57 16,384 a--sh--- f:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-04 08:25 32,768 a--sh--- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat
2008-10-27 09:57 32,768 a--sh--- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102720081028\index.dat

============= FINISH: 7:52:24.65 ===============

(Here is GMER after I did the scan. I also copied it before scan if you need that - wasn't sure)


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-25 08:22:21
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEE3E49CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEE3E4A61]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEE3E4978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEE3E498C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEE3E4A75]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEE3E4AA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEE3E4B0F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEE3E4AF9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEE3E4A0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEE3E4B3B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEE3E4A4D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEE3E4950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEE3E4964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEE3E49DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEE3E4B77]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEE3E4AE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEE3E4ACD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEE3E4A8B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEE3E4B63]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEE3E4B4F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEE3E49B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEE3E49A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEE3E4AB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEE3E4A39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEE3E4B25]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEE3E4A20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEE3E49F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EE3E49F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP EE3E4A51 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP EE3E4AD1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP EE3E49CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP EE3E49A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP EE3E4A65 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP EE3E4B7B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 7 Bytes JMP EE3E4B13 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP EE3E4954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP EE3E49E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP EE3E4ABB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP EE3E4A24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP EE3E4A0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP EE3E4990 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP EE3E4A3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP EE3E4968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP EE3E4B3F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP EE3E4AFD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP EE3E4AA5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP EE3E4A79 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EE3E497C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DCF7 5 Bytes JMP EE3E49BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DA12 7 Bytes JMP EE3E4B29 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E338 7 Bytes JMP EE3E4AE7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E7B6 7 Bytes JMP EE3E4A8F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064ECA9 5 Bytes JMP EE3E4B53 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F112 5 Bytes JMP EE3E4B67 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000700B2
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070097
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070086
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FBD
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070044
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700EA
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700CD
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070127
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070116
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 0007014C
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0007005F
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070011
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070FAC
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070033
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070022
.text F:\WINDOWS\system32\services.exe[652] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070105
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0006002C
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060F94
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060011
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060000
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060FA5
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060FEF
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0006003D
.text F:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060FB6
.text F:\WINDOWS\system32\services.exe[652] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00000
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00FAF
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F0009A
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00FC0
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F0007D
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F00051
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F000D5
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F00F8D
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F000FA
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F00F57
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F0010B
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F00062
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F0001B
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F00F9E
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F00040
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F00FE5
.text F:\WINDOWS\system32\lsass.exe[664] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F00F72
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00EF0FB9
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00EF0051
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00EF000A
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00EF0FDE
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00EF0040
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00EF0FEF
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00EF002F
.text F:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00EF0F9E
.text F:\WINDOWS\system32\lsass.exe[664] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA0000
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E40FEF
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E40076
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E40065
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E40054
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E40F97
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E40FCD
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E400A2
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E40091
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E40F2E
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E400BD
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E40F13
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E40FB2
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E40014
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E40F70
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E40FDE
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E40025
.text F:\WINDOWS\system32\svchost.exe[820] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E40F3F
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E30FA8
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E30025
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E30FC3
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E30FD4
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E30F68
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E30FEF
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00E30F83
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 03, 89 ]
.text F:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E3000A
.text F:\WINDOWS\system32\svchost.exe[820] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CB0000
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DF0FE5
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DF0F88
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DF007D
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DF006C
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DF005B
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DF0FB9
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DF0F50
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DF0F61
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DF0F2E
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DF00C7
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00DF00E2
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00DF0040
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00DF000A
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00DF0098
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00DF0025
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00DF0FD4
.text F:\WINDOWS\system32\svchost.exe[876] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00DF0F3F
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DE003D
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DE0FAF
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DE0022
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DE0011
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DE0FC0
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DE0000
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00DE0FD1
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ FE, 88 ]
.text F:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DE0058
.text F:\WINDOWS\system32\svchost.exe[876] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DC0FEF
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02510FE5
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02510F63
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02510F88
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02510062
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02510051
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02510FAF
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02510090
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0251007F
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025100C6
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02510F23
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 025100D7
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02510036
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02510000
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02510F52
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02510FCA
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0251001B
.text F:\WINDOWS\System32\svchost.exe[948] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 025100A1
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02290FD4
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02290040
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02290025
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02290014
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02290F8D
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02290FEF
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02290F9E
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 49, 8A ]
.text F:\WINDOWS\System32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02290FB9
.text F:\WINDOWS\System32\svchost.exe[948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01460FEF
.text F:\WINDOWS\System32\svchost.exe[948] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 022A0FEF
.text F:\WINDOWS\System32\svchost.exe[948] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 022A0000
.text F:\WINDOWS\System32\svchost.exe[948] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 022A0FCA
.text F:\WINDOWS\System32\svchost.exe[948] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 022A0FAF
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00780FEF
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00780F48
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00780F63
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00780F74
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0078003D
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00780022
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00780084
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00780073
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00780EF5
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00780F06
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00780ED0
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00780FA5
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00780000
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00780062
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00780011
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00780FCA
.text F:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00780F21
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00770FCA
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00770087
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0077001B
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0077000A
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0077006C
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00770FEF
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0077005B
.text F:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00770040
.text F:\WINDOWS\system32\svchost.exe[1008] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00750FEF
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01830000
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01830F88
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0183007D
