Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

browser hijacking in firefox


Post by mandogpds » October 16th, 2010, 10:02 pm

I run Firefox with McAfee Total protection on, Windows XP. System has started to redirect from many sites in Google searches including various security sites to other websites, Sears, Bing, ad sites, etc., etc. McAfee, Adaware, Superantispyware and Malware Bytes all indicate a clean computer. Any suggestions for this problem?
Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:32:48 PM, on 10/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Seagate Replica\bin\Seagate-Replica-Service.exe
C:\Program Files\Seagate Replica\bin\Seagate-Replica-SysMon.exe
C:\Program Files\Seagate Replica\bin\Seagate-Replica-AutoPlay.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Seagate Replica\bin\Seagate-Replica-Tray.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100918173745.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - S-1-5-18 Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: Seagate-Replica-Service - Unknown owner - C:\Program Files\Seagate Replica\bin\Seagate-Replica-Service.exe
O23 - Service: Seagate-Replica-SysMon - Unknown owner - C:\Program Files\Seagate Replica\bin\Seagate-Replica-SysMon.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
Uninstall list:
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop 6.0
Adobe Photoshop CS
Adobe Photoshop CS2
Adobe Photoshop v4.0
Adobe Reader 9.4.0
Adobe Stock Photos 1.0
Adobe SVG Viewer
Canon CanoScan Toolbox 4.9
Choice Guard
Compatibility Pack for the 2007 Office system
Dell Dock
Dell Driver Reset Tool
EPSON Printer Software
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 13
Junk Mail filter update
Malwarebytes' Anti-Malware
McAfee Total Protection
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 Premium
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox (3.6.10)
MSVCRT
MSXML 6.0 Parser (KB927977)
OmniPage SE 2.0
Plug-in Suite 3
PowerDVD DX
Privacy Mantra 2.07
Realtek High Definition Audio Driver
Registry Distiller
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Seagate Replica v3.0.769.8778
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
SUPERAntiSpyware
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB898461)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Presentation Foundation
Windows Search 4.0

Re: browser hijacking in firefox

Post by peku006 » October 19th, 2010, 9:22 am

Hi mandogpds

Please download the GMER Rootkit Scanner from Here.
  • XP : Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than the System drive (which is typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
    **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
Note: Do not run any other programs while Gmer is running.

peku006

Re: browser hijacking in firefox

Post by mandogpds » October 20th, 2010, 12:07 am

I ran the GMER; it crashed the computer the first time (blue screen), then locked the computer up the next 3 times, so I had to cold boot. I had no other programs running. I finally got the GMER to run by deselecting Files. I then ran Files separately (no hits came up running just Files). I had my E/ drive, a Seagate Replica automatic backup hard drive, unhooked and the backup software not running. Thanks, Greg
GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-19 23:35:26
Windows 5.1.2600 Service Pack 3
Running: 428ylezp.exe; Driver: C:\DOCUME~1\GREGCO~1\LOCALS~1\Temp\fwloapod.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9EAF090]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9EAF0A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9EAF0D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9EAF126]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9EAF07C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9EAF054]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9EAF068]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9EAF0BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9EAF0FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9EAF0E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9EAF150]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9EAF13C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9EAF110]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050225C 7 Bytes JMP B9EAF114 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP B9EAF12A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP B9EAF140 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805B6040 5 Bytes JMP B9EAF100 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP B9EAF058 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP B9EAF06C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP B9EAF154 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 2 Bytes JMP B9EAF0EA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey + 3 806188B9 4 Bytes [89, 39, 90, 90] {MOV [ECX], EDI; NOP ; NOP }
PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP B9EAF0BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP B9EAF094 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP B9EAF0A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP B9EAF0D4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP B9EAF080 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[1108] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00730000
.text C:\WINDOWS\system32\services.exe[1108] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00730036
.text C:\WINDOWS\system32\services.exe[1108] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0073001B
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00940000
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009400B2
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00940097
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0094007A
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00940069
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00940FD1
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00940F8E
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009400E0
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00940127
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00940116
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00940F73
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00940058
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00940011
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009400C3
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0094003D
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0094002C
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009400FB
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00760FD4
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00760FA1
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00760025
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00760FB2
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0076004A
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00760FC3
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00750038
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 00750FAD
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0075000C
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00750FEF
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00750027
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00750FD2
.text C:\WINDOWS\system32\services.exe[1108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00740000
.text C:\WINDOWS\system32\lsass.exe[1120] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\lsass.exe[1120] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C20FC3
.text C:\WINDOWS\system32\lsass.exe[1120] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C20FDE
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00ED0FEF
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00ED0F80
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00ED0075
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00ED0058
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00ED0047
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00ED0025
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00ED00BC
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00ED00AB
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00ED0F3E
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00ED0F4F
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00ED00F2
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00ED0036
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00ED0014
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00ED009A
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00ED0FB9
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00ED0FDE
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00ED00D7
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EC000A
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EC0F7C
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EC0FAF
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EC0FD4
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EC0F8D
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EC002F
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EC0F9E
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EB0FC3
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EB0044
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EB0029
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EB0FD4
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\lsass.exe[1120] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EA000A
.text C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A60FE5
.text C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A60000
.text C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A60FD4
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80F76
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F80075
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80058
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80F9B
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F8003D
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F80F23
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F80F3E
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F800A1
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F80F12
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F800BC
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80FB6
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F80011
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F80F5B
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F80FDB
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F80022
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F80090
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F7002C
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F7007D
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F7001B
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F7006C
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F70FE5
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F70FC0
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [17, 89]
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F7003D
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A80F64
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A80F7F
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A80FB5
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A80FE3
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A80FA4
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A80FC6

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat 9B6E2D20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
mandogpds
Active Member
 
Posts: 4
Joined: October 16th, 2010, 9:51 pm

Re: browser hijacking in firefox

Post by peku006 » October 20th, 2010, 2:42 am

Hi mandogpds

Bing search engine is not malware. MSN Search (Live Search, Windows Live Search) has changed its name to Bing.
Read this:
Bing (search engine)

Change Default Search in Firefox

Do you have any other problems?

Thanks peku006
peku006
MRU Emeritus
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: browser hijacking in firefox

Post by mandogpds » October 20th, 2010, 9:51 am

My problem is having the browser redirected to other sites. For example, if I type Microsoft into Google, and the www.Microsoft.com website comes up as the first search item and I click on it Firefox says redirect and opens up a site like Information Getter or Scour or BudgetMatch, which has links to other sites but not Microsoft. The same thing happens if I try to go to www.Microsoft.com directly. This also happens with many other websites I try to go to, particularly computer security sites, but other sites too. Do I just have something set improperly in Firefox? McAfee doesn't show any infections. Thanks

Re: browser hijacking in firefox

Post by mandogpds » October 20th, 2010, 10:44 am

I think I have resolved the issue. I went into the Firefox Tools, selected options, and turned off Accept Third Party cookies. Now I can access the Microsoft website and various computer company security websites without being redirected to advertising websites. I hope this was the only problem. Thank you.

Re: browser hijacking in firefox

Post by peku006 » October 21st, 2010, 4:22 am

As this issue appears to be resolved, this topic is now closed.

We are pleased to have been some help in getting you clean.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read:
Donations For Malware Removal