find-fast-answers.com / google redirect virus


This topic is locked
3 replies to this topic

#1 nsc

  • Members
  • 1 posts

Posted 06 August 2011 - 11:36 AM

I've never been unable to remove a virus manually before this one. Searching Google only finds results for other people having the same issue, with no definite fixes. Resetting IE settings stops the redirect for a few minutes, then it resumes again. The following all report that the computer is clean:
MBAM
HJT (No abnormal entries)
MS Security Essentials
mwav
TDSSkiller
VundoFix
RootkitBuster
Combofix
Kaspersky Virus Removal Tool
ESET Online Scanner
Spybot S&D
Rootkit Unhooker (No abnormal entries)
HitmanPro
aswMBR

.
DDS (Ver_2011-06-23.01) - NTFSx86 
Internet Explorer: 9.0.8112.16421
Run by User at 12:05:59 on 2011-08-06
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.2036.559 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Windows Media Player\wmpnscfg.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10u_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com
mSearch Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AutorunsDisabled - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey -update
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{CA7B8AC9-89DF-4E46-BE29-A15F81E127B1} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\cdqkk53v.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
============= SERVICES / DRIVERS ===============
.
R0 18185592;18185592;c:\windows\system32\drivers\18185592.sys [2011-8-3 133208]
R0 35723331;35723331;c:\windows\system32\drivers\35723331.sys [2011-8-5 133208]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9ea2d930fbd80;Google Update Service (gupdate1c9ea2d930fbd80);c:\program files\google\update\GoogleUpdate.exe [2009-6-10 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-10 133104]
S3 Ser2rs;Radioshack USB to Serial Driver;c:\windows\system32\drivers\ser2rs.sys [2009-5-30 76288]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-06 15:35:42	--------	d-----w-	c:\program files\ESET
2011-08-06 15:08:54	21064	----a-w-	c:\windows\system32\drivers\hitmanpro35.sys
2011-08-06 15:08:25	--------	d-----w-	c:\programdata\Hitman Pro
2011-08-06 06:02:57	190032	----a-w-	c:\windows\system32\drivers\tmcomm.sys
2011-08-06 05:19:53	--------	d-----w-	c:\users\user\appdata\local\temp
2011-08-06 05:19:10	--------	d-sh--w-	C:\$RECYCLE.BIN
2011-08-06 04:33:25	439632	----a-w-	c:\programdata\microsoft\microsoft antimalware\definition updates\{d6062ebc-e834-4829-8159-d56c1e38404f}\gapaengine.dll
2011-08-06 04:33:02	6881616	----a-w-	c:\programdata\microsoft\microsoft antimalware\definition updates\{dc74f1e3-792b-4ffc-b9a7-34615df7b9e0}\mpengine.dll
2011-08-06 04:18:29	--------	d-----w-	c:\program files\Microsoft Security Client
2011-08-06 02:42:44	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-05 21:16:04	133208	----a-w-	c:\windows\system32\drivers\35723331.sys
2011-08-03 22:16:19	36726328	----a-w-	c:\windows\hklmSY.reg
2011-08-03 18:53:12	--------	d-----w-	c:\programdata\Kaspersky Lab
2011-08-03 18:52:18	133208	----a-w-	c:\windows\system32\drivers\18185592.sys
2011-08-03 18:37:52	--------	d---a-w-	c:\windows\VDLL.DLL
2011-08-03 18:37:52	--------	d---a-w-	c:\windows\system32\runouce.exe
2011-08-03 18:37:52	--------	d---a-w-	c:\windows\RUNDL132.EXE
2011-08-03 18:37:52	--------	d---a-w-	c:\windows\logo_1.exe
2011-08-03 18:24:59	632064	----a-w-	c:\windows\system32\msvcr80.dll
2011-08-03 18:24:58	554240	----a-w-	c:\windows\system32\msvcp80.dll
2011-08-03 18:24:57	34048	----a-w-	c:\windows\system32\eEmpty.exe
2011-08-03 18:24:53	--------	d-----w-	c:\program files\common files\MicroWorld
2011-08-03 18:24:50	--------	d-----w-	c:\programdata\MicroWorld
2011-07-29 02:04:48	--------	d-----w-	c:\programdata\Spybot - Search & Destroy
2011-07-29 02:04:48	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2011-07-28 16:55:04	--------	d-----w-	c:\program files\Microsoft LifeCam
2011-07-28 16:55:01	1974616	----a-w-	c:\windows\system32\D3DCompiler_42.dll
2011-07-28 16:55:01	1892184	----a-w-	c:\windows\system32\D3DX9_42.dll
2011-07-28 16:09:04	98816	----a-w-	c:\windows\sed.exe
2011-07-28 16:09:04	518144	----a-w-	c:\windows\SWREG.exe
2011-07-28 16:09:04	256000	----a-w-	c:\windows\PEV.exe
2011-07-28 16:09:04	208896	----a-w-	c:\windows\MBR.exe
2011-07-28 15:24:12	221568	----a-w-	c:\windows\system32\drivers\netio.sys
2011-07-28 00:45:30	0	----a-w-	c:\users\user\appdata\local\Tsapexijokiqov.bin