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0183006C
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0183005B
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01830FCA
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 018300A2
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01830F5A
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 018300C4
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01830F35
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 018300DF
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01830FAF
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0183001B
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01830F77
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01830FDB
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01830036
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 018300B3
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0182002C
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01820F91
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0182001B
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01820FEF
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01820FB6
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01820000
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 01820058
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0182003D
.text F:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01760000
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60000
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C60082
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C60F97
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60071
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C60FA8
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60040
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C60F4D
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C60093
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C60F32
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C600CB
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C600E6
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C60FC3
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C60FEF
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C60F68
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C60FD4
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C60025
.text F:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C600BA
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C4002C
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C40FB6
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C4001B
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C40FE5
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C40073
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C40000
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00C40062
.text F:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C40047
.text F:\WINDOWS\system32\svchost.exe[1160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C2000A
.text F:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00C5000A
.text F:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00C50025
.text F:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00C50FE5
.text F:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00C50036
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F52
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0047
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F6D
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F94
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FA5
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A006E
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F26
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00AE
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F15
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0EFA
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0036
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0000
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F41
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FCA
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A001B
.text F:\WINDOWS\system32\dllhost.exe[1504] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0093
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002A002C
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002A0070
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002A0011
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002A0FDB
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002A005F
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002A0000
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002A004E
.text F:\WINDOWS\system32\dllhost.exe[1504] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002A003D
.text F:\WINDOWS\system32\dllhost.exe[1504] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A30FEF
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E60FEF
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E60F94
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E60093
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E60FB9
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E60076
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E60040
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E60F68
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E60F79
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E60F3C
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E600D5
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E60F17
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E6005B
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E6000A
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E600A4
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E60025
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E60FDE
.text F:\WINDOWS\Explorer.EXE[1636] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E60F57
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CB002C
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CB0058
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CB001B
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CB0000
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CB003D
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CB0FEF
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00CB0FA5
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ EB, 88 ]
.text F:\WINDOWS\Explorer.EXE[1636] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CB0FC0
.text F:\WINDOWS\Explorer.EXE[1636] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00CC0FEF
.text F:\WINDOWS\Explorer.EXE[1636] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00CC000A
.text F:\WINDOWS\Explorer.EXE[1636] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00CC0025
.text F:\WINDOWS\Explorer.EXE[1636] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00CC0036
.text F:\WINDOWS\Explorer.EXE[1636] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00C90FE5
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E10FEF
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E10045
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E10F46
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E10F57
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E10F72
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E10F9E
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E10F1A
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E10062
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E10EEE
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E10091
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E10ED3
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E10F8D
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E10FD4
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreatePipe 7C81D827 1 Byte [ E9 ]
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreatePipe + 2 7C81D829 3 Bytes [ 36, 5F, 84 ]
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E10FAF
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E10000
.text F:\Program Files\Messenger\msmsgs.exe[1916] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E10F09
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DF0FD1
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DF0F94
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DF0022
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DF0011
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DF0FAF
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DF0000
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00DF0047
.text F:\Program Files\Messenger\msmsgs.exe[1916] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DF0FC0
.text F:\Program Files\Messenger\msmsgs.exe[1916] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DD0FEF
.text F:\Program Files\Messenger\msmsgs.exe[1916] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00E00000
.text F:\Program Files\Messenger\msmsgs.exe[1916] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00E0001B
.text F:\Program Files\Messenger\msmsgs.exe[1916] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00E0002C
.text F:\Program Files\Messenger\msmsgs.exe[1916] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00E00047
.text f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2304] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2304] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80FEF
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80F4D
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80F5E
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80F6F
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B8002C
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B8001B
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80F30
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80078
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80F04
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B8009D
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B800AE
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B80F94
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B80FD4
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B8005D
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B80FAF
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B8000A
.text F:\WINDOWS\system32\svchost.exe[2964] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B80F1F
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B7002F
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B70FA5
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B70FD4
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B70FEF
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B7006C
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B70000
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B70051
.text F:\WINDOWS\system32\svchost.exe[2964] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B70040
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A006E
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F79
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F8A
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FA5
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FC0
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0089
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F4D
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00B5
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F1C
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00D0
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0047
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A001B
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F68
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0036
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FE5
.text F:\WINDOWS\system32\dllhost.exe[4216] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A00A4
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002A0036
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002A005B
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002A001B
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002A0FEF
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002A0F9E
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002A0000
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 002A0FB9
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 4A, 88 ]
.text F:\WINDOWS\system32\dllhost.exe[4216] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002A0FCA
.text F:\WINDOWS\system32\dllhost.exe[4216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70000
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00250FEF
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0025005B
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00250040
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0025002F
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00250F72
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00250F9E
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0025009A
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00250089
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00250F15
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00250F26
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 002500C9
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00250F8D
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00250000
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0025006C
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00250FC3
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00250FD4
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00250F37
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00350FB9
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00350051
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00350FCA
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00350FE5
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00350F9E
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00350000
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00350040
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00350025
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02EE0FEF
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02EE0000
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02EE0FC0
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02EE0011
.text F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[4500] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03400FEF

