
[Closed] Google Redirecting Problems

Discussion in 'Malware and Virus Removal Archive' started by atlgman, 2010/11/10.

Thread Status:
Not open for further replies.
  1. 2010/11/10
    atlgman Inactive Thread Starter

    Hello Everyone,

    I have lots of problems lately, especially Google redirecting. Every time I click on a link I get transferred to some advertising website. The reports are below. Any and all help is greatly appreciated.

    Thank you,

    Greg



    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5086

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    11/10/2010 6:41:17 AM
    mbam-log-2010-11-10 (06-41-17).txt

    Scan type: Quick scan
    Objects scanned: 154190
    Time elapsed: 1 hour(s), 16 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\a\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.






    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-11-10 10:24:41
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK6034GSX rev.AH101A
    Running: dpuozhfk.exe; Driver: C:\DOCUME~1\a\LOCALS~1\Temp\pftdypod.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF786D0E0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF786D0F4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF786D120]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF786D176]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF786D0CC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF786D0A4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF786D0B8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF786D10A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF786D14C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF786D136]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF786D1A0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF786D18C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF786D160]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Kernel code sections - GMER 1.0.15 ----

    ? frdris.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

     
  2. 2010/11/10
    broni

    broni Moderator Malware Analyst

    Please, do NOT create multiple topics.
    Topic closed.
     