2011-07-27 23:30:55	63488	--sha-r-	c:\windows\system32\msvcr71F.dll
2011-07-24 19:01:50	--------	d-----w-	c:\programdata\SSScanAppDataDir
2011-07-24 19:01:15	--------	d-----w-	c:\programdata\MSScanAppDataDir
2011-07-13 01:32:43	508416	----a-w-	c:\windows\system32\drivers\bthport.sys
2011-07-13 01:32:43	30208	----a-w-	c:\windows\system32\drivers\BTHUSB.SYS
2011-07-13 01:32:41	2043392	----a-w-	c:\windows\system32\win32k.sys
2011-07-13 01:32:33	49152	----a-w-	c:\windows\system32\csrsrv.dll
2011-07-13 01:32:33	375808	----a-w-	c:\windows\system32\winsrv.dll
.
==================== Find3M  ====================
.
2011-07-06 23:52:42	41272	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 12:08:06.42 ===============

Note:
c:\windows\system32\drivers\35723331.sys
c:\windows\system32\drivers\18185592.sys
were created by Kaspersky and are legit

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:33:32 PM, on 8/6/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10u_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
G:\PC Repair\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey -update
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Google Update Service (gupdate1c9ea2d930fbd80) (gupdate1c9ea2d930fbd80) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

--
End of file - 3993 bytes

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-06 12:34:46
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2500AAJS-75M0A0 rev.01.03E01
Running: gmer.exe; Driver: C:\Users\user\AppData\Local\Temp\pwddapod.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwAdjustPrivilegesToken [0xD1E32E36]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwAlpcConnectPort [0xD1E35074]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwAlpcCreatePort [0xD1E352EE]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwAlpcSendWaitReceivePort [0xD1E35564]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwClose [0xD1E3374A]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwConnectPort [0xD1E3457E]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwCreateEvent [0xD1E34AC8]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwCreateFile [0xD1E33A26]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwCreateMutant [0xD1E349AE]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwCreateNamedPipeFile [0xD1E32A24]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwCreatePort [0xD1E34882]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwCreateSection [0xD1E32BCC]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwCreateSemaphore [0xD1E34BE8]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwCreateThread [0xD1E333D0]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwCreateWaitablePort [0xD1E34918]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwDebugActiveProcess [0xD1E362D6]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwDeviceIoControlFile [0xD1E33EA8]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwDuplicateObject [0xD1E374E4]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwFsControlFile [0xD1E33CB6]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwLoadDriver [0xD1E363C8]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwMapViewOfSection [0xD1E36B30]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwOpenEvent [0xD1E34B5E]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwOpenFile [0xD1E337CC]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwOpenMutant [0xD1E34A3E]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwOpenProcess [0xD1E33074]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwOpenSection [0xD1E368CA]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwOpenSemaphore [0xD1E34C7E]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwOpenThread [0xD1E32F64]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwQueryDirectoryObject [0xD1E35868]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwQuerySection [0xD1E36E6A]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwQueueApcThread [0xD1E3675C]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwReplaceKey [0xD1E316DE]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwReplyPort [0xD1E34FE2]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwReplyWaitReceivePort [0xD1E34EA8]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwRequestWaitReplyPort [0xD1E36070]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwRestoreKey [0xD1E31A56]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwResumeThread [0xD1E37386]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwSaveKey [0xD1E31676]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwSecureConnectPort [0xD1E342C4]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwSetContextThread [0xD1E335EC]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwSetInformationToken [0xD1E3590A]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwSetSecurityObject [0xD1E36566]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwSetSystemInformation [0xD1E36FBA]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwSuspendProcess [0xD1E370AC]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwSuspendThread [0xD1E371E6]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwSystemDebugControl [0xD1E361FA]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwTerminateProcess [0xD1E3321A]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwTerminateThread [0xD1E33170]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwUnmapViewOfSection [0xD1E36D0E]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwWriteVirtualMemory [0xD1E33306]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwCreateThreadEx [0xD1E334CE]
SSDT            \SystemRoot\system32\DRIVERS\2544697drv.sys                                                                                                       ZwCreateUserProcess [0xD1E357AE]

Code            \SystemRoot\System32\Drivers\BlackBox.SYS                                                                                                         ExAllocatePool
Code            \SystemRoot\System32\Drivers\BlackBox.SYS                                                                                                         ExAllocatePoolWithTag
Code            \SystemRoot\System32\Drivers\BlackBox.SYS                                                                                                         KeDelayExecutionThread

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ExAllocatePool                                                                                                                       82621B56 5 Bytes  JMP A89B24DC \SystemRoot\System32\Drivers\BlackBox.SYS
.text           ntkrnlpa.exe!KeDelayExecutionThread                                                                                                               826BF5DC 5 Bytes  JMP A89B253B \SystemRoot\System32\Drivers\BlackBox.SYS
.text           ntkrnlpa.exe!KeSetEvent + 119                                                                                                                     826C289C 4 Bytes  [36, 2E, E3, D1]
.text           ntkrnlpa.exe!KeSetEvent + 13D                                                                                                                     826C28C0 8 Bytes  [74, 50, E3, D1, EE, 52, E3, ...] {JZ 0x52; JECXZ 0xffffffffffffffd5; OUT DX, AL ; PUSH EDX; JECXZ 0xffffffffffffffd9}
.text           ntkrnlpa.exe!KeSetEvent + 181                                                                                                                     826C2904 4 Bytes  [64, 55, E3, D1]
.text           ntkrnlpa.exe!KeSetEvent + 1A9                                                                                                                     826C292C 4 Bytes  [4A, 37, E3, D1] {DEC EDX; AAA ; JECXZ 0xffffffffffffffd5}
.text           ntkrnlpa.exe!KeSetEvent + 1C1                                                                                                                     826C2944 4 Bytes  [7E, 45, E3, D1] {JLE 0x47; JECXZ 0xffffffffffffffd5}
.text           ...                                                                                                                                               
?               System32\Drivers\BlackBox.SYS                                                                                                                     The system cannot find the path specified. !
?               C:\Users\user\AppData\Local\Temp\mbr.sys                                                                                                          The system cannot find the file specified. !
?               system32\DRIVERS\2544697drv.sys                                                                                                                   The system cannot find the path specified. !
