Welcome to MalwareRemoval.com

google redirect/xp security virus/browser hijack


Post by b2thej1 » April 24th, 2011, 2:18 pm

Dear reader:
My problems began as a browser hijack. Then, after I thought I had cleared that up by buying their software ("antimalware something"), the XP Security virus thing took over. Now the computer powers down at will, and when I try to Google anything I am redirected to weird websites. Further, I am unable to get the computer to boot up for long periods of time.
I have attached the DDS text log and the attach text log. I hope I have followed all the instructions properly to get help.
I'm not a great computer person, so please bear with me and please help me.

Thanks in advance & best regards,
b2thej1


DDS text log:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by ABC STUDENT at 12:56:33.64 on Sun 04/24/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1070 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k itlsvc
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\env.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\Imgtask.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\ABC STUDENT\My Documents\Downloads\dds.scr
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://home.jzip.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
mWinlogon: Userinit=userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110423004836.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Browser protection: {fb9ffb4b-9680-4256-8178-5ecdb2c19b23} - c:\progra~1\spynom~1\SNMIEG~1.DLL
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [arg70techsdk.exe] c:\documents and settings\abc student\application data\f82f01b0682a4e0ca7f43f487e30b41a\arg70techsdk.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [ImgTask] c:\windows\Imgtask.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Jtajozili] rundll32.exe "c:\windows\iviqicox.dll",Startup
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRun: [MRtPNAFMRSnT] c:\documents and settings\all users\application data\MRtPNAFMRSnT.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\abcstu~1\startm~1\programs\startup\antima~1.lnk - c:\documents and settings\abc student\application data\f82f01b0682a4e0ca7f43f487e30b41a\arg70techsdk.exe
StartupFolder: c:\docume~1\abcstu~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: itlnfw32 - itlnfw32.dll
Notify: itlntfy - itlnfw32.dll
Notify: lonerty - c:\documents and settings\localservice\local settings\application data\lonerty.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\abcstu~1\applic~1\mozilla\firefox\profiles\uq02s0i7.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?clien ... n_dtid=&q=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\abc student\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\abc student\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\abc student\application data\mozilla\firefox\profiles\uq02s0i7.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPStreamPlug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {44CFD17F-A308-4B13-B326-93402B0665F2} - c:\documents and settings\abc student\local settings\application data\{44CFD17F-A308-4B13-B326-93402B0665F2}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\abc student\application data\Move Networks
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2008-1-14 3456]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-4-23 84072]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2004-8-10 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-4-23 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-4-23 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-4-23 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-4-23 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-4-23 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-4-23 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-4-22 141792]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\rosettastoneltdservices\RosettaStoneDaemon.exe [2009-9-3 444224]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-4-23 55840]
R3 EraserUtilDrvI10;EraserUtilDrvI10;c:\program files\common files\symantec shared\eengine\EraserUtilDrvI10.sys [2011-4-15 102448]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-4-23 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-4-23 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-4-23 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-4-23 88544]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110415.002\naveng.sys [2011-4-15 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110415.002\navex15.sys [2011-4-15 1393144]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-4-23 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-4-23 84264]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-11-12 14424]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]
.
=============== File Associations ===============
.
exefile="c:\documents and settings\networkservice\local settings\application data\sqd.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-04-23 19:03:24 -------- d-sh--w- c:\documents and settings\abc student\IECompatCache
2011-04-23 05:48:36 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2011-04-23 05:48:34 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-23 05:48:23 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-23 05:48:23 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-23 05:48:23 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-23 05:48:23 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-23 05:48:22 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-23 05:48:22 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-23 05:48:22 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-23 05:48:14 -------- d-----w- c:\program files\common files\Mcafee
2011-04-23 05:48:13 -------- dc----w- c:\program files\McAfee.com
2011-04-23 05:47:48 -------- dc----w- c:\program files\McAfee
2011-04-23 00:15:56 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-22 02:09:28 -------- dc----w- c:\program files\DVDFab 8
2011-04-21 12:16:47 529466 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-04-21 07:37:36 569344 ---ha-w- c:\docume~1\alluse~1\applic~1\MRtPNAFMRSnT.exe
2011-04-21 06:09:54 -------- d--h--w- c:\windows\system32\Adobe
2011-04-21 06:03:55 53248 -c-ha-w- c:\windows\system32\6to4v32.dll
2011-04-21 06:03:52 34816 ---ha-w- c:\windows\system32\itlnfw32.dll
2011-04-21 06:03:52 215552 ---ha-w- c:\windows\system32\itlpfw32.dll
2011-04-20 23:40:55 0 -c-ha-w- c:\windows\Fpemita.bin
2011-04-20 23:40:54 -------- d--h--w- c:\docume~1\abcstu~1\locals~1\applic~1\{44CFD17F-A308-4B13-B326-93402B0665F2}
2011-04-20 23:40:25 -------- d--h--w- c:\docume~1\abcstu~1\applic~1\F82F01B0682A4E0CA7F43F487E30B41A
.
==================== Find3M ====================
.
2011-04-24 17:51:26 17408 ---ha-w- c:\windows\system32\rpcnetp.dll
2011-04-24 17:51:24 56680 ----a-w- c:\windows\system32\rpcnet.dll
2011-04-24 17:26:41 17408 ---ha-w- c:\windows\system32\rpcnetp.exe
2011-03-07 05:33:50 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ---ha-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ---ha-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ---ha-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ---ha-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ---ha-w- c:\windows\system32\xpsp4res.dll
2011-02-15 20:33:42 34816 ---ha-w- c:\windows\system32\identprv.dll
2011-02-15 12:56:39 290432 ---ha-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ---ha-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ---ha-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ---ha-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ---ha-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ---ha-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ---ha-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ---ha-w- c:\windows\system32\mstsc.exe
2009-03-27 21:46:45 2869536 -c-ha-w- c:\program files\spywareblastersetup41.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS541660J9SA00 rev.SBBOC7KP -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A6534F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a6597d0]; MOV EAX, [0x8a65984c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A63BAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A592CE8]
\Driver\atapi[0x8A5E9A78] -> IRP_MJ_CREATE -> 0x8A6534F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A65333B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 12:59:21.73 ===============


Attach text log:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 1/30/2008 2:39:33 PM
System Uptime: 4/24/2011 12:49:24 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0WY383
Processor: Mobile AMD Sempron(tm) Processor 3600+ | Socket M2/S1G1 | 1994/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 56 GiB total, 23.845 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP662: 1/21/2011 7:43:57 PM - System Checkpoint
RP663: 1/22/2011 8:11:56 PM - System Checkpoint
RP664: 1/23/2011 8:31:13 PM - System Checkpoint
RP665: 1/24/2011 8:40:27 PM - System Checkpoint
RP666: 1/25/2011 9:31:14 PM - System Checkpoint
RP667: 1/26/2011 10:43:11 PM - System Checkpoint
RP668: 1/27/2011 11:31:14 PM - System Checkpoint
RP669: 1/29/2011 12:43:46 AM - System Checkpoint
RP670: 1/30/2011 1:31:14 AM - System Checkpoint
RP671: 1/31/2011 2:31:14 AM - System Checkpoint
RP672: 2/1/2011 3:31:11 AM - System Checkpoint
RP673: 2/2/2011 4:32:17 AM - System Checkpoint
RP674: 2/3/2011 4:32:29 AM - System Checkpoint
RP675: 2/4/2011 5:32:28 AM - System Checkpoint
RP676: 2/5/2011 6:32:31 AM - System Checkpoint
RP677: 2/6/2011 7:32:30 AM - System Checkpoint
RP678: 2/7/2011 8:32:30 AM - System Checkpoint
RP679: 2/8/2011 9:32:29 AM - System Checkpoint
RP680: 2/9/2011 3:00:16 AM - Software Distribution Service 3.0
RP681: 2/10/2011 3:26:08 AM - System Checkpoint
RP682: 2/11/2011 4:26:04 AM - System Checkpoint
RP683: 2/12/2011 4:50:38 AM - System Checkpoint
RP684: 2/13/2011 5:26:06 AM - System Checkpoint
RP685: 2/15/2011 8:56:48 PM - System Checkpoint
RP686: 2/16/2011 9:33:07 PM - System Checkpoint
RP687: 2/17/2011 10:18:23 PM - System Checkpoint
RP688: 2/18/2011 11:17:29 PM - System Checkpoint
RP689: 2/19/2011 11:33:39 PM - System Checkpoint
RP690: 2/21/2011 12:14:02 AM - System Checkpoint
RP691: 2/22/2011 1:14:02 AM - System Checkpoint
RP692: 2/23/2011 2:14:02 AM - System Checkpoint
RP693: 2/24/2011 3:00:14 AM - Software Distribution Service 3.0
RP694: 2/25/2011 3:22:27 AM - System Checkpoint
RP695: 2/26/2011 4:22:28 AM - System Checkpoint
RP696: 2/27/2011 5:22:27 AM - System Checkpoint
RP697: 2/28/2011 6:22:28 AM - System Checkpoint
RP698: 3/1/2011 7:22:29 AM - System Checkpoint
RP699: 3/2/2011 8:22:27 AM - System Checkpoint
RP700: 3/3/2011 8:33:47 AM - System Checkpoint
RP701: 3/4/2011 9:33:45 AM - System Checkpoint
RP702: 3/5/2011 10:33:45 AM - System Checkpoint
RP703: 3/6/2011 12:15:14 PM - System Checkpoint
RP704: 3/7/2011 12:33:45 PM - System Checkpoint
RP705: 3/8/2011 1:33:46 PM - System Checkpoint
RP706: 3/9/2011 1:46:09 PM - System Checkpoint
RP707: 3/10/2011 3:00:14 AM - Software Distribution Service 3.0
RP708: 3/11/2011 3:46:08 AM - System Checkpoint
RP709: 3/12/2011 4:46:05 AM - System Checkpoint
RP710: 3/13/2011 2:16:28 PM - System Checkpoint
RP711: 3/14/2011 2:42:20 PM - System Checkpoint
RP712: 3/15/2011 3:42:22 PM - System Checkpoint
RP713: 3/16/2011 4:42:22 PM - System Checkpoint
RP714: 3/17/2011 5:42:22 PM - System Checkpoint
RP715: 3/18/2011 6:42:22 PM - System Checkpoint
RP716: 3/19/2011 6:56:52 PM - System Checkpoint
RP717: 3/20/2011 7:42:23 PM - System Checkpoint
RP718: 3/21/2011 10:13:20 PM - System Checkpoint
RP719: 3/22/2011 10:42:22 PM - System Checkpoint
RP720: 3/23/2011 11:42:22 PM - System Checkpoint
RP721: 3/24/2011 3:00:14 AM - Software Distribution Service 3.0
RP722: 3/25/2011 3:42:22 AM - System Checkpoint
RP723: 3/26/2011 4:42:21 AM - System Checkpoint
RP724: 3/27/2011 4:45:49 AM - System Checkpoint
RP725: 3/28/2011 5:45:48 AM - System Checkpoint
RP726: 3/29/2011 6:45:49 AM - System Checkpoint
RP727: 3/30/2011 7:45:46 AM - System Checkpoint
RP728: 3/31/2011 8:58:50 AM - System Checkpoint
RP729: 4/1/2011 9:45:47 AM - System Checkpoint
RP730: 4/2/2011 9:58:51 AM - System Checkpoint
RP731: 4/3/2011 11:29:22 AM - System Checkpoint
RP732: 4/4/2011 11:57:16 AM - System Checkpoint
RP733: 4/5/2011 12:57:18 PM - System Checkpoint
RP734: 4/6/2011 1:57:18 PM - System Checkpoint
RP735: 4/7/2011 2:57:18 PM - System Checkpoint
RP736: 4/8/2011 3:57:18 PM - System Checkpoint
RP737: 4/9/2011 4:57:16 PM - System Checkpoint
RP738: 4/10/2011 7:59:30 PM - System Checkpoint
RP739: 4/11/2011 10:14:55 PM - System Checkpoint
RP740: 4/12/2011 10:57:18 PM - System Checkpoint
RP741: 4/13/2011 11:57:16 PM - System Checkpoint
RP742: 4/15/2011 12:57:17 AM - System Checkpoint
RP743: 4/16/2011 2:22:20 AM - System Checkpoint
RP744: 4/16/2011 3:00:15 AM - Software Distribution Service 3.0
RP745: 4/17/2011 3:30:48 AM - System Checkpoint
RP746: 4/18/2011 3:35:21 AM - System Checkpoint
RP747: 4/19/2011 4:35:20 AM - System Checkpoint
RP748: 4/20/2011 5:35:20 AM - System Checkpoint
.
==== Installed Programs ======================
.
1Click DVD Copy 5.8.4.0
AAC Decoder
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.2.0
Adobe Shockwave Player 11.5
Ask Toolbar
ATI Catalyst Control Center
ATI Display Driver
AutoUpdate
Bicycle Card Games
Broadcom Management Programs
Browser Address Error Redirector
Conexant HDA D330 MDC V.92 Modem
Dell Automated PC TuneUp
Dell Support Center
Dell Wireless WLAN Card
Digital Line Detect
DirectVobSub (remove only)
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DVD Shrink 3.2
DVDFab 6.2.1.8 (31/12/2009)
DVDFab 8.0.8.5 (19/03/2011)
eBay Icon
FormatFactory 2.20
Google Toolbar for Internet Explorer
H.264 Decoder
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ImgBurn
ISI ResearchSoft - Export Helper
Java Auto Updater
Java(TM) 6 Update 21
jZip
LiveUpdate 2.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MKV Splitter
Modem Diagnostic Tool
Motorola Driver Installation 3.7.0
Move Media Player
Mozilla Firefox (3.6.16)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
Nero 8 Essentials
neroxml
Netflix Movie Viewer
NetWaiting
Octoshape add-in for Adobe Flash Player
PeerBlock 1.0.0 (r181)
QuickSet
Revo Uninstaller 1.89
Rio Internet Update
Rio Music Manager
Rosetta Stone Ltd Services
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
SearchAssist
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SpyNoMore 2.67
SpywareGuard v2.2
StreamPlug Player 2.3.0
Sun Download Manager 2.0 (web)
Symantec AntiVirus
TBS WMP Plug-in
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB955759)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
VC80CRTRedist - 8.0.50727.762
VLC media player 1.0.1
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR archiver
Xilisoft AVI to DVD Converter
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
4/24/2011 9:40:41 AM, error: Dhcp [1002] - The IP address lease 192.168.0.101 for the Network Card with network address 001644783AA4 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
4/24/2011 12:54:07 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the mcmscsvc service.
4/24/2011 12:13:41 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McShield service, but this action failed with the following error: An instance of the service is already running.
4/23/2011 9:17:37 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
4/23/2011 9:17:37 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/23/2011 8:31:33 PM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
4/23/2011 6:50:14 PM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
4/23/2011 12:03:44 AM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: Access is denied.
4/23/2011 12:03:19 AM, error: SRService [104] - The System Restore initialization process failed.
4/23/2011 10:22:26 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the McAfee SiteAdvisor Service service.
4/23/2011 1:18:25 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file volsnap.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
4/22/2011 5:55:26 PM, error: Service Control Manager [7023] - The WMI Performance Adapter service terminated with the following error: Unspecified error
4/22/2011 11:57:15 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
4/21/2011 8:07:35 PM, error: Dhcp [1002] - The IP address lease 192.168.1.17 for the Network Card with network address 001644783AA4 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
4/21/2011 7:48:43 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/21/2011 7:47:13 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
.
==== End Of File ===========================
b2thej1
Regular Member
 
Posts: 71
Joined: March 8th, 2009, 11:19 pm
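The Event Viewer lines in the DDS log above are the first thing a helper reads for signs of tampering: the McShield antivirus service being terminated repeatedly, System Restore failing with "Access is denied", and Windows File Protection restoring volsnap.sys after something tried to replace it. The following is an added example (not DDS's code and not from this forum) that parses that one-event-per-line format and triages the entries; the sample input is copied from the log above, while the PROTECTIVE_SERVICES list and the event-ID rules are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Sample input: Event Viewer lines copied from the DDS log posted above
# (the page's own data, used here as test input).
SAMPLE_EVENTS = """\
4/24/2011 12:13:41 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McShield service, but this action failed with the following error: An instance of the service is already running.
4/23/2011 8:31:33 PM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
4/23/2011 12:03:44 AM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: Access is denied.
4/23/2011 12:03:19 AM, error: SRService [104] - The System Restore initialization process failed.
4/23/2011 1:18:25 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file volsnap.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
4/24/2011 9:40:41 AM, error: Dhcp [1002] - The IP address lease 192.168.0.101 for the Network Card with network address 001644783AA4 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
"""

# DDS writes one event per line: "<date> <time>, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)


@dataclass
class Event:
    ts: datetime
    level: str
    source: str
    event_id: int
    message: str


def parse_events(text):
    """Parse DDS-style Event Viewer lines; separator lines such as '.' are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            level=m["level"],
            source=m["source"],
            event_id=int(m["id"]),
            message=m["msg"],
        ))
    return events


# Services an infection commonly tries to stop (assumed list for this example, not from DDS).
PROTECTIVE_SERVICES = ("McShield", "System Restore", "Windows Management Instrumentation")


def triage(events):
    """Return (event_id, finding) pairs for entries that suggest security software is being interfered with."""
    findings = []
    for e in events:
        if e.source == "Service Control Manager" and e.event_id in (7031, 7032, 7023):
            # 7031/7032: unexpected termination or failed restart; 7023: terminated with an error.
            hit = next((s for s in PROTECTIVE_SERVICES if s in e.message), None)
            if hit:
                findings.append((e.event_id, f"protective service '{hit}' stopped or failed to restart"))
        elif e.source == "Windows File Protection" and e.event_id == 64002:
            # WFP only logs 64002 when something replaced a protected file and it was rolled back.
            fname = re.search(r"protected system file (\S+)\.", e.message)
            findings.append((e.event_id, f"WFP restored tampered system file {fname.group(1) if fname else '?'}"))
        elif e.source == "SRService" and e.event_id == 104:
            findings.append((e.event_id, "System Restore failed to initialise (restore points may be unusable)"))
    return findings


if __name__ == "__main__":
    for event_id, note in triage(parse_events(SAMPLE_EVENTS)):
        print(event_id, note)
```

The DHCPNACK line is deliberately left unflagged: on this log it reflects the laptop moving between two home networks (192.168.0.x and 192.168.1.x), not an infection, and a triage rule that fires on every network error would bury the entries that matter.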

Re: google redirect/xp security virus/browser hijack

Unread postby Cypher » April 24th, 2011, 2:49 pm

Hi and welcome to Malware Removal Forum.
My name is Cypher, and I will be helping you with your malware problems.
This may or may not, solve other issues you have with your machine.
If you no longer require help I would be grateful if you would let me know.

Before we start please note the following important guidelines.
  • The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can damage that computer and possibly make it inoperable!
  • If you don't know or understand something, please don't hesitate to ask.
  • Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
  • Only reply to this thread, do not start another. Please continue responding until I give you the "All Clean".
    Absence of symptoms does not mean that everything is clear.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • Please DO NOT install any other software (or hardware) during the cleaning process.
  • Print each set of instructions... if possible...your Internet connection will not be available during some fix processes.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
Backup your data - XP
Backup your data - Vista
Backup your data - windows 7



Upload File/Files for testing

Please go to jotti.org or Virustotal

Copy/paste this file and path into the white box at the top:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\env.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
Example of web address :
Image

Next.

Security Check

  • Please download Security Check by screen317 from one of the links below:
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt
  • Please post the contents of that document.



Logs/Information to Post in your Next Reply

  • Virustotal or jotti results.
  • checkup.txt.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: google redirect/xp security virus/browser hijack

Unread postby b2thej1 » April 24th, 2011, 5:42 pm

Hi Cypher:
I forgot to add in the previous post that all of my programs "disappeared", as did my entire desktop & quick launch taskbar.
Thanks...b2thej1


virustotal...

http://www.virustotal.com/file-scan/rea ... 1303680772

checkup text notepad...

Results of screen317's Security Check version 0.99.10
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Symantec AntiVirus
McAfee SecurityCenter
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 21
Out of date Java installed!
Adobe Flash Player 10.1.102.64
Adobe Reader 8.2.0
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.16) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
``````````End of Log````````````
b2thej1
Regular Member
 
Posts: 71
Joined: March 8th, 2009, 11:19 pm

Re: google redirect/xp security virus/browser hijack

Unread postby Cypher » April 25th, 2011, 5:18 am

Hi b2thej1.

multiple Anti Virus programs

  • It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:
    Symantec AntiVirus
    McAfee SecurityCenter
  • Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer.
  • Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.
  • Please remove one of them.
While you are in Add/Remove Programs, uninstall the below also.
Ask Toolbar

Next.

Download and Run ComboFix

  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**
  • Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper




Logs/Information to Post in your Next Reply

  • ComboFix.txt.
  • Please give me an update on how your computer is performing.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: google redirect/xp security virus/browser hijack

Unread postby b2thej1 » April 25th, 2011, 9:56 pm

Hello Cypher:
I removed the Symantec antivirus because the McAfee comes from my ISP and I thought it would be most helpful...
I also removed the Ask toolbar...then I ran the ComboFix; after it did its magic my programs and my desktop returned...
Prior to ComboFix, when you went into the start menu and looked at all programs there was nothing there; the same thing with my desktop, nothing there, and now it's all back...it also seems faster to get into the internet (I may be imagining that, I'm so
excited)...so here's the log from the ComboFix...

combofix log

ComboFix 11-04-25.02 - ABC STUDENT 04/25/2011 20:07:10.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1181 [GMT -5:00]
Running from: c:\documents and settings\ABC STUDENT\My Documents\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ABC STUDENT\Application Data\Adobe\plugs
c:\documents and settings\ABC STUDENT\Application Data\Adobe\shed
c:\documents and settings\ABC STUDENT\Application Data\Desktopicon
c:\documents and settings\ABC STUDENT\Application Data\Desktopicon\eBay.ico
c:\documents and settings\ABC STUDENT\Application Data\Desktopicon\uninst.exe
c:\documents and settings\ABC STUDENT\Application Data\F82F01B0682A4E0CA7F43F487E30B41A
c:\documents and settings\ABC STUDENT\Application Data\F82F01B0682A4E0CA7F43F487E30B41A\enemies-names.txt
c:\documents and settings\ABC STUDENT\Application Data\F82F01B0682A4E0CA7F43F487E30B41A\local.ini
c:\documents and settings\ABC STUDENT\Application Data\F82F01B0682A4E0CA7F43F487E30B41A\lsrslt.ini
c:\documents and settings\ABC STUDENT\Application Data\F82F01B0682A4E0CA7F43F487E30B41A\order.html
c:\documents and settings\ABC STUDENT\Application Data\F82F01B0682A4E0CA7F43F487E30B41A\scanbuffer.dat
c:\documents and settings\ABC STUDENT\Application Data\inst.exe
c:\documents and settings\ABC STUDENT\Local Settings\Application Data\{44CFD17F-A308-4B13-B326-93402B0665F2}
c:\documents and settings\ABC STUDENT\Local Settings\Application Data\{44CFD17F-A308-4B13-B326-93402B0665F2}\chrome.manifest
c:\documents and settings\ABC STUDENT\Local Settings\Application Data\{44CFD17F-A308-4B13-B326-93402B0665F2}\chrome\content\_cfg.js
c:\documents and settings\ABC STUDENT\Local Settings\Application Data\{44CFD17F-A308-4B13-B326-93402B0665F2}\chrome\content\overlay.xul
c:\documents and settings\ABC STUDENT\Local Settings\Application Data\{44CFD17F-A308-4B13-B326-93402B0665F2}\install.rdf
c:\documents and settings\ABC STUDENT\Recent\ANTIGEN.sys
c:\documents and settings\ABC STUDENT\Recent\cb.dll
c:\documents and settings\ABC STUDENT\Recent\CLSV.drv
c:\documents and settings\ABC STUDENT\Recent\eb.tmp
c:\documents and settings\ABC STUDENT\Recent\PE.exe
c:\documents and settings\ABC STUDENT\Recent\ppal.dll
c:\documents and settings\ABC STUDENT\Recent\std.sys
c:\documents and settings\ABC STUDENT\Start Menu\Programs\Startup\Antimalware Doctor.lnk
c:\documents and settings\All Users\Application Data\MRtPNAFMRSnT.exe
c:\documents and settings\All Users\Application Data\vlc-0.9.9-win32.exe
c:\documents and settings\LocalService\Local Settings\Application Data\lonerty.dll
c:\progra~1\DOSPOP~1\tbu43\doSPop.dll
c:\windows\Imgtask.exe
c:\windows\iviqicox.dll
c:\windows\system32\6to4v32.dll
c:\windows\system32\certstore.dat
c:\windows\system32\drivers\etc\hosts1
c:\windows\system32\itlnfw32.dll
c:\windows\system32\itlpfw32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_ITLPERF
-------\Service_6to4
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-26 to 2011-04-26 )))))))))))))))))))))))))))))))
.
.
2011-04-25 22:29 . 2011-04-25 22:30 13160 ----a-w- c:\windows\system32\Upgrd.exe
2011-04-25 02:51 . 2011-04-25 02:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-04-23 19:03 . 2011-04-23 19:03 -------- d-sh--w- c:\documents and settings\ABC STUDENT\IECompatCache
2011-04-23 05:48 . 2010-10-14 03:28 24376 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
2011-04-23 05:48 . 2010-10-14 03:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-23 05:48 . 2010-10-14 03:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-23 05:48 . 2010-10-14 03:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-23 05:48 . 2010-10-14 03:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-23 05:48 . 2010-10-14 03:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-23 05:48 . 2010-10-14 03:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-23 05:48 . 2010-10-14 03:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-23 05:48 . 2010-10-14 03:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-23 05:48 . 2011-04-23 05:49 -------- d-----w- c:\program files\Common Files\Mcafee
2011-04-23 05:47 . 2011-04-23 23:17 -------- dc----w- c:\program files\McAfee
2011-04-23 00:15 . 2010-10-14 03:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-23 00:15 . 2011-04-24 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-04-23 00:02 . 2011-04-23 00:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-04-20 23:50 . 2011-04-20 23:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-20 23:40 . 2011-04-25 22:48 0 -c-ha-w- c:\windows\Fpemita.bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-26 01:19 . 2008-10-08 15:40 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-04-26 01:19 . 2008-01-30 21:07 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-04-25 22:29 . 2006-03-01 21:37 58288 ------w- c:\windows\system32\rpcnet.exe
2011-04-25 22:11 . 2008-10-08 15:41 17408 ---ha-w- c:\windows\system32\rpcnetp.dll
2011-03-07 05:33 . 2004-08-10 19:02 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-10 18:51 420864 ---ha-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 18:51 1857920 ---ha-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-10 18:51 916480 ---ha-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-10 18:51 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-10 18:51 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-10 18:51 385024 ---ha-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-10 18:51 455936 ---ha-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 18:51 357888 ---ha-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-15 22:10 5120 ---ha-w- c:\windows\system32\xpsp4res.dll
2011-02-15 20:33 . 2010-03-17 20:54 34816 ---ha-w- c:\windows\system32\identprv.dll
2011-02-15 12:56 . 2004-08-10 18:50 290432 ---ha-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2004-08-10 19:01 229888 ---ha-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53 . 2004-08-10 18:51 270848 ---ha-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-10 18:51 186880 ---ha-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-10 18:51 978944 ---ha-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 18:51 974848 ---ha-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2004-08-10 19:01 2067456 ---ha-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-10 19:01 677888 ---ha-w- c:\windows\system32\mstsc.exe
2009-03-27 21:46 . 2009-03-27 21:55 2869536 -c-ha-w- c:\program files\spywareblastersetup41.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ---ha-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ---ha-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c-ha-w- c:\program files\opera\program\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 -c-ha-w- c:\program files\opera\program\plugins\ssldivx.dll
2010-10-14 03:28 . 2011-04-23 05:48 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-24 303104]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\ABC STUDENT\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-14 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rpcnet]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
.
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [1/14/2008 3:53 PM 3456]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/23/2011 12:48 AM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2011 12:48 AM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2011 12:48 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2011 12:48 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [4/23/2011 12:48 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/22/2011 7:15 PM 141792]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [9/3/2009 3:44 PM 444224]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/23/2011 12:48 AM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/23/2011 12:48 AM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/23/2011 12:48 AM 88544]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/23/2011 12:48 AM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/23/2011 12:48 AM 84264]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [11/12/2009 9:11 PM 14424]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
itlsvc REG_MULTI_SZ itlperf
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ---ha-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.jzip.com/
FF - ProfilePath - c:\documents and settings\ABC STUDENT\Application Data\Mozilla\Firefox\Profiles\uq02s0i7.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\ABC STUDENT\Application Data\Move Networks
FF - user.js: yahoo.homepage.dontask - true
.
.
------- File Associations -------
.
exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\sqd.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-arg70techsdk.exe - c:\documents and settings\ABC STUDENT\Application Data\F82F01B0682A4E0CA7F43F487E30B41A\arg70techsdk.exe
HKLM-Run-dscactivate - %ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe
HKLM-Run-Jtajozili - c:\windows\iviqicox.dll
HKU-Default-Run-MRtPNAFMRSnT - c:\documents and settings\All Users\Application Data\MRtPNAFMRSnT.exe
Notify-itlntfy - itlnfw32.dll
Notify-NavLogon - (no file)
AddRemove-DivX Plus DirectShow Filters - c:\documents and settings\ABC STUDENT\Desktop\DivX\DivXDSFiltersUninstall.exe
AddRemove-eBay Icon - c:\documents and settings\ABC STUDENT\Application Data\Desktopicon\uninst.exe
AddRemove-StreamPlug - c:\documents and settings\ABC STUDENT\Desktop\Streamplug\Uninstall_StreamPlug_Player.exe
AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\documents and settings\ABC STUDENT\Desktop\DivX\DivXConverterUninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\documents and settings\ABC STUDENT\Desktop\DivX\DivXCodecUninstall.exe
AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - c:\documents and settings\ABC STUDENT\Desktop\DivX\DivXPlayerUninstall.exe
AddRemove-{B13A7C41581B411290FBC0395694E2A9} - c:\documents and settings\ABC STUDENT\Desktop\DivX\DivXConverterUninstall.exe
AddRemove-{B7050CBDB2504B34BC2A9CA0A692CC29} - c:\documents and settings\ABC STUDENT\Desktop\DivX\DivXWebPlayerUninstall.exe
AddRemove-StreamPlug Player 2.3.0 - c:\documents and settings\ABC STUDENT\Desktop\Streamplug\Uninstall_StreamPlug_Player.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-25 20:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS541660J9SA00 rev.SBBOC7KP -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A64633B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1308)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(1368)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2024)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\sitead~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\RioMSC.exe
c:\windows\system32\rpcnet.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\windows\stsystra.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2011-04-25 20:34:45 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-26 01:34
.
Pre-Run: 25,699,704,832 bytes free
Post-Run: 25,880,973,312 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 949A30421DDE77B668687234ABEABDF9
b2thej1
Regular Member
 
Posts: 71
Joined: March 8th, 2009, 11:19 pm

Re: google redirect/xp security virus/browser hijack

Unread postby Cypher » April 26th, 2011, 5:50 am

Hi b2thej1.
Are your searches still redirected? Let me know in your next reply.

ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below... into the window:
    File::
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\env.exe
    
    Folder::
    c:\\Program Files\\FrostWire
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=-
    
    DDS:: 
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    
    Firefox::
    FF - ProfilePath - c:\documents and settings\ABC STUDENT\Application Data\Mozilla\Firefox\Profiles\uq02s0i7.default\
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?clien ... n_dtid=&q=
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    
    
  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    *Only* when the 2 items above (Step 3) have been taken care of...
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    Image
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
  5. When finished ComboFix will create a log file... you can save this file to a convenient place.
Please copy/paste the ComboFix log file in your next reply.

Next.

I see you already have Malwarebytes Anti-Malware installed:

  • Launch the application, Check for Updates >> Perform Quick Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Next.

Please download TDSSKiller.zip and extract (unzip) it to your Desktop.
  • Double click on TDSSKiller.exe to launch it.
  • Click on Start Scan, the scan will run.
  • When the scan has finished, if it finds anything, please click on the drop-down arrow next to Cure and select Skip.
  • Now click on Report to open the log file created by TDSSKiller in your root directory C:\
  • To find the log go to Start > Computer > C:
  • Post the contents of that log in your next reply please.
  • DO NOT TRY TO FIX ANYTHING AT THIS POINT


Logs/Information to Post in your Next Reply

  • ComboFix log.
  • Malwarebytes log.
  • TDSSKiller log.
  • Please give me an update on how your computer is performing, are your searches still redirected?
Cypher
Admin/Teacher
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: google redirect/xp security virus/browser hijack

Unread postby b2thej1 » April 26th, 2011, 8:36 pm

hi cypher: my searches are still redirecting but the pc is faster...i was unable to run the tdsskiller...an error message
kept coming up "tdss rootkit removing tool has encountered a problem and needs to close. sorry for the inconvenience".
find below the new combofix log & the mbam log.

thanks a bunch,
b2thej1




ComboFix 11-04-26.02 - ABC STUDENT 04/26/2011 18:30:45.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1318 [GMT -5:00]
Running from: c:\documents and settings\ABC STUDENT\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\ABC STUDENT\Desktop\cfscript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
FILE ::
"c:\documents and settings\NetworkService\Local Settings\Application Data\env.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\\Program Files\\FrostWire
c:\\Program Files\\FrostWire\aopalliance.jar
c:\\Program Files\\FrostWire\clink.jar
c:\\Program Files\\FrostWire\commons-codec-1.3.jar
c:\\Program Files\\FrostWire\commons-logging.jar
c:\\Program Files\\FrostWire\daap.jar
c:\\Program Files\\FrostWire\forms.jar
c:\\Program Files\\FrostWire\foxtrot.jar
c:\\Program Files\\FrostWire\FrostWire.exe
c:\\Program Files\\FrostWire\FrostWire.jar
c:\\Program Files\\FrostWire\gettext-commons.jar
c:\\Program Files\\FrostWire\guice-1.0.jar
c:\\Program Files\\FrostWire\httpclient-4.0.jar
c:\\Program Files\\FrostWire\httpcore-4.0.1.jar
c:\\Program Files\\FrostWire\httpcore-nio-4.0.1.jar
c:\\Program Files\\FrostWire\icu4j.jar
c:\\Program Files\\FrostWire\jaudiotagger.jar
c:\\Program Files\\FrostWire\jcip-annotations.jar
c:\\Program Files\\FrostWire\jcraft.jar
c:\\Program Files\\FrostWire\jdic.dll
c:\\Program Files\\FrostWire\jdic.jar
c:\\Program Files\\FrostWire\jdic_stub.jar
c:\\Program Files\\FrostWire\jflac.jar
c:\\Program Files\\FrostWire\jl.jar
c:\\Program Files\\FrostWire\jmdns.jar
c:\\Program Files\\FrostWire\jogg.jar
c:\\Program Files\\FrostWire\jorbis.jar
c:\\Program Files\\FrostWire\jython.jar
c:\\Program Files\\FrostWire\log4j.jar
c:\\Program Files\\FrostWire\looks.jar
c:\\Program Files\\FrostWire\lw-azureus.jar
c:\\Program Files\\FrostWire\lw-collection.jar
c:\\Program Files\\FrostWire\lw-common.jar
c:\\Program Files\\FrostWire\lw-http.jar
c:\\Program Files\\FrostWire\lw-io.jar
c:\\Program Files\\FrostWire\lw-mojito.jar
c:\\Program Files\\FrostWire\lw-net.jar
c:\\Program Files\\FrostWire\lw-nio.jar
c:\\Program Files\\FrostWire\lw-resources.jar
c:\\Program Files\\FrostWire\lw-rudp.jar
c:\\Program Files\\FrostWire\lw-security.jar
c:\\Program Files\\FrostWire\lw-setting.jar
c:\\Program Files\\FrostWire\lw-statistic.jar
c:\\Program Files\\FrostWire\messages.jar
c:\\Program Files\\FrostWire\mp3spi.jar
c:\\Program Files\\FrostWire\onion-common.jar
c:\\Program Files\\FrostWire\onion-fec.jar
c:\\Program Files\\FrostWire\ProgressTabs.jar
c:\\Program Files\\FrostWire\splash.jar
c:\\Program Files\\FrostWire\SystemUtilities.dll
c:\\Program Files\\FrostWire\themes.jar
c:\\Program Files\\FrostWire\tray.dll
c:\\Program Files\\FrostWire\tritonus.jar
c:\\Program Files\\FrostWire\vorbisspi.jar
c:\documents and settings\All Users\Application Data\lnTUynXQPRYn.exe
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome.manifest
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\install.rdf
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome.manifest
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\install.rdf
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome.manifest
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\install.rdf
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome.manifest
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\install.rdf
c:\windows\system32\drivers\etc\hosts1
.
.
((((((((((((((((((((((((( Files Created from 2011-03-26 to 2011-04-26 )))))))))))))))))))))))))))))))
.
.
2011-04-26 07:13 . 2011-04-26 07:13 -------- dc----w- c:\program files\QuickTime
2011-04-25 22:29 . 2011-04-25 22:30 13160 ----a-w- c:\windows\system32\Upgrd.exe
2011-04-25 02:51 . 2011-04-25 02:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-04-23 19:03 . 2011-04-23 19:03 -------- d-sh--w- c:\documents and settings\ABC STUDENT\IECompatCache
2011-04-23 05:48 . 2010-10-14 03:28 24376 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
2011-04-23 05:48 . 2010-10-14 03:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-23 05:48 . 2010-10-14 03:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-23 05:48 . 2010-10-14 03:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-23 05:48 . 2010-10-14 03:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-23 05:48 . 2010-10-14 03:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-23 05:48 . 2010-10-14 03:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-23 05:48 . 2010-10-14 03:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-23 05:48 . 2010-10-14 03:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-23 05:48 . 2011-04-23 05:49 -------- d-----w- c:\program files\Common Files\Mcafee
2011-04-23 05:47 . 2011-04-23 23:17 -------- dc----w- c:\program files\McAfee
2011-04-23 00:15 . 2010-10-14 03:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-23 00:15 . 2011-04-24 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-04-20 23:50 . 2011-04-20 23:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-20 23:40 . 2011-04-25 22:48 0 -c--a-w- c:\windows\Fpemita.bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-26 22:42 . 2008-10-08 15:40 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-04-26 22:42 . 2008-01-30 21:07 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-04-25 22:29 . 2006-03-01 21:37 58288 ------w- c:\windows\system32\rpcnet.exe
2011-04-25 22:11 . 2008-10-08 15:41 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-03-07 05:33 . 2004-08-10 19:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-10 18:51 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 18:51 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-10 18:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-10 18:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-10 18:51 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-10 18:51 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 18:51 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-15 22:10 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 20:33 . 2010-03-17 20:54 34816 ----a-w- c:\windows\system32\identprv.dll
2011-02-15 12:56 . 2004-08-10 18:50 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2004-08-10 19:01 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53 . 2004-08-10 18:51 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-10 18:51 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-10 18:51 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 18:51 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2004-08-10 19:01 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-10 19:01 677888 ----a-w- c:\windows\system32\mstsc.exe
2009-03-27 21:46 . 2009-03-27 21:55 2869536 -c--a-w- c:\program files\spywareblastersetup41.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\opera\program\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\opera\program\plugins\ssldivx.dll
2010-10-14 03:28 . 2011-04-23 05:48 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-24 303104]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\ABC STUDENT\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-14 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rpcnet]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
.
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [1/14/2008 3:53 PM 3456]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/23/2011 12:48 AM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2011 12:48 AM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2011 12:48 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2011 12:48 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [4/23/2011 12:48 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/22/2011 7:15 PM 141792]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [9/3/2009 3:44 PM 444224]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/23/2011 12:48 AM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/23/2011 12:48 AM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/23/2011 12:48 AM 88544]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/23/2011 12:48 AM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/23/2011 12:48 AM 84264]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [11/12/2009 9:11 PM 14424]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
itlsvc REG_MULTI_SZ itlperf
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.jzip.com
FF - ProfilePath - c:\documents and settings\ABC STUDENT\Application Data\Mozilla\Firefox\Profiles\uq02s0i7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\ABC STUDENT\Application Data\Move Networks
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-lnTUynXQPRYn - c:\documents and settings\All Users\Application Data\lnTUynXQPRYn.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-26 18:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS541660J9SA00 rev.SBBOC7KP -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5EE33B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1308)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(1368)
c:\windows\system32\WININET.dll
.
Completion time: 2011-04-26 18:45:27
ComboFix-quarantined-files.txt 2011-04-26 23:45
ComboFix2.txt 2011-04-26 01:34
.
Pre-Run: 25,762,541,568 bytes free
Post-Run: 25,928,372,224 bytes free
.
- - End Of File - - 0084286FD2A15CD643399DEE751D26EB


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/26/2011 6:57:58 PM
mbam-log-2011-04-26 (18-57-58).txt

Scan type: Quick scan
Objects scanned: 117714
Time elapsed: 5 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





b2thej1
Regular Member
 
Posts: 71
Joined: March 8th, 2009, 11:19 pm
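One way to read the "Reg Loading Points" section of a ComboFix log such as the one above, as an added example (not part of this thread, of ComboFix, or of the helper's instructions): the script below parses the REGEDIT4-style key and value lines and flags the Security Center and Windows Firewall settings that weaken protection, namely `AntiVirusOverride`, `FirewallOverride`, `DisableMonitoring`, `EnableFirewall` and `DisableNotifications`, all of which appear in the log above. The sample log is constructed in the same layout (not a verbatim copy) and the rule list is the example's own.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for weakened
security settings. Added example for this thread; it is not part of ComboFix
or of the helper's instructions, and the rule list is the example's own."""
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's REGEDIT4-style layout, modelled on the
# log posted above (shortened; not a verbatim copy).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
DEC_RE = re.compile(r'^"([^"]+)"= ?(\d+) \(0x[0-9a-fA-F]+\)$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    value: int
    note: str


# (regex on the key path, value name, value that weakens protection, note)
RULES = (
    (r"\\security center$", "AntiVirusOverride", 1,
     "Security Center will not warn when no antivirus is running"),
    (r"\\security center$", "FirewallOverride", 1,
     "Security Center will not warn when no firewall is running"),
    (r"\\security center\\monitoring\\", "DisableMonitoring", 1,
     "Security Center monitoring of this product is switched off"),
    (r"\\firewallpolicy\\standardprofile$", "EnableFirewall", 0,
     "Windows Firewall is off for the standard profile"),
    (r"\\firewallpolicy\\standardprofile$", "DisableNotifications", 1,
     "Windows Firewall notifications are suppressed"),
)


def parse_values(log_text):
    """Map each registry key in the section to its numeric values."""
    values, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            values.setdefault(current, {})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            values[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = DEC_RE.match(line)
        if m:
            values[current][m.group(1)] = int(m.group(2))
    return values


def run_entries(log_text):
    """List (key, name, path) for every autostart entry under a Run key."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        m = RUN_RE.match(line)
        if m and current and current.lower().endswith("\\run"):
            entries.append((current, m.group(1), m.group(2)))
    return entries


def triage(log_text):
    """Return one Finding per rule whose weakening value is present."""
    findings = []
    for key, names in parse_values(log_text).items():
        for pattern, name, bad, note in RULES:
            if re.search(pattern, key, re.IGNORECASE) and names.get(name) == bad:
                findings.append(Finding(key, name, bad, note))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name}={f.value} under {f.key}: {f.note}")
    for key, name, path in run_entries(SAMPLE_LOG):
        print(f"autostart {name!r} -> {path}")
```

Findings are leads, not verdicts: a third-party suite such as McAfee sets `DisableMonitoring` for its own products so that Security Center defers to it, and may turn the Windows Firewall off in favour of its own, so the same values appear on clean machines. What a helper weighs is the combination, for instance overrides set while the antivirus reports itself disabled, or the Windows Firewall off with no replacement firewall running.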

Re: google redirect/xp security virus/browser hijack

Unread postby Cypher » April 27th, 2011, 6:11 am

Hi b2thej1.
It looks like you may have one of the newer rootkit infections.

Please download GMER Rootkit Scanner from Here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All << (don't miss this one)
    See image below, Click the image to enlarge it
    Image
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Note: Do not run any programs while Gmer is running.
Cypher
Admin/Teacher
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
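Cypher's caution that rootkit scans produce false positives can be made concrete: the hooks in the GMER log posted in the next reply are owned by `mfehidk.sys`, McAfee's driver, and GMER prints the owning module and vendor after each one. The script below, an added example that is not part of GMER, ComboFix or the helper's procedure, parses GMER "Kernel code sections" lines and the "detected hooks" section of the MBR detector output in the ComboFix logs above, attributes each hook to its module, and keeps only the unattributed or unrecognized ones for review. The allowlist holds only the McAfee driver seen in this thread, and the third sample line is constructed on the assumption that GMER prints nothing after the jump target when it cannot name the owning module.

```python
"""Attribute the hooks reported by GMER and by the MBR detector to their
owning module, so hooks from the installed security product can be set
aside and the rest surfaced for review. Added example; not GMER's code."""
import re
from dataclasses import dataclass
from typing import Optional

# Security-product drivers seen in this thread's logs (McAfee). Hooks owned
# by these are expected; everything else is reported.
KNOWN_SECURITY_MODULES = {"mfehidk.sys"}

# 'Kernel code sections' lines. The first two follow the McAfee entries in
# the GMER log below; the third is constructed to show a hook with no owning
# module (assumed layout: nothing printed after the jump target).
SAMPLE_GMER = """\
.text ntkrnlpa.exe!ZwYieldExecution 8050225C 7 Bytes JMP B9ED5164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C13F8 5 Bytes JMP B9ED50A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtEnumerateKey 80623A40 5 Bytes JMP 8A5D0C10
"""

# MBR detector section as printed in the ComboFix logs above.
SAMPLE_MBR = r"""
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A64633B
user & kernel MBR OK
"""

HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<image>\S+)!(?P<func>\S+)\s+[0-9A-Fa-f]{8}\s+"
    r"\d+ Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<module>\S+)(?:\s+\((?P<vendor>[^)]*)\))?)?\s*$"
)
MBR_HOOK_RE = re.compile(
    r"^\\Driver\\(?P<driver>\S+)\s+(?P<routine>\S+)\s+->\s+0x(?P<target>[0-9A-Fa-f]+)$"
)


@dataclass(frozen=True)
class Hook:
    image: str
    func: str
    target: str
    module: Optional[str]   # None when GMER could not name the owner
    vendor: Optional[str]


def parse_gmer_hooks(text):
    """Parse every 'Kernel code sections' line into a Hook."""
    hooks = []
    for raw in text.splitlines():
        m = HOOK_RE.match(raw.strip())
        if m:
            hooks.append(Hook(m["image"], m["func"], m["target"].upper(),
                              m["module"], m["vendor"]))
    return hooks


def parse_mbr_report(text):
    """Collect the 'detected hooks' entries and the MBR verdict line."""
    hooks, mbr_ok = [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = MBR_HOOK_RE.match(line)
        if m:
            hooks.append((m["driver"], m["routine"], m["target"].upper()))
        elif line == "user & kernel MBR OK":
            mbr_ok = True
    return {"mbr_ok": mbr_ok, "hooks": hooks}


def triage_hooks(hooks, known_modules=KNOWN_SECURITY_MODULES):
    """Keep only hooks that are unattributed or owned by an unknown module."""
    notes = []
    for h in hooks:
        where = f"{h.image}!{h.func} -> {h.target}"
        if h.module is None:
            notes.append(f"ESCALATE: {where} (no owning module reported)")
        elif h.module.lower() not in known_modules:
            notes.append(f"REVIEW: {where} owned by {h.module} "
                         f"({h.vendor or 'no vendor string'})")
    return notes


def triage_mbr(report):
    """Every driver hook the MBR detector lists is escalated; so is a bad MBR."""
    notes = [f"ESCALATE: \\Driver\\{d} {r} -> 0x{t}" for d, r, t in report["hooks"]]
    if not report["mbr_ok"]:
        notes.append("ESCALATE: MBR did not verify as OK")
    return notes


if __name__ == "__main__":
    for note in triage_hooks(parse_gmer_hooks(SAMPLE_GMER)) + triage_mbr(parse_mbr_report(SAMPLE_MBR)):
        print(note)
```

Run on the logs in this thread, the McAfee-owned hooks drop out and what remains is the `\Driver\atapi DriverStartIo` hook from the MBR detector, which is exactly the entry a helper wants to see on its own rather than buried among a dozen expected antivirus hooks. The script only surfaces entries; as the caution above says, acting on them is the helper's call.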

Re: google redirect/xp security virus/browser hijack

Unread postby b2thej1 » April 27th, 2011, 9:42 pm

hi cypher:
my searches particularly google are still redirecting...below is the gmer log

have a good day & thanks, b2thej1


GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-27 20:18:45
Windows 5.1.2600 Service Pack 3
Running: gukn2np9.exe; Driver: C:\DOCUME~1\ABCSTU~1\LOCALS~1\Temp\pwtyapow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9ED50E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9ED50F4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9ED5120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9ED5176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9ED50CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9ED50A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9ED50B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9ED510A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9ED514C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9ED5136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9ED51A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9ED518C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9ED5160]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050225C 7 Bytes JMP B9ED5164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A75C4 7 Bytes JMP B9ED517A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A83DA 5 Bytes JMP B9ED5190 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805B6114 5 Bytes JMP B9ED5150 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C13F8 5 Bytes JMP B9ED50A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C1684 5 Bytes JMP B9ED50BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8DA6 5 Bytes JMP B9ED51A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 8061925E 7 Bytes JMP B9ED513A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 8061A70E 7 Bytes JMP B9ED510E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061ACEC 5 Bytes JMP B9ED50E4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061B188 7 Bytes JMP B9ED50F8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061B358 7 Bytes JMP B9ED5124 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061C0CA 5 Bytes JMP B9ED50D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[184] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0009000A
.text C:\WINDOWS\system32\svchost.exe[184] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FDB
.text C:\WINDOWS\system32\svchost.exe[184] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EE000A
.text C:\WINDOWS\system32\svchost.exe[184] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00EF000A
.text C:\WINDOWS\system32\svchost.exe[184] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00ED000C
.text C:\WINDOWS\system32\svchost.exe[184] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0FD4
.text C:\WINDOWS\system32\svchost.exe[184] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0F9E
.text C:\WINDOWS\system32\svchost.exe[184] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D001B
.text C:\WINDOWS\system32\svchost.exe[184] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D0FE5
.text C:\WINDOWS\system32\svchost.exe[184] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D0051
.text C:\WINDOWS\system32\svchost.exe[184] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D0000
.text C:\WINDOWS\system32\svchost.exe[184] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002D0040
.text C:\WINDOWS\system32\svchost.exe[184] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D0FC3
.text C:\WINDOWS\system32\svchost.exe[184] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0111000A
.text C:\WINDOWS\system32\svchost.exe[184] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FB000A
.text C:\WINDOWS\system32\svchost.exe[184] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0042005A
.text C:\WINDOWS\system32\svchost.exe[184] msvcrt.dll!system 77C293C7 5 Bytes JMP 00420049
.text C:\WINDOWS\system32\svchost.exe[184] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0042001D
.text C:\WINDOWS\system32\svchost.exe[184] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00420000
.text C:\WINDOWS\system32\svchost.exe[184] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0042002E
.text C:\WINDOWS\system32\svchost.exe[184] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00420FE3
.text C:\WINDOWS\system32\svchost.exe[516] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006D0000
.text C:\WINDOWS\system32\svchost.exe[516] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006D001B
.text C:\WINDOWS\system32\svchost.exe[516] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D0FE5
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DA0F41
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DA0F5C
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DA0F6D
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DA0F8A
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DA0FC0
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DA0075
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DA0064
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DA0F08
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DA00A1
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DA00B2
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DA0FA5
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DA0011
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DA0047
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DA002C
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DA0FDB
.text C:\WINDOWS\system32\svchost.exe[516] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DA0090
.text C:\WINDOWS\system32\svchost.exe[516] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D90FCA
.text C:\WINDOWS\system32\svchost.exe[516] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D90076
.text C:\WINDOWS\system32\svchost.exe[516] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D9001B
.text C:\WINDOWS\system32\svchost.exe[516] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D9000A
.text C:\WINDOWS\system32\svchost.exe[516] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D9005B
.text C:\WINDOWS\system32\svchost.exe[516] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[516] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D90036
.text C:\WINDOWS\system32\svchost.exe[516] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D90FB9
.text C:\WINDOWS\system32\svchost.exe[516] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D80FC8
.text C:\WINDOWS\system32\svchost.exe[516] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D80049
.text C:\WINDOWS\system32\svchost.exe[516] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D80027
.text C:\WINDOWS\system32\svchost.exe[516] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\svchost.exe[516] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D80038
.text C:\WINDOWS\system32\svchost.exe[516] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D8000C
.text C:\WINDOWS\system32\svchost.exe[516] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\svchost.exe[516] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006E0011
.text C:\WINDOWS\system32\svchost.exe[516] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006E0022
.text C:\WINDOWS\system32\svchost.exe[516] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 006E0FC7
.text C:\WINDOWS\system32\svchost.exe[516] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006F0FE5
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[628] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[628] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1356] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00970FEF
.text C:\WINDOWS\system32\services.exe[1356] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0097000A
.text C:\WINDOWS\system32\services.exe[1356] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00970FDE
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F52
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0047
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0F6F
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0F80
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0093
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF0F41
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF00B8
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F1F
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF00D3
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF002C
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0062
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0FAF
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0F30
.text C:\WINDOWS\system32\services.exe[1356] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0FC3
.text C:\WINDOWS\system32\services.exe[1356] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0F61
.text C:\WINDOWS\system32\services.exe[1356] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\services.exe[1356] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\services.exe[1356] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0F7C
.text C:\WINDOWS\system32\services.exe[1356] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\services.exe[1356] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FE0F97
.text C:\WINDOWS\system32\services.exe[1356] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1E, 89]
.text C:\WINDOWS\system32\services.exe[1356] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0FB2
.text C:\WINDOWS\system32\services.exe[1356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0058
.text C:\WINDOWS\system32\services.exe[1356] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0047
.text C:\WINDOWS\system32\services.exe[1356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0022
.text C:\WINDOWS\system32\services.exe[1356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\services.exe[1356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0FD7
.text C:\WINDOWS\system32\services.exe[1356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A0011
.text C:\WINDOWS\system32\services.exe[1356] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00980FEF
.text C:\WINDOWS\system32\services.exe[1356] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\services.exe[1356] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00980FD4
.text C:\WINDOWS\system32\services.exe[1356] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00980FC3
.text C:\WINDOWS\system32\services.exe[1356] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990FE5
.text C:\WINDOWS\system32\lsass.exe[1368] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\lsass.exe[1368] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FE001B
.text C:\WINDOWS\system32\lsass.exe[1368] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01040000
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01040082
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01040F83
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01040067
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01040FA8
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01040040
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01040F41
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01040F5C
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01040F26
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010400BF
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01040F15
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01040FB9
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01040FEF
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01040093
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01040FD4
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0104002F
.text C:\WINDOWS\system32\lsass.exe[1368] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010400A4
.text C:\WINDOWS\system32\lsass.exe[1368] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01030F9E
.text C:\WINDOWS\system32\lsass.exe[1368] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01030025
.text C:\WINDOWS\system32\lsass.exe[1368] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01030FB9
.text C:\WINDOWS\system32\lsass.exe[1368] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01030FD4
.text C:\WINDOWS\system32\lsass.exe[1368] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01030014
.text C:\WINDOWS\system32\lsass.exe[1368] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01030FE5
.text C:\WINDOWS\system32\lsass.exe[1368] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01030F68
.text C:\WINDOWS\system32\lsass.exe[1368] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [23, 89]
.text C:\WINDOWS\system32\lsass.exe[1368] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01030F8D
.text C:\WINDOWS\system32\lsass.exe[1368] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01020049
.text C:\WINDOWS\system32\lsass.exe[1368] msvcrt.dll!system 77C293C7 5 Bytes JMP 01020FBE
.text C:\WINDOWS\system32\lsass.exe[1368] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0102002E
.text C:\WINDOWS\system32\lsass.exe[1368] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0102000C
.text C:\WINDOWS\system32\lsass.exe[1368] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01020FCF
.text C:\WINDOWS\system32\lsass.exe[1368] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0102001D
.text C:\WINDOWS\system32\lsass.exe[1368] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01010FEF
.text C:\WINDOWS\system32\lsass.exe[1368] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[1368] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\lsass.exe[1368] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\lsass.exe[1368] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\svchost.exe[1536] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02510FE5
.text C:\WINDOWS\system32\svchost.exe[1536] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02510011
.text C:\WINDOWS\system32\svchost.exe[1536] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02510000
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02560000
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0256005E
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02560F5F
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02560F70
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02560F8D
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0256002F
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02560083
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02560F31
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025600A8
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02560F0F
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025600B9
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02560FA8
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02560FEF
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02560F4E
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02560FC3
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02560FD4
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02560F20
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02550FAF
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02550051
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02550FCA
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02550FE5
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02550F94
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02550000
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02550036
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02550025
.text C:\WINDOWS\system32\svchost.exe[1536] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02540070
.text C:\WINDOWS\system32\svchost.exe[1536] msvcrt.dll!system 77C293C7 5 Bytes JMP 02540055
.text C:\WINDOWS\system32\svchost.exe[1536] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02540FE5
.text C:\WINDOWS\system32\svchost.exe[1536] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02540000
.text C:\WINDOWS\system32\svchost.exe[1536] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0254003A
.text C:\WINDOWS\system32\svchost.exe[1536] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0254001D
.text C:\WINDOWS\system32\svchost.exe[1536] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0252000A
.text C:\WINDOWS\system32\svchost.exe[1536] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0252001B
.text C:\WINDOWS\system32\svchost.exe[1536] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02520FE5
.text C:\WINDOWS\system32\svchost.exe[1536] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 02520036
.text C:\WINDOWS\system32\svchost.exe[1536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0253000A
.text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006F0FC3
.text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006F0FD4
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EA0F77
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EA0F92
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EA0FAF
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EA0FC0
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EA0047
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EA0F4B
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EA0F5C
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EA00D0
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EA00B5
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EA0F1C
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EA0058
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EA0025
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EA007D
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EA0036
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EA0FE5
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EA00A4
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D10FB9
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D10051
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D1000A
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D10F9E
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D10FE5
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D10040
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D1002F
.text C:\WINDOWS\system32\svchost.exe[1668] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D00FAD
.text C:\WINDOWS\system32\svchost.exe[1668] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D00FC8
.text C:\WINDOWS\system32\svchost.exe[1668] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D00038
.text C:\WINDOWS\system32\svchost.exe[1668] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[1668] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D00FD9
.text C:\WINDOWS\system32\svchost.exe[1668] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D0001D
.text C:\WINDOWS\system32\svchost.exe[1668] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1668] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CE000A
.text C:\WINDOWS\system32\svchost.exe[1668] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CE001B
.text C:\WINDOWS\system32\svchost.exe[1668] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00CE002C
.text C:\WINDOWS\system32\svchost.exe[1668] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CF0FE5
.text C:\WINDOWS\system32\svchost.exe[1968] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006D0000
.text C:\WINDOWS\system32\svchost.exe[1968] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006D002C
.text C:\WINDOWS\system32\svchost.exe[1968] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D001B
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A3008E
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A3007D
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A30FA3
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A3006C
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A30040
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A30F68
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A300B0
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A30F39
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A300D2
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A30F1E
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A3005B
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A3009F
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A30025
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A30FD4
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A300C1
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A20FCD
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A20F9E
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A20FDE
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A20014
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A20065
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A2004A
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A2002F
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A10FA6
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A10027
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A10FD2
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A10FB7
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A10FE3
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006E0FE5
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006E0FD4
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006E0FC3
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 006E0FB2
.text C:\WINDOWS\system32\svchost.exe[1968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006F0000
.text C:\WINDOWS\system32\svchost.exe[2044] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\system32\svchost.exe[2044] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\system32\svchost.exe[2044] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D000A
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E8007B
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E80060
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E80F86
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E80F97
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E80FB9
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E80F4E
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E80F6B
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E800E7
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E800CC
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E80F29
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E80FA8
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E8001B
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E8008C
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E80FCA
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E80FDB
.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E800B1
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E70FAF
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E70F4A
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E70FD4
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E70011
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E70F6F
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [07, 89]
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E70F94
.text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E6003F
.text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E6002E
.text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E6001D
.text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E60FC8
.text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[2044] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\svchost.exe[2044] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006E0FDB
.text C:\WINDOWS\system32\svchost.exe[2044] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006E0FCA
.text C:\WINDOWS\system32\svchost.exe[2044] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 006E001B
.text C:\WINDOWS\system32\svchost.exe[2044] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006F000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2228] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 013A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2228] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2228] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0139000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2228] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\Explorer.EXE[2384] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E2000A
.text C:\WINDOWS\Explorer.EXE[2384] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E20FCA
.text C:\WINDOWS\Explorer.EXE[2384] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E20FE5
.text C:\WINDOWS\Explorer.EXE[2384] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
.text C:\WINDOWS\Explorer.EXE[2384] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011D000A
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011D0FA3
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011D0FBE
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011D0FDB
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011D0098
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011D0062
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011D0F6B
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011D00B3
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011D00CE
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011D0F3F
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011D00F3
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 011D007D
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 011D001B
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 011D0F88
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 011D0051
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 011D0036
.text C:\WINDOWS\Explorer.EXE[2384] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011D0F50
.text C:\WINDOWS\Explorer.EXE[2384] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 011C0FC3
.text C:\WINDOWS\Explorer.EXE[2384] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 011C0F72
.text C:\WINDOWS\Explorer.EXE[2384] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 011C000A
.text C:\WINDOWS\Explorer.EXE[2384] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 011C0FD4
.text C:\WINDOWS\Explorer.EXE[2384] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 011C002F
.text C:\WINDOWS\Explorer.EXE[2384] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 011C0FE5
.text C:\WINDOWS\Explorer.EXE[2384] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 011C0F8D
.text C:\WINDOWS\Explorer.EXE[2384] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [3C, 89] {CMP AL, 0x89}
.text C:\WINDOWS\Explorer.EXE[2384] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 011C0FA8
.text C:\WINDOWS\Explorer.EXE[2384] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E30FB0
.text C:\WINDOWS\Explorer.EXE[2384] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E30FC1
.text C:\WINDOWS\Explorer.EXE[2384] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E30FD2
.text C:\WINDOWS\Explorer.EXE[2384] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\Explorer.EXE[2384] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E30031
.text C:\WINDOWS\Explorer.EXE[2384] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E3000C
.text C:\WINDOWS\Explorer.EXE[2384] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\Explorer.EXE[2384] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E00FDE
.text C:\WINDOWS\Explorer.EXE[2384] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E00FB9
.text C:\WINDOWS\Explorer.EXE[2384] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00E00F9E
.text C:\WINDOWS\Explorer.EXE[2384] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E1000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3092] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402024 C:\Program Files\Mozilla Firefox\xul.dll

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\55EEFB3E2E930EB49B6698EF8583221C\Features@CORE_APPLICATION_FILES ????????2.0.07282???????????????????? ?????????????????????g??"????????? ???????????????????? ???????q????????????????????"???TK??????????j???????????f??????????y??? ?????????????????????g??????&?j?????????????s?????C:\WINDOWS\Installer\18597.msi???????????????????????????????????t??20080114????????????????????????????????????????????????????????? ??????????????e??????????????????e?????????????????????????????????????????n??? j?????????????????MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}?????? ??????????????????????????????????????????????n??Dell????????????????????????????????????????20080114??????j??????????????g??MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}????????????????????????????????????????? ??????????????o??????????????????????????????????????????????????????????????????????????????????x?????????????????t????(????????????e????Dell Support Center?????Main????? ???????}?????????????i??????&?j???&???????????????????????????????????????????2.0.07282???Dell????????????????????????? ?????
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\55EEFB3E2E930EB49B6698EF8583221C\Features@EN_CONTENT_FILES CfQhnSgMm=O`CtVVLTvEij,ATQ,(R?C?vsAJlB@-I~{buSwjE@XK@.KxYh=02C$b$Y5L9=.h)aWO)$'8lpo4?!CAi@PVBeVYE$jGVvA`.o+*d@Nb?W-g$9]f==uoh-&)TAyL7vS5u+Lc,LO`iov){?W(b@g.%.dNgG51y$*e3A.N!qD1z.hKrU_Fpi,{(=R3v.U*aiGZdVLSX4um`89S@^SH`h'V$6n,Eg}%l?],28-gDJ=K1m'mJ}l{2@CaxU5-FdgrV6]zWV`!{=['6EN*DKU`3o3Mh9fKc@ut3{vzpbmPQ4JAeVK6C??@N~Qnh$8dR{Z-dWR9n9~bmLmm9CoN-?=7(jtds8_H+Gll(HJBVuelZEH*`=5v0[XTC)h,`cE5fL_49A[-_GlqDE'X{jJ.M-pY@Amap')PHR@FKZ5_pU*3u=WY0jb7q,UCXKt}YD9+{@U)n5TsTS{Q3qR2?&3n{94Oh0(%Hje[f^c1kh?Kb=J!~IUug]J1%]^~HPdfM?H.Vs15l)L$5nv4^Te5Z9,q6JKsR'`Rd&NV=i*Nc=3ME1VE.'^W)zKV_?SX+9qF9^ZhrCHy78@BH,,'i8-jL)+!Sv2P16Ks987`i?ftLIgo8A{W6fR?NGfC$=a._M6%xxD63)+x5K40y976]nv!bYEtY}Q]dQ]=p?cuqwIET2=`PR&Sf=SRcA+y4V8ONV{PJ*MuDRblc9Id-C'lII&o,0i@4~?Wb=(VakPOkmy,-Y%Vj&EWH=pa~Y.KzQNa^hN2,q{o==3r.rAuO!a&]KR'iP+n+?hhT6`Nzxh-+6C,wqV-?A.e{}J+'nL4QTbLc+IgS?F+}cZ$^^9DU!pRnEYk}@r,Pi[xHKzX'nuc92aZ!9O(*3l9q%j)Nrzs1&$HO@nk7KqF&{Fu[K_DMwxYD@r0y_uVHNJDB)zDx=G,F=nQx.`&O@q-tM&`s^%}Y9z8`!(16v+Sr^QL8b0K4=+JW[9V=]5Y2'555%VyR=`EJ}b6Q47e&+&._2)X$9pZ30Asd9YTu(J
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\55EEFB3E2E930EB49B6698EF8583221C\Features@Main
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\55EEFB3E2E930EB49B6698EF8583221C\Features@COMMON_CONTENT_FILES ?????????????????????????????<??????????????????????????????????????????? ?????????????????????g?????????????????s??? ??????????????????????? ???????????????? ????w?????? ????? ?????????????????????B????????????e????????????????????????????????????????????????2*?PQps*k?4L4G,mH5._io[o2^op`8}LC?OqV`v$9J@Y)VoXa=tKPG4}@UUM~H3bdQu=T@&=UPvRe)=wu3!6y647e8'CIRGe`3WiFb%nA{fJa?oD2LkNmy@'y})ym(??K9vp{S$zQq[G$AuL??cqL9SZ5.wMB-h!^*1G*+aKf=lwLwQt??aqxB-faLxi4?q&{N*,s98^)C@DqF(KH=&?6@S]]&W1uE6@(7kL3=at-$_L=nl9rls.)@ykP@n_Kd4L)kOvRb_ar%t2x9RhoEpmvy6KKTs8Qoo-D?'1`%71}+4{furxg~c?'@a}h~myk$!'B^D-hmtJI=Boftvp9-iZzomXk-f4q?tD=07'RtOmc=KD$T=PK?,hzQh@Wi{b`rBaKr'(.9QzU&$UOX9.Kja]Q__fX81070)DlUa`.Suf-dZ-MAZZq~j5_VY]l0No9nVV1=-h^',kamiU?)uN,D*5j@GOJncnW}P7NB!g`1L`8=_e2ks0?4j.RrBau@&G`@.T&]pv5{dS*f7R`HVff8Wd{iNh'bGZSyzWpvIsG=%K}q]Y9~`_79D~`okmg8F9%uPR'slU{tiyZk=C^@'!hDq5'4VyFOL8goF.Z=!V$bbot'X%?hbTMd@2U?&=GU2Kt$'&UIIGg3Xn$@bEkZS&65(&HCFxAD9&O?VR3O]@y0jQQuKX)]s..9hh((aVpNEzh?iy)j_+d8,`Y,1=4S?{C`VjeWUv2=gJOWgGt4A5Il.~BWwa[=,Vkw_.Y)s724-

---- EOF - GMER 1.0.15 ----
b2thej1
Regular Member
 
Posts: 71
Joined: March 8th, 2009, 11:19 pm

Re: google redirect/xp security virus/browser hijack

Unread postby Cypher » April 28th, 2011, 5:26 am

Hi b2thej1.

Please download aswMBR and save it to your Desktop.

  • Double click aswMBR.exe to run it.
  • Click the Scan button.
  • After a short while when the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
  • Click OK > Exit.
  • Note: Do not attempt to fix anything at this stage!
  • Two files will be created, aswMBR.txt & a file named MBR.dat.
  • MBR.dat is a backup of the MBR (master boot record); do not delete it.
  • I strongly suggest you keep a copy of this backup stored on an external device.
  • Copy & Paste the contents of aswMBR.txt into your next reply.

Next.

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind 
    Volsnap*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Logs/Information to Post in your Next Reply

  • aswMBR.txt.
  • SystemLook.txt
Cypher
Admin/Teacher
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: google redirect/xp security virus/browser hijack

Unread postby b2thej1 » April 28th, 2011, 8:02 pm

Hi Cypher:
My searches seem to be a whole lot better... I only did a few, but I didn't see any redirects... Here are the logs...


aswMBR version 0.9.5 Copyright(c) 2011 AVAST Software
Run date: 2011-04-28 18:35:15
-----------------------------
18:35:15.375 OS Version: Windows 5.1.2600 Service Pack 3
18:35:15.375 Number of processors: 1 586 0x7C02
18:35:15.375 ComputerName: DFC6ZGF1 UserName:
18:35:17.281 Initialize success
18:37:00.640 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
18:37:00.656 Disk 0 Vendor: Hitachi_HTS541660J9SA00 SBBOC7KP Size: 57231MB BusType: 3
18:37:00.656 Device \Driver\atapi -> DriverStartIo 8a5ef33b
18:37:02.687 Disk 0 MBR read successfully
18:37:02.687 Disk 0 MBR scan
18:37:02.687 Disk 0 TDL4@MBR code has been found
18:37:02.703 Disk 0 MBR hidden
18:37:02.703 Disk 0 MBR [TDL4] **ROOTKIT**
18:37:02.718 Disk 0 trace - called modules:
18:37:02.718 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a5ef4f0]<<
18:37:02.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a63cab8]
18:37:02.734 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a6607f8]
18:37:02.750 \Driver\atapi[0x8a664e40] -> IRP_MJ_CREATE -> 0x8a5ef4f0
18:37:02.765 Scan finished successfully
18:38:04.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\ABC STUDENT\Desktop\MBR.dat"
18:38:04.328 The log file has been saved successfully to "C:\Documents and Settings\ABC STUDENT\Desktop\aswMBR.txt"


SystemLook 04.09.10 by jpshortstuff
Log created at 18:43 on 28/04/2011 by ABC STUDENT
Administrator - Elevation successful

========== filefind ==========

Searching for "Volsnap*"
C:\i386\volsnap.inf --a--c- 1095 bytes [16:12 09/10/2008] [11:00 04/08/2004] 1C43F4D998567C9D2463E18669F33A3C
C:\i386\volsnap.sys --a--c- 52352 bytes [16:16 09/10/2008] [11:00 04/08/2004] EE4660083DEBA849FF6C485D944B379B
C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys -----c- 52352 bytes [02:02 31/03/2009] [11:00 04/08/2004] EE4660083DEBA849FF6C485D944B379B
C:\WINDOWS\inf\volsnap.inf --a--c- 1095 bytes [18:51 10/08/2004] [11:00 04/08/2004] 1C43F4D998567C9D2463E18669F33A3C
C:\WINDOWS\inf\volsnap.PNF --a--c- 4964 bytes [21:02 14/01/2008] [21:02 14/01/2008] 34AF55131CDF07303C3275CD493442FF
C:\WINDOWS\ServicePackFiles\i386\volsnap.sys -----c- 52352 bytes [18:41 13/04/2008] [18:41 13/04/2008] 4C8FCB5CC53AAB716D810740FE59D025
C:\WINDOWS\system32\dllcache\volsnap.sys --a---- 52352 bytes [18:51 10/08/2004] [18:41 13/04/2008] 4C8FCB5CC53AAB716D810740FE59D025
C:\WINDOWS\system32\drivers\volsnap.sys --a---- 52352 bytes [18:51 10/08/2004] [18:41 13/04/2008] 4C8FCB5CC53AAB716D810740FE59D025

-= EOF =-

thanks, b2thej1

PS. I saved the backup on a flash drive as you suggested.
b2thej1
Regular Member
 
Posts: 71
Joined: March 8th, 2009, 11:19 pm
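The SystemLook output above lists every copy of volsnap.sys on the disk together with its MD5, which is what lets a helper check whether the driver actually loaded from system32\drivers still matches the clean copies Windows keeps for repair. The script below is an added example, not part of this thread and not SystemLook's own code: it parses the ":filefind" lines exactly as posted, then compares the active driver's hash against the dllcache and ServicePackFiles copies. Which directories count as "active" and as "reference" is an assumption of the example; the older i386 and $NtServicePackUninstall$ copies are pre-service-pack versions and legitimately carry a different hash, so they are reported but not used as the reference.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Lines copied verbatim from the SystemLook ":filefind Volsnap*" log posted above.
SYSTEMLOOK_LOG = r"""
Searching for "Volsnap*"
C:\i386\volsnap.inf --a--c- 1095 bytes [16:12 09/10/2008] [11:00 04/08/2004] 1C43F4D998567C9D2463E18669F33A3C
C:\i386\volsnap.sys --a--c- 52352 bytes [16:16 09/10/2008] [11:00 04/08/2004] EE4660083DEBA849FF6C485D944B379B
C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys -----c- 52352 bytes [02:02 31/03/2009] [11:00 04/08/2004] EE4660083DEBA849FF6C485D944B379B
C:\WINDOWS\inf\volsnap.inf --a--c- 1095 bytes [18:51 10/08/2004] [11:00 04/08/2004] 1C43F4D998567C9D2463E18669F33A3C
C:\WINDOWS\inf\volsnap.PNF --a--c- 4964 bytes [21:02 14/01/2008] [21:02 14/01/2008] 34AF55131CDF07303C3275CD493442FF
C:\WINDOWS\ServicePackFiles\i386\volsnap.sys -----c- 52352 bytes [18:41 13/04/2008] [18:41 13/04/2008] 4C8FCB5CC53AAB716D810740FE59D025
C:\WINDOWS\system32\dllcache\volsnap.sys --a---- 52352 bytes [18:51 10/08/2004] [18:41 13/04/2008] 4C8FCB5CC53AAB716D810740FE59D025
C:\WINDOWS\system32\drivers\volsnap.sys --a---- 52352 bytes [18:51 10/08/2004] [18:41 13/04/2008] 4C8FCB5CC53AAB716D810740FE59D025
"""

# One SystemLook filefind entry: path, 7-char attribute field, size, two timestamps, MD5.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Assumed layout (example's choice): the driver Windows actually loads lives in
# system32\drivers; dllcache and ServicePackFiles hold the current-SP repair copies.
ACTIVE_DIR = r"c:\windows\system32\drivers"
REFERENCE_DIRS = (r"c:\windows\system32\dllcache", r"c:\windows\servicepackfiles\i386")


def parse_filefind(text: str) -> List[Dict[str, object]]:
    """Parse SystemLook filefind output; header and blank lines are skipped."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry: Dict[str, object] = m.groupdict()
        entry["size"] = int(m.group("size"))
        entry["md5"] = m.group("md5").upper()
        entries.append(entry)
    return entries


def _dir(entry: Dict[str, object]) -> str:
    return ntpath.dirname(str(entry["path"])).lower()


def _base(entry: Dict[str, object]) -> str:
    return ntpath.basename(str(entry["path"])).lower()


def check_driver(entries: List[Dict[str, object]], name: str = "volsnap.sys") -> Dict[str, object]:
    """Compare the active copy of one driver against the repair copies by MD5."""
    copies = [e for e in entries if _base(e) == name.lower()]
    active: Optional[Dict[str, object]] = next((e for e in copies if _dir(e) == ACTIVE_DIR), None)
    refs = [e for e in copies if _dir(e) in REFERENCE_DIRS]

    if active is None:
        verdict = "active-copy-missing"      # nothing loaded from the expected path
    elif not refs:
        verdict = "no-reference-copy"        # cannot judge without a known-good copy
    elif all(r["md5"] == active["md5"] for r in refs):
        verdict = "consistent"               # loaded driver matches the repair copies
    else:
        verdict = "mismatch"                 # loaded driver differs: investigate

    return {
        "name": name,
        "active_md5": active["md5"] if active else None,
        "reference_md5s": {_dir(r): r["md5"] for r in refs},
        # Every distinct hash seen, including older pre-SP copies, for the analyst's eye.
        "all_md5s": sorted({str(e["md5"]) for e in copies}),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(check_driver(parse_filefind(SYSTEMLOOK_LOG)))
```

On the log as posted the verdict is "consistent": the loaded volsnap.sys carries the same MD5 as the dllcache and ServicePackFiles copies, while the two 2004-dated copies show the older hash. A "mismatch" verdict is the condition that would justify replacing the driver from a repair copy; the script only reports, it changes nothing on disk.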

Re: google redirect/xp security virus/browser hijack

Unread postby Cypher » April 29th, 2011, 5:16 am

Hi b2thej1.
Your log indicates that your computer has an infected MBR (Master Boot Record).
Please do the following, then give me another update on how your computer is performing.

Re-run aswMBR

  • Double click aswMBR.exe to run it.
  • Click the Scan button.
  • After a short while the scan will report "Scan finished successfully"
  • You should see the Fix MBR button become active.
  • Click to fix the infection & wait till the scanner reports "Infection fixed successfully"
  • Click Save log & save the log to your desktop
  • Click Exit then Reboot your computer.
  • After reboot, copy & paste the contents of aswMBR.txt into your next reply.
Cypher
Admin/Teacher
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: google redirect/xp security virus/browser hijack

Unread postby b2thej1 » April 30th, 2011, 12:11 am

Hi Cypher:
The searches are definitely redirecting really badly today; also the XP security virus thing is trying to rear its ugly head
again... Here's the log you wanted...

aswMBR version 0.9.5 Copyright(c) 2011 AVAST Software
Run date: 2011-04-29 20:08:32
-----------------------------
20:08:32.343 OS Version: Windows 5.1.2600 Service Pack 3
20:08:32.343 Number of processors: 1 586 0x7C02
20:08:32.343 ComputerName: DFC6ZGF1 UserName:
20:08:42.171 Initialize success
20:09:40.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
20:09:40.734 Disk 0 Vendor: Hitachi_HTS541660J9SA00 SBBOC7KP Size: 57231MB BusType: 3
20:09:40.750 Device \Driver\atapi -> DriverStartIo 8a5ee33b
20:09:42.750 Disk 0 MBR read successfully
20:09:42.765 Disk 0 MBR scan
20:09:42.765 Disk 0 TDL4@MBR code has been found
20:09:42.781 Disk 0 MBR hidden
20:09:42.781 Disk 0 MBR [TDL4] **ROOTKIT**
20:09:42.796 Disk 0 trace - called modules:
20:09:42.796 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a5ee4f0]<<
20:09:42.812 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a661ab8]
20:09:42.828 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a665348]
20:09:42.843 \Driver\atapi[0x8a63ee40] -> IRP_MJ_CREATE -> 0x8a5ee4f0
20:09:42.859 Scan finished successfully
20:09:46.750 Disk 0 fixing MBR
20:09:56.765 Disk 0 MBR restored successfully
20:09:56.781 Infection fixed successfully - please reboot ASAP
20:10:13.718 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\ABC STUDENT\Desktop\MBR.dat"
20:10:13.750 The log file has been saved successfully to "C:\Documents and Settings\ABC STUDENT\Desktop\aswMBR2.txt"
b2thej1
Regular Member
 
Posts: 71
Joined: March 8th, 2009, 11:19 pm

Re: google redirect/xp security virus/browser hijack

Unread postby Cypher » April 30th, 2011, 5:51 am

Hi b2thej1.
ComboFix 11-04-26.02 - ABC STUDENT 04/26/2011 18:30:45.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1318 [GMT -5:00]
Running from: c:\documents and settings\ABC STUDENT\My Documents\Downloads\ComboFix.exe

First, please delete the copy of ComboFix.exe in your Downloads folder; I need you to download a fresh copy, but this time save it to your Desktop.
Once you have deleted the old copy, download the fresh copy from Here.
Now please disable any antivirus or firewall you have active, then run ComboFix again and post the resulting log in your next reply.
Cypher
Admin/Teacher
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: google redirect/xp security virus/browser hijack

Unread postby b2thej1 » April 30th, 2011, 1:24 pm

Hi Cypher:
I downloaded the new ComboFix; here's the new log.

ComboFix 11-04-29.04 - ABC STUDENT 04/30/2011 11:53:59.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1372 [GMT -5:00]
Running from: c:\documents and settings\ABC STUDENT\My Documents\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\ABC STUDENT\Local Settings\Application Data\nnq.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-30 )))))))))))))))))))))))))))))))
.
.
2011-04-30 01:21 . 2011-04-30 01:21 -------- d-----w- c:\windows\system32\LogFiles
2011-04-29 15:51 . 2011-04-29 15:51 76800 --sha-r- c:\windows\system32\dmdskres2.dll
2011-04-26 23:51 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-26 07:13 . 2011-04-26 07:13 -------- dc----w- c:\program files\QuickTime
2011-04-25 22:29 . 2011-04-25 22:30 13160 ----a-w- c:\windows\system32\Upgrd.exe
2011-04-25 02:51 . 2011-04-25 02:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-04-23 19:03 . 2011-04-23 19:03 -------- d-sh--w- c:\documents and settings\ABC STUDENT\IECompatCache
2011-04-23 05:48 . 2010-10-14 03:28 24376 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
2011-04-23 05:48 . 2010-10-14 03:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-23 05:48 . 2010-10-14 03:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-23 05:48 . 2010-10-14 03:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-23 05:48 . 2010-10-14 03:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-23 05:48 . 2010-10-14 03:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-23 05:48 . 2010-10-14 03:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-23 05:48 . 2010-10-14 03:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-23 05:48 . 2010-10-14 03:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-23 05:48 . 2011-04-23 05:49 -------- d-----w- c:\program files\Common Files\Mcafee
2011-04-23 05:47 . 2011-04-30 00:59 -------- dc----w- c:\program files\McAfee
2011-04-23 00:15 . 2010-10-14 03:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-23 00:15 . 2011-04-24 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-04-20 23:50 . 2011-04-20 23:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-20 23:40 . 2011-04-25 22:48 0 -c--a-w- c:\windows\Fpemita.bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-30 16:33 . 2008-10-08 15:40 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-04-30 16:33 . 2008-01-30 21:07 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-04-25 22:29 . 2006-03-01 21:37 58288 ------w- c:\windows\system32\rpcnet.exe
2011-04-25 22:11 . 2008-10-08 15:41 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-03-07 05:33 . 2004-08-10 19:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-10 18:51 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 18:51 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-10 18:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-10 18:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-10 18:51 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-10 18:51 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 18:51 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-15 22:10 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 20:33 . 2010-03-17 20:54 34816 ----a-w- c:\windows\system32\identprv.dll
2011-02-15 12:56 . 2004-08-10 18:50 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2004-08-10 19:01 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53 . 2004-08-10 18:51 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-10 18:51 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-10 18:51 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 18:51 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2004-08-10 19:01 2067456 ----a-w- c:\windows\system32\mstscax.dll
2009-03-27 21:46 . 2009-03-27 21:55 2869536 -c--a-w- c:\program files\spywareblastersetup41.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\opera\program\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\opera\program\plugins\ssldivx.dll
2010-10-14 03:28 . 2011-04-23 05:48 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-26_23.41.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-30 16:33 . 2011-04-30 16:33 16384 c:\windows\Temp\Perflib_Perfdata_274.dat
- 2009-03-08 02:46 . 2009-12-03 22:14 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2009-03-08 02:46 . 2010-12-20 23:09 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2008-01-30 20:28 . 2011-04-30 05:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-30 20:28 . 2011-04-26 04:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-30 20:28 . 2011-04-26 04:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-30 20:28 . 2011-04-30 05:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-04-27 00:49 . 2011-04-30 05:41 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2011-04-26 04:45 . 2011-04-26 04:49 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-24 303104]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\ABC STUDENT\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-14 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rpcnet]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
.
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [1/14/2008 3:53 PM 3456]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/23/2011 12:48 AM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2011 12:48 AM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2011 12:48 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2011 12:48 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [4/23/2011 12:48 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/22/2011 7:15 PM 141792]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [9/3/2009 3:44 PM 444224]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/23/2011 12:48 AM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/23/2011 12:48 AM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/23/2011 12:48 AM 88544]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/23/2011 12:48 AM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/23/2011 12:48 AM 84264]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [11/12/2009 9:11 PM 14424]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
itlsvc REG_MULTI_SZ itlperf
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.jzip.com
FF - ProfilePath - c:\documents and settings\ABC STUDENT\Application Data\Mozilla\Firefox\Profiles\uq02s0i7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\ABC STUDENT\Application Data\Move Networks
FF - user.js: yahoo.homepage.dontask - true
.
.
------- File Associations -------
.
exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\sqd.exe" -a "%1" %*
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-30 12:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS541660J9SA00 rev.SBBOC7KP -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5EE33B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1308)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(1368)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(676)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-04-30 12:08:25
ComboFix-quarantined-files.txt 2011-04-30 17:08
ComboFix2.txt 2011-04-26 23:45
ComboFix3.txt 2011-04-26 01:34
.
Pre-Run: 25,357,971,456 bytes free
Post-Run: 25,978,806,272 bytes free
.
- - End Of File - - 9024C9498A4080F751E4D9A19B67DF45
b2thej1
Regular Member
 
Posts: 71
Joined: March 8th, 2009, 11:19 pm