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----
pacificocean
Active Member
Posts: 3
Joined: February 1st, 2009, 4:59 pm

Re: Google search on firefox, opera & IE bring up advertising

Unread postby ndmmxiaomayi » February 25th, 2009, 8:07 pm

Hi pacificocean,

You have more than one antivirus program installed on your computer.

They are:

  1. McAfee Antivirus
  2. AVG Antivirus

This is not recommended as it can cause system instabilities. Having more than one antivirus program also doesn't mean more protection for your computer, but may lower your computer's defenses.

Please choose to keep either AVG Antivirus or Norton Internet Security. You can uninstall either one of them via Start > Control Panel and double clicking on Add/Remove Programs.

Once you've removed one of the antivirus programs, please restart your computer.

Please let me know when you're done.
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Google search on firefox, opera & IE bring up advertising

Unread postby pacificocean » February 25th, 2009, 10:05 pm

Shoot. I had to go out of town and won't be back to my home computer with the problem til March 11. I will do what you recommended when I get back, though, and delete Norton and then re-contact you if that's OK. I thought I'd read somewhere that it was good to have more than one security/anti-virus system. But I actually thought that would be confusing for my computer, too.
Thanks again.
pacificocean
Active Member
Posts: 3
Joined: February 1st, 2009, 4:59 pm

Re: Google search on firefox, opera & IE bring up advertising

Unread postby ndmmxiaomayi » February 26th, 2009, 8:33 am

No problems. When you are back, you can send me a message. :)
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Google search on firefox, opera & IE bring up advertising

Unread postby NonSuch » March 8th, 2009, 5:53 pm

Due to a lack of activity, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California