?               system32\DRIVERS\43008154.sys                                                                                                                     The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!EnableWindow                                                                     76BCCD8B 5 Bytes  JMP 6F7898BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DrawTextExW                                                                      76BD91CE 5 Bytes  JMP 00D9D579 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DrawTextW                                                                        76BD97D3 5 Bytes  JMP 00D9D3B7 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DrawTextA                                                                        76BE558D 5 Bytes  JMP 00D9D2DC 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DrawTextExA                                                                      76BE55C4 5 Bytes  JMP 00D9D492 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DialogBoxParamW                                                                  76BF10B0 5 Bytes  JMP 00D9C46C 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DialogBoxIndirectParamW                                                          76BF2EF5 5 Bytes  JMP 6F8D5E86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!SetClipboardData                                                                 76C06410 5 Bytes  JMP 00D9D02D 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DialogBoxParamA                                                                  76C08152 5 Bytes  JMP 6F8D5E21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DialogBoxIndirectParamA                                                          76C0847D 5 Bytes  JMP 6F8D5EEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!MessageBoxIndirectA                                                              76C1D4D9 5 Bytes  JMP 6F8D5DA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!MessageBoxIndirectW                                                              76C1D5D3 5 Bytes  JMP 6F8D5D2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!MessageBoxExA                                                                    76C1D639 5 Bytes  JMP 6F8D5CCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!MessageBoxExW                                                                    76C1D65D 5 Bytes  JMP 6F8D5C67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] GDI32.dll!ExtTextOutW                                                                       76AC872B 5 Bytes  JMP 00D9D744 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] GDI32.dll!GetGlyphIndicesW                                                                  76ACB765 5 Bytes  JMP 00D9DBD1 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] GDI32.dll!ExtTextOutA                                                                       76AD00A5 5 Bytes  JMP 00D9D660 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] GDI32.dll!TextOutA                                                                          76AD0BAB 5 Bytes  JMP 00D9D144 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] GDI32.dll!TextOutW                                                                          76AD0D6D 5 Bytes  JMP 00D9D210 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] GDI32.dll!GetGlyphIndicesA                                                                  76AE9DC0 5 Bytes  JMP 00D9DB04 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] WININET.dll!InternetCrackUrlW                                                               76742E2B 5 Bytes  JMP 00D9DFE0 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] WS2_32.dll!closesocket                                                                      756E330C 5 Bytes  JMP 00D9CF86 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] WS2_32.dll!recv                                                                             756E343A 5 Bytes  JMP 00D9CBA0 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] WS2_32.dll!GetAddrInfoW                                                                     756E3D12 5 Bytes  JMP 00D9C0AA 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] WS2_32.dll!getaddrinfo                                                                      756E418A 5 Bytes  JMP 00D9BFCA 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] WS2_32.dll!WSASend                                                                          756E4496 5 Bytes  JMP 00D9CC4E 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] WS2_32.dll!send                                                                             756E659B 5 Bytes  JMP 00D9CAFB 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] WS2_32.dll!WSARecv                                                                          756E8400 5 Bytes  JMP 00D9CD22 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] WS2_32.dll!WSAAsyncGetHostByName                                                            756F5FB9 5 Bytes  JMP 00D9C38D 
.text           C:\Program Files\Internet Explorer\iexplore.exe[1400] WS2_32.dll!gethostbyname                                                                    756F62D4 5 Bytes  JMP 00D9BF09 
.text           C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O6Z8UVB1\RKUnhookerLE.EXE[2888] ntdll.dll!CsrClientCallServer  77088182 5 Bytes  JMP 00447E98 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O6Z8UVB1\RKUnhookerLE.EXE
.text           C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O6Z8UVB1\RKUnhookerLE.EXE[2888] kernel32.dll!LoadLibraryExW    7658927C 5 Bytes  JMP 00447E54 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O6Z8UVB1\RKUnhookerLE.EXE
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] kernel32.dll!CreateThread                                                                   765ACB2E 5 Bytes  JMP 6F7471CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!CreateDialogParamW                                                               76BC72A2 5 Bytes  JMP 6F8D61F0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!GetAsyncKeyState                                                                 76BC863C 5 Bytes  JMP 6F72DC69 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!SetWindowsHookExW                                                                76BC87AD 5 Bytes  JMP 6F78204C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!CallNextHookEx                                                                   76BC8E3B 1 Byte  [E9]
