virus causing browser tabs to pop-up and links to redirect

Post by ops1 » November 28th, 2009, 10:25 pm

Hi, both my IE and Firefox are acting up, redirecting links from searches. My McAfee VirusScan found 2 viruses (Exploit trojan), but the trouble has not ended. Your help would be greatly appreciated. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:26 PM, on 11/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nytimes.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo RX580 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE /FU "C:\WINDOWS\TEMP\E_S40A.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [hahujalaji] Rundll32.exe "C:\WINDOWS\system32\firovopa.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [hahujalaji] Rundll32.exe "C:\WINDOWS\system32\firovopa.dll",s (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6053645890
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68794E56-C3BE-41B2-AEC7-F1472071E598}: Domain = mit.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: ,
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\EARLOS~1\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 13693 bytes
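The log above is in the HijackThis format: one line per registry autorun (O4), browser hook (O2/O3/O8/O9), AppInit_DLLs value (O20) or service (O23). Helpers on sites like this one read such logs by eye; the following Python is an added example, not part of the thread and not HijackThis code, that applies a few of the usual triage heuristics to lines copied from the log (a subset of it): per-user Run values under the built-in service-account hives, rundll32 loading a system32 DLL that is not on a baseline list, a non-empty AppInit_DLLs value, services whose binary is missing, and paths under a Temp directory. The baseline list of DLLs is an illustrative assumption, and a hit means "look at this", not "this is malware".

```python
"""Triage heuristics for HijackThis log lines (added example, not forum or HJT code)."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Lines copied from the log posted above (a subset of the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKUS\S-1-5-19\..\Run: [hahujalaji] Rundll32.exe "C:\WINDOWS\system32\firovopa.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [hahujalaji] Rundll32.exe "C:\WINDOWS\system32\firovopa.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: ,
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\EARLOS~1\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""


@dataclass
class Finding:
    line: str
    rule: str
    detail: str


# SIDs of the built-in service accounts; per-user Run values for them are rarely legitimate.
SERVICE_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")

# Illustrative baseline of system32 DLLs that vendors do start via rundll32 from a Run key.
# This set is an assumption for the example; real triage uses a maintained allowlist.
BASELINE_RUNDLL_DLLS = {"nvcpl.dll", "nvmctray.dll", "bthprops.cpl"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"


def triage(log_text: str) -> list[Finding]:
    """Run the heuristics over every line; one Finding per rule that fires."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := O4_RE.match(line)):
            hive, cmd = m["hive"], m["cmd"]
            if any(sid in hive for sid in SERVICE_SIDS):
                findings.append(Finding(line, "run-key-in-service-hive",
                    f"Run value under {hive}; the service accounts have no interactive session that needs one"))
            if (r := RUNDLL_RE.match(cmd)):
                dll = r["dll"].strip()
                # ntpath splits on backslashes regardless of the host OS.
                if dll.lower().startswith(SYSTEM32) and ntpath.basename(dll).lower() not in BASELINE_RUNDLL_DLLS:
                    findings.append(Finding(line, "rundll32-unlisted-system32-dll",
                        f"rundll32 loads {dll}, which is not on the baseline list"))
            if "\\temp\\" in cmd.lower():
                findings.append(Finding(line, "path-in-temp", "autorun points into a Temp directory"))
        elif line.startswith("O20 - AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(Finding(line, "appinit-dlls-set",
                    f"AppInit_DLLs is {value!r}; anything listed here is loaded into every process that maps user32.dll"))
        elif (m := O23_RE.match(line)):
            path = m["path"]
            if path.endswith("(file missing)"):
                findings.append(Finding(line, "service-file-missing",
                    "service is registered but its binary is absent: a leftover install or an incomplete clean-up; confirm before removing"))
            if "\\temp\\" in path.lower():
                findings.append(Finding(line, "path-in-temp", "service binary lives under a Temp directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}\n    {f.detail}")
```

Run against the sample, the two Rundll32 entries under HKUS\S-1-5-19 and HKUS\S-1-5-20 trip two rules each, the Cisco installer service trips two (missing file, Temp path), the AppInit_DLLs line trips one, and the Synaptics, ThinkPad and McAfee lines trip none.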

Re: virus causing browser tabs to pop-up and links to redirect

Post by Shaba » December 1st, 2009, 12:13 pm

Hi ops1

Download gmer.zip and save to your desktop.
alternate download site
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.
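The scan requested above reports every function whose first bytes differ from the clean on-disk copy as "<symbol> <address> <n> Bytes JMP <target> <owning module>" (see the "Kernel code sections" and "User code sections" in the output ops1 posts below). As an added example, not from the thread and not GMER's own code, the following Python shows how such a line is derived from the raw bytes: the E9 rel32 near jump is decoded to its absolute target, the target is matched against a module map to name the owner, and the byte count is taken as the length of the region that differs from the clean copy (the reading of GMER's "N Bytes" field assumed here). The addresses and targets are those printed in the log below; the module base addresses and the clean prologue bytes are constructed for the example, since the log does not contain them.

```python
"""Decode patched function prologues into hook-scanner style lines (added example)."""
import struct

# Hypothetical module map: name -> (base, size). The log names these modules but
# not their load addresses, so the ranges are constructed for this example.
KERNEL_MODULES = {
    "ntkrnlpa.exe": (0x804D7000, 0x001F8000),
    "\\SystemRoot\\system32\\drivers\\mfehidk.sys": (0xB2320000, 0x00040000),
}
USER_MODULES = {
    "kernel32.dll": (0x7C800000, 0x000F6000),
    "ADVAPI32.dll": (0x77DD0000, 0x0009B000),
}


def encode_jmp(src, dst):
    """E9 rel32: the 5-byte near jump a hooking engine writes at `src` to reach `dst`."""
    rel = (dst - (src + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)


def decode_hook(address, code):
    """Return (kind, target) if `code` at `address` starts with a redirect, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "JMP", (address + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == 0xEB:                      # jmp rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        return "JMP", (address + 2 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32 ; ret
        return "PUSH/RET", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 6 and code[:2] == b"\xFF\x25":              # jmp [imm32]
        return "JMP [mem]", struct.unpack_from("<I", code, 2)[0]
    return None


def module_for(addr, modules):
    """Name of the module whose range covers `addr`, or None for unattributed memory."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def describe(symbol, address, in_memory, on_disk, modules):
    """Compare the live prologue with the clean copy; None means it is unmodified."""
    diff_len = 0
    for i, (live, clean) in enumerate(zip(in_memory, on_disk)):
        if live != clean:
            diff_len = i + 1            # patched region runs to the last differing byte
    if diff_len == 0:
        return None
    decoded = decode_hook(address, in_memory)
    if decoded is None:                 # modified, but not a recognisable jump: dump the bytes
        shown = ", ".join(f"{b:02X}" for b in in_memory[:diff_len])
        return f"{symbol} {address:08X} {diff_len} Bytes [{shown}]"
    kind, target = decoded
    line = f"{symbol} {address:08X} {diff_len} Bytes {kind} {target:08X}"
    owner = module_for(target, modules)
    return f"{line} {owner}" if owner else line


# Constructed prologues. Clean: mov eax, imm32 / lea edx, [esp+4], the shape of an XP
# syscall stub (the immediate is a placeholder). Hooked: a jump into the filter driver
# followed by two NOPs, which is why the count comes out as 7 rather than 5.
CLEAN_ZWYIELD = bytes.fromhex("B8 3A 01 00 00 8D 54 24 04")
HOOKED_ZWYIELD = encode_jmp(0x8050223C, 0xB232DAFD) + bytes.fromhex("90 90 24 04")

# kernel32!CreateFileA starts with the hot-patch prologue mov edi,edi / push ebp / mov ebp,esp.
CLEAN_CREATEFILEA = bytes.fromhex("8B FF 55 8B EC")
HOOKED_CREATEFILEA = encode_jmp(0x7C801A28, 0x00B00FEF)


if __name__ == "__main__":
    print(describe("ntkrnlpa.exe!ZwYieldExecution", 0x8050223C, HOOKED_ZWYIELD, CLEAN_ZWYIELD, KERNEL_MODULES))
    print(describe("kernel32.dll!CreateFileA", 0x7C801A28, HOOKED_CREATEFILEA, CLEAN_CREATEFILEA, USER_MODULES))
    print(describe("ADVAPI32.dll!RegCreateKeyW + 3", 0x77DFBA58, b"\xCF\x88", b"\x00\x00", USER_MODULES))
```

The kernel case reproduces the log's "ZwYieldExecution 8050223C 7 Bytes JMP B232DAFD" with mfehidk.sys as the owner; the user-mode case yields "CreateFileA 7C801A28 5 Bytes JMP 00B00FEF" with no owner, because 00B00FEF falls in memory no loaded module covers, which is the form every hook in the "User code sections" takes; the third case shows the "[CF, 88]" style used when the modified bytes are not a jump the scanner can decode. The owning module is what lets a reader tie a hook to a known product; a jump into unattributed memory is the kind of entry that needs the process and its loaded modules examined before a verdict.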

Re: virus causing browser tabs to pop-up and links to redirect

Post by ops1 » December 2nd, 2009, 9:50 am

Thanks for responding! Here is the gmer output (part 1):

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-02 05:42:57
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\EARLOS~1\LOCALS~1\Temp\kfpdrfow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB232DABB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB232DA3B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB232DAE5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB232DA4F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB232DA7B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB232DB0F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB232DA27]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB232DACF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB232DA65]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB232DA91]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB232DAA7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB232DB25]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB232DAF9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP B232DAFD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP B232DABF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74FE 7 Bytes JMP B232DB13 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8314 5 Bytes JMP B232DB29 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA96 7 Bytes JMP B232DAD3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AE 5 Bytes JMP B232DAE9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB8 5 Bytes JMP B232DAAB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B8 7 Bytes JMP B232DA95 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D54 7 Bytes JMP B232DA69 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A332 5 Bytes JMP B232DA3F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7C2 7 Bytes JMP B232DA53 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A992 7 Bytes JMP B232DA7F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B704 5 Bytes JMP B232DA2B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B00FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B00093
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B00082
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B00FA8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B00FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B00040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B00F7C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B000C4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B000DF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B00F46
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B000F0
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B00051
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B00000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B00F8D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B00FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B00025
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B00F57
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AF0036
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AF0FA1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AF0025
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AF000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AF0FB2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AF0FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AF0FC3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CF, 88]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AF0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AE0F9C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AE0FB7
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AE001D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AE0FE3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AE0FD2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AE0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007B0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 007C0FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 007C0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 007C0027
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[296] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 007C0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AE0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AE0091
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AE0F92
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AE0076
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AE0065
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AE0FC3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AE00B3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AE0F6B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AE00C4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AE0F2B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AE00E9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AE004A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AE000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AE00A2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AE002F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AE0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AE0F46
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006C0FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006C0091
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006C002C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006C001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006C0076
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006C000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006C0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8C, 88]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006C0051
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006B0075
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] msvcrt.dll!system 77C293C7 5 Bytes JMP 006B0050
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006B002E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006B0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006B003F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006B001D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00690000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 006A0FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 006A0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 006A0FC8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[580] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 006A0FAD
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01AD0FEF
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01AD0F7A
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01AD0F8B
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01AD0FA8
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01AD005B
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01AD004A
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01AD009B
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01AD008A
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01AD00C0
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01AD0F31
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01AD0F0C
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01AD0FC3
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01AD0014
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01AD0F5F
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01AD002F
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01AD0FDE
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01AD0F42
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01AC0036
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01AC0FAC
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01AC0FE5
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01AC001B
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01AC0073
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01AC000A
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01AC0058
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01AC0047
.text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01AB0FA1
.text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!system 77C293C7 5 Bytes JMP 01AB0FBC
.text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01AB0FDE
.text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01AB000C
.text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01AB0FCD
.text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01AB0FEF
.text C:\WINDOWS\system32\services.exe[736] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\services.exe[736] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\services.exe[736] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00FF0027
.text C:\WINDOWS\system32\services.exe[736] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\services.exe[736] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01090000
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01090F86
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01090F97
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01090FA8
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01090FC3
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01090FE5
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01090F55
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0109009D
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01090F29
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01090F44
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010900D3
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01090FD4
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01090025
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0109008C
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01090051
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01090036
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010900C2
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D80FCA
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D80F83
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D8001B
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D80FE5
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D80040
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D80F94
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F8, 88]
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D80FAF
.text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D7004E
.text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D70FC3
.text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D70029
.text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D70FD4
.text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D7000C
.text C:\WINDOWS\system32\lsass.exe[748] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00D60FD4
.text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00D6001B
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02530FEF
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02530F43
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02530F68
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02530F79
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0253002C
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02530F9E
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02530075
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02530064
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025300BF
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0253009A
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02530F0B
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0253001B
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0253000A
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02530053
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02530FAF
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02530FCA
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02530F1C
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02520FE5
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0252008E
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02520036
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02520025
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0252007D
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02520000
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02520062
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02520051
.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0251001B
.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!system 77C293C7 5 Bytes JMP 02510F9A
.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0251000A
.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02510FEF
.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02510FAB
.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02510FC6
.text C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\system32\svchost.exe[1084] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E70F57
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E70F7C
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E70F8D
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E7004A
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E70FA8
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E7008E
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E70071
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E700B0
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E70F17
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E70EFC
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E7002F
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E70FDE
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E70F46
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E70FC3
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E7000A
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E7009F
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DA0040
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DA0FAF
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DA0FE5
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DA001B
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DA0FCA
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DA006C
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DA0051
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D90F86
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D90F97
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D90011
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D90FC6
.text C:\WINDOWS\system32\svchost.exe[1204] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00D80FE5
.text C:\WINDOWS\system32\svchost.exe[1204] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[1204] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00D8001D
.text C:\WINDOWS\system32\svchost.exe[1204] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00D8002E
.text C:\WINDOWS\system32\svchost.exe[1204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02C00FEF
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02C00F83
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02C00082
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02C00FA8
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02C00065
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02C00FC3
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02C00F44
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02C00F61
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02C000B1
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02C00F18
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02C00EFD
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02C0004A
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02C00FDE
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02C00F72
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02C0002F
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02C00014
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02C00F29
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02BF0FD4
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02BF0FA8
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02BF0FE5
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02BF001B
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02BF0FB9
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02BF0000
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02BF005B
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02BF0040
.text C:\WINDOWS\System32\svchost.exe[1244] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02BE0F8B
.text C:\WINDOWS\System32\svchost.exe[1244] msvcrt.dll!system 77C293C7 5 Bytes JMP 02BE0F9C
.text C:\WINDOWS\System32\svchost.exe[1244] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02BE0FD2
.text C:\WINDOWS\System32\svchost.exe[1244] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02BE0000
.text C:\WINDOWS\System32\svchost.exe[1244] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02BE0FB7
.text C:\WINDOWS\System32\svchost.exe[1244] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02BE0FEF
.text C:\WINDOWS\System32\svchost.exe[1244] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 02BD000A
.text C:\WINDOWS\System32\svchost.exe[1244] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 02BD0FEF
.text C:\WINDOWS\System32\svchost.exe[1244] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 02BD0FD2
.text C:\WINDOWS\System32\svchost.exe[1244] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 02BD0025
.text C:\WINDOWS\System32\svchost.exe[1244] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02BC0FEF
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00760000
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0076006E
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00760F79
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00760047
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00760F8A
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0076002C
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007600A4
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00760089
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007600D3
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00760F30
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007600E4
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00760FA5
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00760011
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00760F5E
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00760FCA
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00760FDB
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00760F41
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00750036
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0075008E
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00750025
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00750014
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0075007D
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00750FEF
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00750062
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00750051
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00740045
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!system 77C293C7 5 Bytes JMP 00740FB0
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00740FD2
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00740000
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00740FC1
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00740FE3
.text C:\WINDOWS\System32\svchost.exe[1332] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 0073000A
.text C:\WINDOWS\System32\svchost.exe[1332] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00730FEF
.text C:\WINDOWS\System32\svchost.exe[1332] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 0073001B
.text C:\WINDOWS\System32\svchost.exe[1332] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 0073002C
.text C:\WINDOWS\System32\svchost.exe[1332] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00720FE5
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00960FEF
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00960F6D
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00960F88
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00960F99
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00960062
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00960040
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00960F35
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00960087
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009600B3
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009600A2
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00960F09
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00960051
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0096000A
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00960F5C
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00960FCA
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0096001B
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00960F24
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00950036
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00950091
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00950025
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0095000A
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00950FD4
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00950FEF
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0095006C
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0095005B
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00770FB7
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!system 77C293C7 5 Bytes JMP 00770FD2
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0077001D
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00770042
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00770FE3
.text C:\WINDOWS\system32\svchost.exe[1348] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 0076001B
.text C:\WINDOWS\system32\svchost.exe[1348] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[1348] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00760038
.text C:\WINDOWS\system32\svchost.exe[1348] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00760049
.text C:\WINDOWS\system32\svchost.exe[1348] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00750000
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F6000A
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F60F97
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F60082
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F60FA8
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F60065
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F60043
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F60F6B
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F60F7C
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F60F24
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F60F35
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F600D8
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F60054
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F600A7
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F60FCD
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F60FDE
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F60F50
.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F50025
.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F5007D
ops1
Active Member
Posts: 7
Joined: November 28th, 2009, 10:17 pm

Re: virus causing browser tabs to pop-up and links to redirect

Unread postby ops1 » December 2nd, 2009, 9:54 am

Here is the GMER output (Part 2):

.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F50FCA
.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F50FE5
.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F50062
.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F5000A
.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F50051
.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F50036
.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F40FD4
.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F4005F
.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F4003A
.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F4000C
.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F40FE5
.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F40029
.text C:\WINDOWS\system32\svchost.exe[1428] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\svchost.exe[1428] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\svchost.exe[1428] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00F30FC8
.text C:\WINDOWS\system32\svchost.exe[1428] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00F30FB7
.text C:\WINDOWS\system32\svchost.exe[1428] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F20FE5
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00770FE5
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00770F30
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00770F4B
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00770F5C
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0077001B
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00770F94
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00770F09
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00770051
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00770EEE
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0077007D
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007700A2
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00770F79
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00770036
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00770FAF
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00770FC0
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00770062
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00700036
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00700FA8
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00700FE5
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0070001B
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00700FB9
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0070000A
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00700FD4
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [90, 88]
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0070005B
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006F0053
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!system 77C293C7 5 Bytes JMP 006F002E
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006F0FD9
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006F0000
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006F0FBE
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006F0011
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 006E0011
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 006E002C
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 006E0FD9
.text C:\WINDOWS\system32\svchost.exe[1708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006D0000
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CB0F81
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CB0F92
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB0FB9
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CB0076
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB0040
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CB0093
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CB0F4B
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB0EFA
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CB0F15
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CB00B8
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CB005B
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CB0014
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CB0F5C
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CB0FD4
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CB0025
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CB0F30
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CA0FA5
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CA003D
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CA0FCA
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CA0F80
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CA0FE5
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CA0022
.text C:\WINDOWS\system32\svchost.exe[1896] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CA0011
.text C:\WINDOWS\system32\svchost.exe[1896] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00770047
.text C:\WINDOWS\system32\svchost.exe[1896] msvcrt.dll!system 77C293C7 5 Bytes JMP 0077002C
.text C:\WINDOWS\system32\svchost.exe[1896] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00770FC6
.text C:\WINDOWS\system32\svchost.exe[1896] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1896] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0077001B
.text C:\WINDOWS\system32\svchost.exe[1896] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00770FD7
.text C:\WINDOWS\system32\svchost.exe[1896] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00760011
.text C:\WINDOWS\system32\svchost.exe[1896] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[1896] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00760FDB
.text C:\WINDOWS\system32\svchost.exe[1896] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00760FCA
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 019D0FEF
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 019D0F83
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 019D0F9E
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 019D0076
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 019D005B
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 019D0FB9
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 019D0F61
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 019D00A9
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 019D0F3F
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 019D0F50
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 019D00F3
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 019D004A
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 019D0FDE
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 019D0F72
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 019D0025
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 019D0014
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 019D00C4
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 019C0FD1
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 019C0051
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 019C0022
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 019C0011
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 019C0F94
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 019C0000
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 019C0FA5
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BC, 89]
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 019C0FC0
.text C:\WINDOWS\system32\svchost.exe[1908] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 019B0044
.text C:\WINDOWS\system32\svchost.exe[1908] msvcrt.dll!system 77C293C7 5 Bytes JMP 019B0033
.text C:\WINDOWS\system32\svchost.exe[1908] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 019B0FDE
.text C:\WINDOWS\system32\svchost.exe[1908] msvcrt.dll!_open 77C2F566 5 Bytes JMP 019B0FEF
.text C:\WINDOWS\system32\svchost.exe[1908] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 019B0FC3
.text C:\WINDOWS\system32\svchost.exe[1908] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 019B0018
.text C:\WINDOWS\system32\svchost.exe[1908] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 019A000A
.text C:\WINDOWS\system32\svchost.exe[1908] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 019A0FEF
.text C:\WINDOWS\system32\svchost.exe[1908] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 019A001B
.text C:\WINDOWS\system32\svchost.exe[1908] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 019A0036
.text C:\WINDOWS\system32\svchost.exe[1908] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01990000
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0F61
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0F7C
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0F8D
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0F9E
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0025
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE00A9
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE008C
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE00DF
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE00CE
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE0F21
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0040
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE007B
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0FB9
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE000A
.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE0F50
.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00770FA8
.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0077002C
.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00770FB9
.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00770FD4
.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0077001B
.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00770FEF
.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00770F79
.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [97, 88]
.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0077000A
.text C:\WINDOWS\System32\svchost.exe[1956] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00760038
.text C:\WINDOWS\System32\svchost.exe[1956] msvcrt.dll!system 77C293C7 5 Bytes JMP 00760FB7
.text C:\WINDOWS\System32\svchost.exe[1956] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0076001D
.text C:\WINDOWS\System32\svchost.exe[1956] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00760000
.text C:\WINDOWS\System32\svchost.exe[1956] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00760FC8
.text C:\WINDOWS\System32\svchost.exe[1956] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00760FE3
.text C:\WINDOWS\System32\svchost.exe[1956] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00750FCA
.text C:\WINDOWS\System32\svchost.exe[1956] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00750FEF
.text C:\WINDOWS\System32\svchost.exe[1956] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00750FAD
.text C:\WINDOWS\System32\svchost.exe[1956] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00750F9C
.text C:\WINDOWS\System32\svchost.exe[1956] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001B000A
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00760000
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00760F6F
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00760F8A
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00760058
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00760047
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00760FCA
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00760F1C
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00760F43
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00760090
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0076007F
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00760EDC
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00760FAF
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0076001B
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00760F54
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0076002C
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00760FDB
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00760F01
.text C:\WINDOWS\System32\svchost.exe[2068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0075001B
.text C:\WINDOWS\System32\svchost.exe[2068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00750051
.text C:\WINDOWS\System32\svchost.exe[2068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00750000
.text C:\WINDOWS\System32\svchost.exe[2068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00750FCA
.text C:\WINDOWS\System32\svchost.exe[2068] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00750F94
.text C:\WINDOWS\System32\svchost.exe[2068] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00750FEF
.text C:\WINDOWS\System32\svchost.exe[2068] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00750036
.text C:\WINDOWS\System32\svchost.exe[2068] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00750FAF
.text C:\WINDOWS\System32\svchost.exe[2068] msvcrt.dll!_wsystem 77C2931E 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[2068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00740022
.text C:\WINDOWS\System32\svchost.exe[2068] msvcrt.dll!system 77C293C7 5 Bytes JMP 00740011
.text C:\WINDOWS\System32\svchost.exe[2068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00740000
.text C:\WINDOWS\System32\svchost.exe[2068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00740FE3
.text C:\WINDOWS\System32\svchost.exe[2068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00740FA1
.text C:\WINDOWS\System32\svchost.exe[2068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00740FD2
.text C:\WINDOWS\System32\svchost.exe[2068] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 0073001B
.text C:\WINDOWS\System32\svchost.exe[2068] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00730000
.text C:\WINDOWS\System32\svchost.exe[2068] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00730FEF
.text C:\WINDOWS\System32\svchost.exe[2068] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00730FDE
.text C:\WINDOWS\System32\svchost.exe[2068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00720000
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C30000
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C300A4
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C30093
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C30FB9
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C30076
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C30FD4
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C300C6
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C300B5
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C30F48
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C300E1
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C300F2
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C3005B
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C3001B
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C30F94
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C3002C
.text C:\WINDOWS\Explorer.EXE[2200] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C30F63
.text C:\WINDOWS\Explorer.EXE[2200] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C20FCA
.text C:\WINDOWS\Explorer.EXE[2200] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C20F8A
.text C:\WINDOWS\Explorer.EXE[2200] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C2001B
.text C:\WINDOWS\Explorer.EXE[2200] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C20000
.text C:\WINDOWS\Explorer.EXE[2200] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C20047
.text C:\WINDOWS\Explorer.EXE[2200] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C20FE5
.text C:\WINDOWS\Explorer.EXE[2200] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C20036
.text C:\WINDOWS\Explorer.EXE[2200] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C20FAF
.text C:\WINDOWS\Explorer.EXE[2200] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C10FB0
.text C:\WINDOWS\Explorer.EXE[2200] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C10FC1
.text C:\WINDOWS\Explorer.EXE[2200] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C10FD2
.text C:\WINDOWS\Explorer.EXE[2200] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C10FE3
.text C:\WINDOWS\Explorer.EXE[2200] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C10027
.text C:\WINDOWS\Explorer.EXE[2200] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C10000
.text C:\WINDOWS\Explorer.EXE[2200] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00AE001B
.text C:\WINDOWS\Explorer.EXE[2200] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00AE0000
.text C:\WINDOWS\Explorer.EXE[2200] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00AE0038
.text C:\WINDOWS\Explorer.EXE[2200] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00AE0FDB
.text C:\WINDOWS\Explorer.EXE[2200] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AD0FEF
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C30F8A
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C30089
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C30FAF
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C3006C
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C30FCA
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C30F5C
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C30F6D
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C300EB
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C300DA
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C30106
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C3005B
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C30025
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C3009A
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C30036
.text C:\WINDOWS\system32\svchost.exe[2336] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C300C9
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C20040
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C2007D
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C2001B
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C20FE5
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C2006C
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C20FCA
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E2, 88] {LOOP 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C20051
.text C:\WINDOWS\system32\svchost.exe[2336] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00770F90
.text C:\WINDOWS\system32\svchost.exe[2336] msvcrt.dll!system 77C293C7 5 Bytes JMP 00770FAB
.text C:\WINDOWS\system32\svchost.exe[2336] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00770011
.text C:\WINDOWS\system32\svchost.exe[2336] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[2336] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00770FBC
.text C:\WINDOWS\system32\svchost.exe[2336] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[2336] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00760FE5
.text C:\WINDOWS\system32\svchost.exe[2336] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[2336] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00760FC8
.text C:\WINDOWS\system32\svchost.exe[2336] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 0076001B
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0000
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D0F70
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D005B
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D004A
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0F8D
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D0025
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D0091
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D0F55
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D00D1
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D0F2E
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D0F13
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D0F9E
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D0080
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D0FB9
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D0FCA
.text C:\WINDOWS\system32\wuauclt.exe[3040] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D00AC
.text C:\WINDOWS\system32\wuauclt.exe[3040] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0FA3
.text C:\WINDOWS\system32\wuauclt.exe[3040] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0038
.text C:\WINDOWS\system32\wuauclt.exe[3040] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C000C
.text C:\WINDOWS\system32\wuauclt.exe[3040] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3040] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C001D
.text C:\WINDOWS\system32\wuauclt.exe[3040] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0FDE
.text C:\WINDOWS\system32\wuauclt.exe[3040] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0FBC
.text C:\WINDOWS\system32\wuauclt.exe[3040] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0F97
.text C:\WINDOWS\system32\wuauclt.exe[3040] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D0FCD
.text C:\WINDOWS\system32\wuauclt.exe[3040] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D0FDE
.text C:\WINDOWS\system32\wuauclt.exe[3040] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D0054
.text C:\WINDOWS\system32\wuauclt.exe[3040] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3040] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002D0039
.text C:\WINDOWS\system32\wuauclt.exe[3040] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D0028
.text C:\WINDOWS\system32\wuauclt.exe[3040] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00670FEF
.text C:\WINDOWS\system32\wuauclt.exe[3040] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00670000
.text C:\WINDOWS\system32\wuauclt.exe[3040] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00670FDE
.text C:\WINDOWS\system32\wuauclt.exe[3040] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00670FCD
.text C:\WINDOWS\system32\wuauclt.exe[3040] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001C0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 TPInput.sys (IBM SATA Power Management Driver/IBM Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B131BD20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3AF618

---- Files - GMER 1.0.15 ----

File C:\RRUbackups\Documents and Settings 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3977721875-3026991568-2625046951-500 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3977721875-3026991568-2625046951-500\9d45a43c-35bc-4149-80df-bb18dd2cb66c 388 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3977721875-3026991568-2625046951-500\Preferred 24 bytes
File C:\RRUbackups\Documents and Settings\Default User 0 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data 0 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft 0 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 0 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3977721875-3026991568-2625046951-500 0 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3977721875-3026991568-2625046951-500\9d45a43c-35bc-4149-80df-bb18dd2cb66c 388 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3977721875-3026991568-2625046951-500\Preferred 24 bytes
File C:\RRUbackups\Documents and Settings\Osp1\ 0 bytes
File C:\RRUbackups\Documents and Settings\Osp1\Application Data 0 bytes
File C:\RRUbackups\Documents and Settings\Osp1\Application Data\Microsoft 0 bytes
File C:\RRUbackups\Documents and Settings\Osp1\Application Data\Microsoft\Protect 0 bytes
File C:\RRUbackups\Documents and Settings\Osp1\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRUbackups\Documents and Settings\Osp1\Application Data\Microsoft\Protect\S-1-5-21-3964589323-4074650193-2487500024-1005 0 bytes
File C:\RRUbackups\Documents and Settings\Osp1\Application Data\Microsoft\Protect\S-1-5-21-3964589323-4074650193-2487500024-1005\358d4f63-ad91-4609-bde4-7f63f6c35193 388 bytes
File C:\RRUbackups\Documents and Settings\Osp1\Application Data\Microsoft\Protect\S-1-5-21-3964589323-4074650193-2487500024-1005\8a792854-7f1b-4388-84bd-17b0ad843c57 388 bytes
File C:\RRUbackups\Documents and Settings\Osp1\Application Data\Microsoft\Protect\S-1-5-21-3964589323-4074650193-2487500024-1005\Preferred 24 bytes
File C:\RRUbackups\Documents and Settings\Osp1\Application Data\Microsoft\Protect\S-1-5-21-3977721875-3026991568-2625046951-500 0 bytes
File C:\RRUbackups\Documents and Settings\Osp1\Application Data\Microsoft\Protect\S-1-5-21-3977721875-3026991568-2625046951-500\9d45a43c-35bc-4149-80df-bb18dd2cb66c 388 bytes
File C:\RRUbackups\Documents and Settings\Osp1\Application Data\Microsoft\Protect\S-1-5-21-3977721875-3026991568-2625046951-500\Preferred 24 bytes
File C:\RRUbackups\hints.dat 8192 bytes
File C:\RRUbackups\pu.dat 224 bytes
File C:\RRUbackups\SAM 262144 bytes
File C:\RRUbackups\system 8126464 bytes
File C:\RRUbackups\system.dat 12288 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
ops1
Active Member
 
Posts: 7
Joined: November 28th, 2009, 10:17 pm

Re: virus causing browser tabs to pop-up and links to redirect

Unread postby Shaba » December 2nd, 2009, 9:57 am

We will continue with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: virus causing browser tabs to pop-up and links to redirect

Unread postby ops1 » December 3rd, 2009, 2:03 am

Thanks again for the help! Here is the Combofix log file:

ComboFix 09-12-02.05 - Osp1 12/02/2009 21:29.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1100 [GMT -8:00]
Running from: c:\documents and settings\Osp1\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\pwdmon.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.

2106-02-06 09:28 . 2003-11-12 05:39 11935 ----a-w- c:\windows\system32\drivers\DUBE100.sys
2009-11-28 21:53 . 2009-11-28 21:53 152576 ----a-w- c:\documents and settings\Osp1\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-28 21:53 . 2009-11-28 21:53 79488 ----a-w- c:\documents and settings\Osp1\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-27 02:57 . 2009-11-27 02:57 66568 ---ha-w- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 21:58 . 2008-08-10 23:26 -------- d-----w- c:\program files\Java
2009-11-28 21:47 . 2009-03-30 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 21:47 . 2009-04-23 02:46 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-28 21:44 . 2009-08-29 09:35 -------- d-----w- c:\documents and settings\Osp1\Application Data\HPAppData
2009-11-11 11:04 . 2008-08-04 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-10 16:05 . 2009-08-30 14:43 -------- d-----w- c:\documents and settings\Osp1\Application Data\HpUpdate
2009-10-31 23:47 . 2009-10-31 23:47 -------- d-----w- c:\documents and settings\Osp1\Application Data\l2rshell
2009-10-31 23:29 . 2009-10-31 23:29 -------- d-----w- c:\program files\latex2rtf
2009-10-31 23:17 . 2009-10-31 23:17 -------- d-----w- c:\program files\Free PDF to Word Doc Converter
2009-10-30 14:50 . 2008-07-29 18:10 -------- d-----w- c:\documents and settings\Osp1\Application Data\Apple Computer
2009-10-28 15:10 . 2009-10-28 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-28 15:10 . 2008-07-31 14:22 -------- d-----w- c:\program files\iTunes
2009-10-28 15:09 . 2009-10-28 15:09 -------- d-----w- c:\program files\iPod
2009-10-28 15:09 . 2008-07-29 18:07 -------- d-----w- c:\program files\Common Files\Apple
2009-10-28 15:06 . 2009-10-28 15:05 -------- d-----w- c:\program files\QuickTime
2009-10-28 14:59 . 2009-10-28 14:59 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-10-18 20:21 . 2008-08-18 00:17 -------- d-----w- c:\program files\Flickr Uploadr
2009-10-11 09:17 . 2009-01-06 18:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18 . 1980-01-01 07:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-03-30 13:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-03-30 13:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-07 18:20 . 2009-05-22 12:11 127872 ----a-w- c:\documents and settings\Osp1\Application Data\Move Networks\uninstall.exe
2009-09-07 18:19 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Osp1\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-09-07 18:19 . 2009-09-07 18:19 1685856 ----a-w- c:\documents and settings\Osp1\Application Data\Move Networks\MoveMediaPlayerWinSilent_071503000010.exe
2009-09-04 21:03 . 1980-01-01 07:00 58880 ----a-w- c:\windows\system32\msasn1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-08-06 2321600]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 442368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-04 94208]
"ControlCenter"="c:\program files\IBM fingerprint software\ctlcntr.exe" [2004-11-04 284766]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-12 344064]
"UC_Start"="c:\program files\IBM\Updater\\ucstartup.exe" [2004-07-14 36864]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-06 442368]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-12-16 90112]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2004-12-21 135168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-23 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2004-10-27 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2004-11-12 40960]

c:\documents and settings\Osp1\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-2 113664]
BTTray.lnk - c:\program files\IBM\Bluetooth Software\BTTray.exe [2004-10-1 565309]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-7-12 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
VPN Client.lnk - c:\windows\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico [2008-8-2 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-11-04 16:51 108636 ----a-w- c:\program files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 10:07 262144 ----a-w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 03:11 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Osp1\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"427:UDP"= 427:UDP:192.168.1.68/255.255.255.255:Enabled:SLP_Port(427)_UDP

R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [7/12/2008 4:08 PM 14208]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [7/12/2008 4:08 PM 6016]
S3 DUBE100;D-Link DUB-E100 USB 2.0 to Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100.sys [2/6/2106 1:28 AM 11935]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [7/12/2008 4:27 PM 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-12-03 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-07-13 08:00]

2009-12-03 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-31 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://nytimes.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Osp1\Application Data\Mozilla\Firefox\Profiles\vselcs4e.default\
FF - plugin: c:\documents and settings\Osp1\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Osp1\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-UC_SMB - (no file)
AddRemove-{2FCE4FC5-6930-40E7-A4F1-F862207424EF} - c:\program files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe REMOVEALL
AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 21:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\Ati2evxx.dll
c:\program files\IBM fingerprint software\psfus.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(2676)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Virtual Token\vtserver.exe
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\IBM\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\System32\QCONSVC.EXE
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\rundll32.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-12-02 21:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-03 05:55

Pre-Run: 30,328,111,104 bytes free
Post-Run: 30,435,905,536 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 8FE24187A36CC75F97507AFC8ED44500
ops1
Active Member
 
Posts: 7
Joined: November 28th, 2009, 10:17 pm

Re: virus causing browser tabs to pop-up and links to redirect

Unread postby ops1 » December 3rd, 2009, 2:04 am

...and here is the new HJT file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:12 PM, on 12/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6053645890
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68794E56-C3BE-41B2-AEC7-F1472071E598}: Domain = mit.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Osp1\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 13584 bytes
ops1
Active Member
 
Posts: 7
Joined: November 28th, 2009, 10:17 pm

Re: virus causing browser tabs to pop-up and links to redirect

Unread postby Shaba » December 3rd, 2009, 2:33 am

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

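The two logs Shaba asks for here, a Kaspersky Online Scanner report and a fresh HijackThis log, are read by hand in this thread. The following script, an added example and not a tool from this thread or from either vendor, is a parser for both formats as they appear on this page: it separates Kaspersky detections on live files from detections on copies already sitting in ComboFix's C:\Qoobox\Quarantine folder (which is where the TDSS-infected atapi.sys copy was found), and it pulls out the HijackThis O23 service entries worth a second look (missing file, no company name, running from Temp) plus any O17 DNS/domain entries. The sample lines are constructed for the example and modelled on the thread's logs; the function names, the second quarantine path and the triage rules are my own assumptions.

```python
"""Triage helper for a Kaspersky Online Scanner 7.0 report and a HijackThis 2.x log.

Added example; not code from the thread. Sample lines below are constructed,
modelled on the log formats shown in the thread. Function and field names,
the MBAM quarantine path and the triage rules are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Folders whose contents are already neutralised copies, so a hit there is
# confirmation of an earlier clean-up, not a live infection.
# ComboFix's Qoobox path is the one seen in this thread; the MBAM path is an assumption.
QUARANTINE_PREFIXES = (
    r"c:\qoobox\quarantine",
    r"c:\program files\malwarebytes' anti-malware\quarantine",
)

# Kaspersky result line:  <path> Infected: <threat> <count>
KAV_LINE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")
# HijackThis service line: O23 - Service: <name> - <owner> - <path>[ (file missing)]
HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# HijackThis DNS/domain line: O17 - <registry key>: <setting>
HJT_O17 = re.compile(r"^O17 - (?P<key>.+?): (?P<setting>.+)$")


@dataclass
class Finding:
    source: str   # "kaspersky" or "hijackthis"
    item: str     # file path, service name or registry key
    detail: str   # threat name or reason the entry was flagged
    live: bool    # False when the object is a quarantined copy


def is_quarantined(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(q) for q in QUARANTINE_PREFIXES)


def parse_kaspersky(report: str) -> list[Finding]:
    """Return every 'Infected:' line, marking quarantined copies as not live."""
    out = []
    for line in report.splitlines():
        m = KAV_LINE.match(line.strip())
        if m:
            out.append(Finding("kaspersky", m["path"], m["threat"], not is_quarantined(m["path"])))
    return out


def parse_hijackthis(log: str) -> list[Finding]:
    """Return O23 services that deserve review and all O17 entries."""
    out = []
    for line in log.splitlines():
        line = line.strip()
        m = HJT_O23.match(line)
        if m:
            reasons = []
            if "(file missing)" in m["path"]:
                reasons.append("file missing")
            if m["owner"] == "Unknown owner":
                reasons.append("unknown owner (no company info)")
            if "\\temp\\" in m["path"].lower():
                reasons.append("runs from Temp")
            if reasons:
                out.append(Finding("hijackthis", m["name"], "; ".join(reasons), True))
            continue
        m = HJT_O17.match(line)
        if m:
            # Redirects are the symptom in this thread, so every O17 entry is
            # listed for comparison against the expected DNS/domain settings.
            out.append(Finding("hijackthis", m["key"], "O17 " + m["setting"], True))
    return out


def live_findings(findings: list[Finding]) -> list[Finding]:
    """Drop quarantined copies so only objects still on the system remain."""
    return [f for f in findings if f.live]


# Constructed sample input, modelled on the logs posted in this thread.
SAMPLE_KAV = r"""
File name / Threat / Threats count
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\58\7b79707a-434693fc Infected: Trojan-Downloader.Java.Agent.ab 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1
"""

SAMPLE_HJT = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{68794E56-C3BE-41B2-AEC7-F1472071E598}: Domain = mit.edu
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""

if __name__ == "__main__":
    for f in live_findings(parse_kaspersky(SAMPLE_KAV) + parse_hijackthis(SAMPLE_HJT)):
        print(f"[{f.source}] {f.item}: {f.detail}")
```

On the constructed input the Java cache hit is reported as live (the browser-side infection vector), the atapi.sys copy is filtered out as an already-quarantined object, the Cisco installer service is flagged on all three counts, and the O17 entry is listed for review; the McAfee service passes and is not shown.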
Re: virus causing browser tabs to pop-up and links to redirect

Unread postby ops1 » December 5th, 2009, 7:08 am

Here is the Kaspersky report file:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, December 5, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, December 05, 2009 05:07:35
Records in database: 3331335
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
Z:\

Scan statistics:
Objects scanned: 207631
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 04:13:13


File name / Threat / Threats count
C:\Documents and Settings\Ops1\Application Data\Sun\Java\Deployment\cache\6.0\58\7b79707a-434693fc Infected: Trojan-Downloader.Java.Agent.ab 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1

Selected area has been scanned.


...and here is the new hijackthis file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:55 AM, on 12/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6053645890
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68794E56-C3BE-41B2-AEC7-F1472071E598}: Domain = mit.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Ops1\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 13787 bytes


Thanks again for your help!
ops1
Active Member
 
Posts: 7
Joined: November 28th, 2009, 10:17 pm
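As an added example that is not part of this thread and not HijackThis's own code, here is a small Python triage helper for the O2 (BHO), O4 (Run key) and O23 (service) line shapes that appear in the log above. It parses each line into a record and attaches the reasons a helper would look at that entry first: a "(file missing)" target, no publisher recorded, a path under a Temp or user-profile directory, or a bare executable name whose location is resolved at logon. The sample lines are constructed copies of a few shapes from the posted log, and the flagging rules are prioritization heuristics of mine, not verdicts (several legitimate IBM services in the log also show "Unknown owner").

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis
or MalwareRemoval.com code). Parses O2/O4/O23 lines and attaches the reasons
an entry deserves a closer look. The sample below is constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shapes of the posted log (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Ops1\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""


@dataclass
class Entry:
    section: str                 # HJT section code: O2, O4 or O23
    name: str                    # BHO name, Run value name or service name
    owner: str                   # publisher string for services, "" otherwise
    path: str                    # command line / image path exactly as logged
    reasons: List[str] = field(default_factory=list)


O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|com|bat|cmd|scr))"?', re.IGNORECASE)
TEMP_PATH_RE = re.compile(r'\\(temp|locals~1|local settings)\\', re.IGNORECASE)


def first_exe(cmd: str) -> str:
    """Executable (or the DLL behind rundll32) that a Run-key command starts."""
    cmd = cmd.strip()
    for host in ('rundll32.exe ', 'rundll32 '):
        if cmd.lower().startswith(host):
            cmd = cmd[len(host):]        # judge the loaded DLL, not the host
            break
    m = EXE_RE.match(cmd)
    return m['exe'] if m else cmd.split(' ')[0]


def parse_line(line: str) -> Optional[Entry]:
    """Turn one O2/O4/O23 log line into an Entry; other lines give None."""
    line = line.rstrip()
    if line.startswith('O23 - Service: '):
        parts = line[len('O23 - Service: '):].rsplit(' - ', 2)
        return Entry('O23', parts[0], parts[1], parts[2]) if len(parts) == 3 else None
    if line.startswith('O2 - BHO: '):
        parts = line[len('O2 - BHO: '):].rsplit(' - ', 2)
        return Entry('O2', f'{parts[0]} {parts[1]}', '', parts[2]) if len(parts) == 3 else None
    m = O4_RUN_RE.match(line)
    if m:
        return Entry('O4', f"{m['hive']} Run [{m['name']}]", '', m['cmd'])
    return None


def triage(entry: Entry) -> Entry:
    """Attach plain-language reasons an entry deserves a closer look."""
    if '(file missing)' in entry.path:
        entry.reasons.append('target file is missing: stale entry, safe to remove')
    if entry.owner == 'Unknown owner':
        entry.reasons.append('no publisher recorded: check the file by hand')
    if TEMP_PATH_RE.search(entry.path):
        entry.reasons.append('runs from a Temp or user-profile path')
    if entry.section == 'O4' and '\\' not in first_exe(entry.path):
        entry.reasons.append('bare executable name: which copy runs depends on PATH')
    return entry


def triage_log(text: str) -> List[Entry]:
    """All parsed entries of a log, each with its (possibly empty) reasons."""
    entries = [parse_line(l) for l in text.strip().splitlines()]
    return [triage(e) for e in entries if e is not None]


def flagged(text: str) -> List[Entry]:
    """Only the entries that picked up at least one reason."""
    return [e for e in triage_log(text) if e.reasons]


if __name__ == '__main__':
    for e in flagged(SAMPLE_LOG):
        print(f'{e.section} {e.name}\n    {e.path}')
        for r in e.reasons:
            print(f'    - {r}')
```

Run against the constructed sample, the helper flags the TpShocks Run entry (bare name), the stale CiscoVpnInstallService entry (missing file, no publisher, Temp path) and the stale PsaSrv entry, and leaves the McAfee, Messenger and rundll32 entries alone.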

Re: virus causing browser tabs to pop-up and links to redirect

Unread postby Shaba » December 5th, 2009, 9:38 am

Empty these folders:

C:\Documents and Settings\Ops1\Application Data\Sun\Java\Deployment\cache\6.0\
C:\Qoobox\Quarantine

Empty Recycle Bin.

Still problems?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: virus causing browser tabs to pop-up and links to redirect

Unread postby ops1 » December 5th, 2009, 5:31 pm

It seems like everything is back to normal now. Thanks again for all your help! Really appreciate it.

Are there any further steps to take or any suggestions for more protection against this happening again?
ops1
Active Member
 
Posts: 7
Joined: November 28th, 2009, 10:17 pm

Re: virus causing browser tabs to pop-up and links to redirect

Unread postby Shaba » December 6th, 2009, 4:38 am

Good :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (uncheck during installation "Install COMODO Antivirus (Recommended)", "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor
3) PC Tools
4) Sunbelt/Kerio
5) ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Now let's uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /uninstall in the Run box and click OK

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

Re-enable System Restore using the instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software and keep your other programs up-to-date - Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
    You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. Tutorials on installing & using this product can be found below:

    Malwarebytes' Anti-Malware Setup Guide

    Malwarebytes' Anti-Malware Scanning Guide

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will be reduced dramatically.

Here are some additional utilities that will enhance your safety.


Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
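The Custom Level steps in the post above change six settings of the Internet zone, and every one of them is stored as a REG_DWORD under the zone 3 key of the current user. As an added example that is neither the forum's nor Microsoft's code, the Python below does two things with that fact: it audits a `.reg` export of the zone key against the recommended actions and reports what differs, and it emits a `.reg` file that applies them. The value names (1001, 1004, 1201, 1800, 1804, 1607) and the action codes 0/1/3 for Enable/Prompt/Disable are the ones Microsoft documents for Internet Explorer security zones; the "current state" export in the block is constructed.

```python
"""Audit and emit the Internet zone (zone 3) settings that the Custom Level
steps above change. Added example, not the forum's or Microsoft's code.
Key path, value names and action codes are Microsoft's documented IE zone
settings; SAMPLE_EXPORT is a constructed "current state"."""
import re
from typing import Dict, List, Optional, Tuple

ZONE_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
ENABLE, PROMPT, DISABLE = 0, 1, 3          # REG_DWORD action values for zone settings
ACTION = {ENABLE: 'Enable', PROMPT: 'Prompt', DISABLE: 'Disable'}

# Value name under the zone key -> (Custom Level caption, recommended action)
RECOMMENDED = {
    '1001': ('Download signed ActiveX controls', PROMPT),
    '1004': ('Download unsigned ActiveX controls', DISABLE),
    '1201': ('Initialize and script ActiveX controls not marked as safe', DISABLE),
    '1800': ('Installation of desktop items', PROMPT),
    '1804': ('Launching programs and files in an IFRAME', PROMPT),
    '1607': ('Navigate sub-frames across different domains', PROMPT),
}

# Constructed export of the zone key as "reg export" / regedit would write it:
# 1004 is absent, 1804 and 1607 are still set to Enable.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"1607"=dword:00000000
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<data>[0-9A-Fa-f]{8})$')
Finding = Tuple[str, str, Optional[int], int]   # value, caption, current, wanted


def parse_zone_values(reg_text: str) -> Dict[str, int]:
    """DWORD values found under the Internet zone key in a .reg export."""
    values: Dict[str, int] = {}
    in_zone = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            in_zone = line[1:-1].lower() == ZONE_KEY.lower()
            continue
        m = VALUE_RE.match(line)
        if in_zone and m:
            values[m['name']] = int(m['data'], 16)
    return values


def audit(reg_text: str) -> List[Finding]:
    """Settings whose current action differs from (or is missing versus) the recommendation."""
    current = parse_zone_values(reg_text)
    return [(v, caption, current.get(v), want)
            for v, (caption, want) in RECOMMENDED.items()
            if current.get(v) != want]


def report(findings: List[Finding]) -> List[str]:
    """One readable line per finding: caption, current action, wanted action."""
    out = []
    for _, caption, have, want in findings:
        now = 'not set (zone default applies)' if have is None else ACTION.get(have, f'value {have}')
        out.append(f'{caption}: {now} -> {ACTION[want]}')
    return out


def reg_export_text() -> str:
    """A .reg file that applies the recommended actions to the Internet zone."""
    lines = ['Windows Registry Editor Version 5.00', '', f'[{ZONE_KEY}]']
    lines += [f'"{v}"=dword:{want:08x}' for v, (_, want) in RECOMMENDED.items()]
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    for line in report(audit(SAMPLE_EXPORT)):
        print(line)
    print(reg_export_text())
```

The audit reads the per-user key only; if the machine is under a policy that makes Internet Explorer honour the HKLM copy of the zone settings instead, that key is the one to export. Importing the emitted file is the same change as clicking through Custom Level, just repeatable.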

Re: virus causing browser tabs to pop-up and links to redirect

Unread postby NonSuch » December 10th, 2009, 12:00 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California