Google Hijacked? [Solved]


  • This topic is locked

#16 Emma_uk (Member, Topic Starter, 135 posts)
Scanning Report
Thursday, December 11, 2008 13:40:34 - 14:20:53
Computer name: OWNER-25KGJLS1N
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 8 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Atdmt (spyware)
System
TrackingCookie.Doubleclick (spyware)
System
TrackingCookie.Mediaplex (spyware)
System
TrackingCookie.Revsci (spyware)
System
TrackingCookie.Tradedoubler (spyware)
System
TrackingCookie.Webtrends (spyware)
System
TrackingCookie.Yieldmanager (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 25903
System: 3179
Not scanned: 15
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 8
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\MCMSC_50HNMOA2IP8REUO
C:\WINDOWS\TEMP\MCMSC_JVTD0X5QMB3WVRE
C:\WINDOWS\TEMP\SQLITE_0QJPBCXLH2HMCMB
C:\WINDOWS\TEMP\SQLITE_3AMS1YH004CERTC
C:\WINDOWS\TEMP\SQLITE_F7FYDXSSGYFGVLP
C:\WINDOWS\TEMP\SQLITE_KCGDQDPWC7GDUIW
C:\WINDOWS\TEMP\SQLITE_OWXRCS37OIMBL8I
C:\WINDOWS\TEMP\SQLITE_SBIME9QYNKU4SLM
C:\WINDOWS\TEMP\SQLITE_TAPHWNEBDWSEUND
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Blacklight: 2.4.1093
F-Secure Hydra: 2.8.8110, 2008-12-11
F-Secure Pegasus: 1.20.0, 2008-11-10
F-Secure AVP: 7.0.171, 2008-12-11
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

#17 RatHat (Ex Malware Expert, 7,829 posts)
Well Emma, not much there! But that is good news.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Afterwards try doing a search again and let me know what happens.

#18 Emma_uk (Member, Topic Starter, 135 posts)
Nothing there :)

Scanning Report
Thursday, December 11, 2008 14:55:07 - 15:34:26
Computer name: OWNER-25KGJLS1N
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 0 malware found

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 26043
System: 3160
Not scanned: 15
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\MCMSC_50HNMOA2IP8REUO
C:\WINDOWS\TEMP\MCMSC_JVTD0X5QMB3WVRE
C:\WINDOWS\TEMP\SQLITE_0QJPBCXLH2HMCMB
C:\WINDOWS\TEMP\SQLITE_3AMS1YH004CERTC
C:\WINDOWS\TEMP\SQLITE_F7FYDXSSGYFGVLP
C:\WINDOWS\TEMP\SQLITE_KCGDQDPWC7GDUIW
C:\WINDOWS\TEMP\SQLITE_OWXRCS37OIMBL8I
C:\WINDOWS\TEMP\SQLITE_SBIME9QYNKU4SLM
C:\WINDOWS\TEMP\SQLITE_TAPHWNEBDWSEUND
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2008-12-11
F-Secure AVP: 7.0.171, 2008-12-11
F-Secure Pegasus: 1.20.0, 2008-11-10
F-Secure Blacklight: 2.4.1093
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------


#19 RatHat (Ex Malware Expert, 7,829 posts)
What happens when you do a google search now? Still getting the same problem?

#21 Emma_uk (Member, Topic Starter, 135 posts)
:)

Yes, exactly the same. IE crashed as well this time when I was on the Google page.

#22 Emma_uk (Member, Topic Starter, 135 posts)
A breakthrough..

I rebooted and the first search I did in Google was correct.

Did the same search again and it was wrong.

#23 RatHat (Ex Malware Expert, 7,829 posts)
That is odd. There does not appear to be any malware in your system, at least that is showing anyway. So let's have a really good look.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

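Reading the log that GMER produces in the steps above: the script below is added here as an example and is not part of the original post or of GMER itself. It parses the hook lines GMER prints in its System, Kernel code sections and User code sections blocks, groups them by the module GMER attributes each hook to, and pulls out the two things worth looking at first: hooks GMER could not attribute to any module (the JMP lands in anonymous memory) and entries carrying the "<--- ROOTKIT" tag the post refers to. The sample log inside the script is constructed: all of its lines but the last are copied from the GMER log posted later in this thread, and the final explorer.exe line is invented to exercise the tag check. Only the hook-line formats visible in that log are understood; GMER's other sections (Devices, Registry, Files) are ignored.

```python
import re
from collections import defaultdict

# ".text"/"PAGE" lines: an inline patch of a kernel or user-mode function, e.g.
#   .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
#   PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B2B289CE \SystemRoot\...\mfehidk.sys (desc/vendor)
PATCH_LINE = re.compile(
    r"^(?P<section>\.text|PAGE)\s+"
    r"(?:(?P<process>.+?)\[(?P<pid>\d+)\]\s+)?"      # user-mode lines carry "process[pid]"
    r"(?P<target>\S+!\S+(?:\s\+\s\d+)?)\s+"          # module!Function, optionally "+ offset"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?P<patch>JMP\s+[0-9A-F]{8}|\[[^\]]*\])"       # a JMP to the hook, or the raw patched bytes
    r"(?P<tail>.*)$"                                 # owner path, "(description/vendor)", tag
)
# "Code" lines from the System block: a kernel routine redirected into a driver or raw memory, e.g.
#   Code \SystemRoot\system32\drivers\mfehidk.sys (desc/vendor) ZwCreateFile [0xB2B289CA]
#   Code 8A3A6B60 ZwFlushInstructionCache
CODE_LINE = re.compile(
    r"^Code\s+(?:(?P<anon>[0-9A-F]{8})|(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?)\s+"
    r"(?P<target>\w+)(?:\s+\[0x[0-9A-F]+\])?\s*$"
)
# GMER's marker for entries it considers suspicious ("<--- ROOTKIT", sometimes followed by "!!!").
ROOTKIT_TAG = re.compile(r"\s*<-+\s*ROOTKIT.*$")
UNATTRIBUTED = "<unattributed>"


def _split_tail(tail):
    """Split what follows the patch into (owner module path, description, rootkit-tagged)."""
    tail = tail.strip()
    m = ROOTKIT_TAG.search(tail)
    flagged = m is not None
    if flagged:
        tail = tail[: m.start()].rstrip()
    desc = None
    m = re.search(r"\s*\(([^()]*)\)$", tail)
    if m:
        desc, tail = m.group(1), tail[: m.start()].rstrip()
    return (tail or None), desc, flagged


def parse_gmer(text):
    """Return one dict per hook line; lines in other sections are ignored."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        m = PATCH_LINE.match(line)
        if m:
            module, desc, flagged = _split_tail(m.group("tail"))
            hooks.append({"scope": "user" if m.group("pid") else "kernel",
                          "process": m.group("process"), "pid": m.group("pid"),
                          "target": m.group("target"), "module": module,
                          "desc": desc, "flagged": flagged})
            continue
        m = CODE_LINE.match(line)
        if m:
            hooks.append({"scope": "kernel", "process": None, "pid": None,
                          "target": m.group("target"), "module": m.group("module"),
                          "desc": m.group("desc"), "flagged": False})
    return hooks


def triage(hooks):
    """Group hooks by the module that owns them and single out the ones to look at first."""
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"] or UNATTRIBUTED].append(h)
    return {"by_module": dict(by_module),
            "unattributed": by_module.get(UNATTRIBUTED, []),
            "rootkit_tagged": [h for h in hooks if h["flagged"]]}


def report(result):
    """Hook counts per owner (busiest first), then the entries an analyst should review."""
    lines = [f"{len(v):3d} hook(s) owned by {k}"
             for k, v in sorted(result["by_module"].items(), key=lambda kv: -len(kv[1]))]
    for h in result["rootkit_tagged"]:
        lines.append(f"ROOTKIT-tagged: {h['target']} in {h['process'] or 'kernel'}")
    for h in result["unattributed"]:
        lines.append(f"unattributed:   {h['target']} in {h['process'] or 'kernel'}")
    return lines


# Constructed sample. All lines but the last are copied from the log posted in this thread;
# the explorer.exe line is invented to show how a "<--- ROOTKIT" entry is reported.
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB2B289CA]
Code 8A3A6B60 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
---- Kernel code sections - GMER 1.0.14 ----
.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8A380A3B
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B2B289CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- User code sections - GMER 1.0.14 ----
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[256] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 019BEBE0 C:\Program Files\McAfee\SiteAdvisor\saPlugin.dll
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 87, 8A ]
.text C:\WINDOWS\explorer.exe[1404] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 00A10000 <--- ROOTKIT
"""

if __name__ == "__main__":
    print("\n".join(report(triage(parse_gmer(SAMPLE_LOG)))))
```

Run with python and it prints the hook count per owner, then the tagged and unattributed entries. Read the output with the post's caution in mind: in the log posted in this thread the bulk of the kernel hooks resolve to McAfee's mfehidk.sys, which is a security product doing its job, and unattributed user-mode hooks are also common with HIPS products that patch APIs through trampolines in memory they allocated themselves. Neither list is proof of malware; they are the entries to investigate, which is exactly why the post says not to act on them without an analyst.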
#24 RatHat (Ex Malware Expert, 7,829 posts)
OK Emma,

It is now pretty late over here, so I am going to be heading off for bed. I'll pick up on this in the morning, so by the time you get up, I will have been able to read the GMER log and will have a better idea of whether we are looking at malware here.

One thing you could also try is downloading and installing either Firefox or Opera, two very good alternatives to Internet Explorer, and see whether you have the same problem when searching with Google.

#25 Emma_uk (Member, Topic Starter, 135 posts)
OK, no worries.. thanks

GMER finished but I can't find the log. Where is it?

#26 RatHat (Ex Malware Expert, 7,829 posts)
Where did you save it to? Did you save it to your Desktop?

If you can't find it, go to Start then Search, and run a search for GMER.txt

If all that fails, run GMER again and save a new log to your Desktop.

#27 Emma_uk (Member, Topic Starter, 135 posts)
Yeah, doing the dumb blonde again, sorry. lol

Installed Firefox and that works fine with Google. Uninstalled IE7 but can't remove IE6, which still has the same problem.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-11 17:04:17
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB2B289CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB2B28A61]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB2B28978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB2B2898C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB2B28A75]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB2B28AA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB2B28B14]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB2B28AF9]
Code 8A3A6B60 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB2B28A0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB2B28B3E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB2B28A4D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB2B28950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB2B28964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB2B289DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB2B28B7A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB2B28AE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB2B28ACD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB2B28A8B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB2B28B66]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB2B28B52]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB2B289B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB2B289A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB2B28AB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB2B28A39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB2B28B28]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB2B28A20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB2B289F4]
Code 8A380A36 IofCallDriver
Code 8A52F056 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8A380A3B
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8A52F05B
.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B2B289F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B2B289CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B2B28A0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B2B28A24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 8A3A6B64
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B2B289E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP B2B28954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP B2B28968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B2B289A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP B2B28990 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP B2B2897C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B2B289BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B2B28A3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP B2B28AD1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP B2B28ABB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP B2B28B2C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP B2B28AE7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP B2B28A8F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP B2B28A65 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP B2B28A79 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP B2B28AA5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 5 Bytes JMP B2B28B18 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP B2B28AFD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP B2B28A51 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP B2B28B7E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP B2B28B56 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP B2B28B6A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP B2B28B42 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[256] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 019BEBE0 C:\Program Files\McAfee\SiteAdvisor\saPlugin.dll
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[256] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F75
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F86
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0007006A
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FA1
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0007008C
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F50
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700A7
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F0E
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00070EF3
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070FB2
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0007007B
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070F29
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060058
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060047
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00060036
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060FAF
.text C:\WINDOWS\system32\services.exe[764] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[764] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D6008E
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D60FA3
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D6007D
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D60062
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60036
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D60F77
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D60F88
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D60F41
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D600DA
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D60F30
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D60047
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D60FD4
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D600A9
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D60025
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D60014
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D60F66
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D50014
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D50F83
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D50FC3
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D50FDE
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D50040
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00D50025
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D50FA8
.text C:\WINDOWS\system32\lsass.exe[776] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\lsass.exe[776] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00D30FD4
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 026C000A
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 026C0F9C
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 026C0091
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 026C0FB9
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 026C0076
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 026C0FD4
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 026C00BD
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 026C00AC
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026C0F38
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026C0F53
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 026C0F27
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 026C005B
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 026C0FEF
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 026C0F81
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 026C0040
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 026C0025
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 026C0F64
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02670FA8
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02670032
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02670FB9
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02670FD4
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02670F75
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02670FEF
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02670F86
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 87, 8A ]
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02670F97
.text C:\WINDOWS\system32\svchost.exe[948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02640000
.text C:\WINDOWS\system32\svchost.exe[948] WS2_32.dll!bind 71AB4480 5 Bytes JMP 0264001B
.text C:\WINDOWS\system32\svchost.exe[948] WININET.dll!InternetOpenW 771BAF29 5 Bytes JMP 0265001B
.text C:\WINDOWS\system32\svchost.exe[948] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 02650000
.text C:\WINDOWS\system32\svchost.exe[948] WININET.dll!InternetOpenUrlA 771C5A5A 5 Bytes JMP 02650FD9
.text C:\WINDOWS\system32\svchost.exe[948] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 02650036
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F40F41
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40036
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40F5E
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40F79
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F40FA5
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F40F15
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F4005B
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F40078
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F40EDF
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F40093
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F40F94
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F40FE5
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F40F30

Edited by Emma_uk, 11 December 2008 - 11:17 AM.

  • 0

#28
Emma_uk

Emma_uk

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 135 posts
Doesn't seem to fit in the post so I've attached it for you. Hope it's ok.

Attached Files

  • Attached File  gmer.txt   75.82KB   381 downloads

  • 0
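Added example, not code from this thread or from GMER: a small Python parser for the user-mode inline-hook lines GMER prints in the format seen in Emma's gmer.txt. It groups the hooks per process and counts those whose JMP target GMER could not map to a module on disk, which is the first thing a helper separates from hooks placed by an installed security product (such as the McAfee lines). The sample lines are copied from the thread's log; the field names `owner` and `unattributed` are my own.

```python
import re
from collections import defaultdict

# One GMER user-mode inline hook line, e.g.
#   .text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F40FC0
# optionally followed by the module GMER mapped the JMP target to, plus its description in parentheses.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>\S+)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\))?\s*$"
)

# Sample input: a few lines copied from the gmer.txt output in this thread.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F40FC0
.text C:\WINDOWS\system32\svchost.exe[1052] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F30F97
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 13, 89 ]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1140] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
"""


def parse_hooks(log_text):
    """Parse GMER 'JMP' hook lines into dicts. Lines that do not match,
    such as the '+ 3 ... [ 13, 89 ]' lines (remaining bytes of the same
    2-byte patch) and the kernel-mode sections, are skipped."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["nbytes"] = int(d["nbytes"])
        d["addr"] = int(d["addr"], 16)
        d["target"] = int(d["target"], 16)
        hooks.append(d)
    return hooks


def summarize(hooks):
    """Group hooks per process. 'unattributed' counts hooks whose JMP target
    GMER printed without an owning module, i.e. the trampoline lives in
    private memory rather than a mapped image. That alone is not proof of
    malware (security products hook the same way), so it is a triage
    pointer: compare the hooked processes with what the installed products
    are expected to hook. 'target_pages' shows the 64 KiB regions the
    trampolines sit in; hooks of one injector usually cluster in a few."""
    by_proc = defaultdict(lambda: {"hooked": [], "unattributed": 0,
                                   "owners": set(), "target_pages": set()})
    for h in hooks:
        entry = by_proc[f"{h['proc']}[{h['pid']}]"]
        entry["hooked"].append(f"{h['module']}!{h['export']}")
        entry["target_pages"].add(f"{h['target'] >> 16:04X}")
        if h["owner"]:
            entry["owners"].add(h["owner"])
        else:
            entry["unattributed"] += 1
    return dict(by_proc)


if __name__ == "__main__":
    for proc, e in summarize(parse_hooks(SAMPLE_LOG)).items():
        print(f"{proc}: {len(e['hooked'])} hooks, {e['unattributed']} unattributed, "
              f"target pages {sorted(e['target_pages'])}, owners {sorted(e['owners']) or '-'}")
```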

#29
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Good morning Emma,

It looks like you may have a new rootkit, so I need you to follow these instructions very carefully.

Please print out this post as we will need to go into Safe Mode where you will have no internet connection to allow you to view these instructions.

Firstly I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please go to The Spy Killer
  • Read the post named Instructions for uploading files
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: dgmmqlt.sys - For RatHat
  • Put a link to this Geeks to Go topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:
    • C:\WINDOWS\system32\drivers\dgmmqlt.sys
  • Click Open
  • Then click Post

Now do exactly the same for the following two files, but change the post title to the names of the highlighted files:

C:\WINDOWS\system32\dgmoiqh.dll
C:\WINDOWS\system32\dgmmhct.dll

Let me know when you have uploaded them.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now, let's run ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. If you are unsure of how to disable these programs, please refer to this page for details.

Please include the contents of C:\ComboFix.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following logs:
  • The contents of Report.txt
  • The contents of Combofix.txt
Please make a separate post for each log.

Regards,
RatHat
  • 0

#30
Emma_uk

Emma_uk

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 135 posts
Good morning :)

I've followed your instructions but cannot find the dgmoiqh.dll or dgmmhct.dll.

Strange?
  • 0