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!CallNextHookEx                                                                   76BC8E3B 5 Bytes  JMP 6F7A7A3F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!UnhookWindowsHookEx                                                              76BC98DB 5 Bytes  JMP 6F7CE9F8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!EnableWindow                                                                     76BCCD8B 5 Bytes  JMP 6F7898BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DefWindowProcA                                                                   76BCDB88 7 Bytes  JMP 6F7493F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!CreateWindowExA                                                                  76BCDC2A 2 Bytes  JMP 6F753223 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!CreateWindowExA + 3                                                              76BCDC2D 2 Bytes  [B8, F8]
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!CreateWindowExW                                                                  76BD1305 5 Bytes  JMP 6F7AFE1F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!GetKeyState                                                                      76BD8CB1 5 Bytes  JMP 6F72DB43 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DrawTextExW                                                                      76BD91CE 5 Bytes  JMP 033AD579 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DrawTextW                                                                        76BD97D3 5 Bytes  JMP 033AD3B7 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DefWindowProcW                                                                   76BE03B4 7 Bytes  JMP 6F7A7AA2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!IsDialogMessageW                                                                 76BE0745 5 Bytes  JMP 6F8D6964 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!CreateDialogParamA                                                               76BE17AA 5 Bytes  JMP 6F8D61B8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!IsDialogMessage                                                                  76BE1847 5 Bytes  JMP 6F8D693C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!CreateDialogIndirectParamA                                                       76BE26F1 5 Bytes  JMP 6F8D6228 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DrawTextA                                                                        76BE558D 5 Bytes  JMP 033AD2DC 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DrawTextExA                                                                      76BE55C4 5 Bytes  JMP 033AD492 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!CreateDialogIndirectParamW                                                       76BE9A62 5 Bytes  JMP 6F8D6260 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!SetKeyboardState                                                                 76BF0987 5 Bytes  JMP 6F8D722D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DialogBoxParamW                                                                  76BF10B0 5 Bytes  JMP 033AC46C 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DialogBoxIndirectParamW                                                          76BF2EF5 5 Bytes  JMP 6F8D5E86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!SendInput                                                                        76BF2F75 5 Bytes  JMP 6F8D71D5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!EndDialog                                                                        76BF326E 5 Bytes  JMP 6F8D6C10 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!SetClipboardData                                                                 76C06410 5 Bytes  JMP 033AD02D 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!SetCursorPos                                                                     76C06FB2 5 Bytes  JMP 6F8D72AE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DialogBoxParamA                                                                  76C08152 5 Bytes  JMP 6F8D5E21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DialogBoxIndirectParamA                                                          76C0847D 5 Bytes  JMP 6F8D5EEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!MessageBoxIndirectA                                                              76C1D4D9 5 Bytes  JMP 6F8D5DA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!MessageBoxIndirectW                                                              76C1D5D3 5 Bytes  JMP 6F8D5D2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!MessageBoxExA                                                                    76C1D639 5 Bytes  JMP 6F8D5CCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!MessageBoxExW                                                                    76C1D65D 5 Bytes  JMP 6F8D5C67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!keybd_event                                                                      76C1D972 5 Bytes  JMP 6F8D7192 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] GDI32.dll!ExtTextOutW                                                                       76AC872B 5 Bytes  JMP 033AD744 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] GDI32.dll!GetGlyphIndicesW                                                                  76ACB765 5 Bytes  JMP 033ADBD1 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] GDI32.dll!ExtTextOutA                                                                       76AD00A5 5 Bytes  JMP 033AD660 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] GDI32.dll!TextOutA                                                                          76AD0BAB 5 Bytes  JMP 033AD144 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] GDI32.dll!TextOutW                                                                          76AD0D6D 5 Bytes  JMP 033AD210 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] GDI32.dll!GetGlyphIndicesA                                                                  76AE9DC0 5 Bytes  JMP 033ADB04 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] SHELL32.dll!SHRestricted + D95                                                              759789A8 4 Bytes  [37, 01, 7D, 71] {AAA ; ADD [EBP+0x71], EDI}
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] SHELL32.dll!SHRestricted + D9D                                                              759789B0 8 Bytes  [60, 61, 7C, 71, E1, F6, 7C, ...] {PUSHA ; POPA ; JL 0x75; LOOPZ 0xfffffffffffffffc; JL 0x79}
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] ole32.dll!OleLoadFromStream                                                                 76431E80 5 Bytes  JMP 6F8D666E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] WININET.dll!InternetCrackUrlW                                                               76742E2B 5 Bytes  JMP 033ADFE0 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!closesocket                                                                      756E330C 5 Bytes  JMP 033ACF86 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!recv                                                                             756E343A 5 Bytes  JMP 033ACBA0 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!GetAddrInfoW                                                                     756E3D12 5 Bytes  JMP 033AC0AA 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!getaddrinfo                                                                      756E418A 5 Bytes  JMP 033ABFCA 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!WSASend                                                                          756E4496 5 Bytes  JMP 033ACC4E 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!send                                                                             756E659B 5 Bytes  JMP 033ACAFB 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!WSARecv                                                                          756E8400 5 Bytes  JMP 033ACD22 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!WSAAsyncGetHostByName                                                            756F5FB9 5 Bytes  JMP 033AC38D 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!gethostbyname                                                                    756F62D4 5 Bytes  JMP 033ABF09 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] kernel32.dll!CreateThread                                                                   765ACB2E 5 Bytes  JMP 6F7471CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!CreateDialogParamW                                                               76BC72A2 5 Bytes  JMP 6F8D61F0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!GetAsyncKeyState                                                                 76BC863C 5 Bytes  JMP 6F72DC69 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!SetWindowsHookExW                                                                76BC87AD 5 Bytes  JMP 6F78204C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!CallNextHookEx                                                                   76BC8E3B 1 Byte  [E9]
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!CallNextHookEx                                                                   76BC8E3B 5 Bytes  JMP 6F7A7A3F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!UnhookWindowsHookEx                                                              76BC98DB 5 Bytes  JMP 6F7CE9F8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!EnableWindow                                                                     76BCCD8B 5 Bytes  JMP 6F7898BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DefWindowProcA                                                                   76BCDB88 7 Bytes  JMP 6F7493F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!CreateWindowExA                                                                  76BCDC2A 2 Bytes  JMP 6F753223 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!CreateWindowExA + 3                                                              76BCDC2D 2 Bytes  [B8, F8]
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!CreateWindowExW                                                                  76BD1305 5 Bytes  JMP 6F7AFE1F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!GetKeyState                                                                      76BD8CB1 5 Bytes  JMP 6F72DB43 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DrawTextExW                                                                      76BD91CE 5 Bytes  JMP 0121D579 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DrawTextW                                                                        76BD97D3 5 Bytes  JMP 0121D3B7 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DefWindowProcW                                                                   76BE03B4 7 Bytes  JMP 6F7A7AA2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!IsDialogMessageW                                                                 76BE0745 5 Bytes  JMP 6F8D6964 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!CreateDialogParamA                                                               76BE17AA 5 Bytes  JMP 6F8D61B8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!IsDialogMessage                                                                  76BE1847 5 Bytes  JMP 6F8D693C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!CreateDialogIndirectParamA                                                       76BE26F1 5 Bytes  JMP 6F8D6228 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DrawTextA                                                                        76BE558D 5 Bytes  JMP 0121D2DC 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DrawTextExA                                                                      76BE55C4 5 Bytes  JMP 0121D492 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!CreateDialogIndirectParamW                                                       76BE9A62 5 Bytes  JMP 6F8D6260 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!SetKeyboardState                                                                 76BF0987 5 Bytes  JMP 6F8D722D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DialogBoxParamW                                                                  76BF10B0 5 Bytes  JMP 0121C46C 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DialogBoxIndirectParamW                                                          76BF2EF5 5 Bytes  JMP 6F8D5E86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!SendInput                                                                        76BF2F75 5 Bytes  JMP 6F8D71D5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!EndDialog                                                                        76BF326E 5 Bytes  JMP 6F8D6C10 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!SetClipboardData                                                                 76C06410 5 Bytes  JMP 0121D02D 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!SetCursorPos                                                                     76C06FB2 5 Bytes  JMP 6F8D72AE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DialogBoxParamA                                                                  76C08152 5 Bytes  JMP 6F8D5E21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DialogBoxIndirectParamA                                                          76C0847D 5 Bytes  JMP 6F8D5EEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!MessageBoxIndirectA                                                              76C1D4D9 5 Bytes  JMP 6F8D5DA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!MessageBoxIndirectW                                                              76C1D5D3 5 Bytes  JMP 6F8D5D2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!MessageBoxExA                                                                    76C1D639 5 Bytes  JMP 6F8D5CCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!MessageBoxExW                                                                    76C1D65D 5 Bytes  JMP 6F8D5C67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!keybd_event                                                                      76C1D972 5 Bytes  JMP 6F8D7192 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] GDI32.dll!ExtTextOutW                                                                       76AC872B 5 Bytes  JMP 0121D744 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] GDI32.dll!GetGlyphIndicesW                                                                  76ACB765 5 Bytes  JMP 0121DBD1 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] GDI32.dll!ExtTextOutA                                                                       76AD00A5 5 Bytes  JMP 0121D660 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] GDI32.dll!TextOutA                                                                          76AD0BAB 5 Bytes  JMP 0121D144 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] GDI32.dll!TextOutW                                                                          76AD0D6D 5 Bytes  JMP 0121D210 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] GDI32.dll!GetGlyphIndicesA                                                                  76AE9DC0 5 Bytes  JMP 0121DB04 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] SHELL32.dll!SHRestricted + D95                                                              759789A8 4 Bytes  [37, 01, 7D, 71] {AAA ; ADD [EBP+0x71], EDI}
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] SHELL32.dll!SHRestricted + D9D                                                              759789B0 8 Bytes  [60, 61, 7C, 71, E1, F6, 7C, ...] {PUSHA ; POPA ; JL 0x75; LOOPZ 0xfffffffffffffffc; JL 0x79}
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] ole32.dll!OleLoadFromStream                                                                 76431E80 5 Bytes  JMP 6F8D666E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] WININET.dll!InternetCrackUrlW                                                               76742E2B 5 Bytes  JMP 0121DFE0 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] WS2_32.dll!closesocket                                                                      756E330C 5 Bytes  JMP 0121CF86 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] WS2_32.dll!recv                                                                             756E343A 5 Bytes  JMP 0121CBA0 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] WS2_32.dll!GetAddrInfoW                                                                     756E3D12 5 Bytes  JMP 0121C0AA 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] WS2_32.dll!getaddrinfo                                                                      756E418A 5 Bytes  JMP 0121BFCA 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] WS2_32.dll!WSASend                                                                          756E4496 5 Bytes  JMP 0121CC4E 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] WS2_32.dll!send                                                                             756E659B 5 Bytes  JMP 0121CAFB 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] WS2_32.dll!WSARecv                                                                          756E8400 5 Bytes  JMP 0121CD22 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] WS2_32.dll!WSAAsyncGetHostByName                                                            756F5FB9 5 Bytes  JMP 0121C38D 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3672] WS2_32.dll!gethostbyname                                                                    756F62D4 5 Bytes  JMP 0121BF09 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] kernel32.dll!CreateThread                                                                   765ACB2E 5 Bytes  JMP 6F7471CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!CreateDialogParamW                                                               76BC72A2 5 Bytes  JMP 6F8D61F0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!GetAsyncKeyState                                                                 76BC863C 5 Bytes  JMP 6F72DC69 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!SetWindowsHookExW                                                                76BC87AD 5 Bytes  JMP 6F78204C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!CallNextHookEx                                                                   76BC8E3B 1 Byte  [E9]
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!CallNextHookEx                                                                   76BC8E3B 5 Bytes  JMP 6F7A7A3F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!UnhookWindowsHookEx                                                              76BC98DB 5 Bytes  JMP 6F7CE9F8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!EnableWindow                                                                     76BCCD8B 5 Bytes  JMP 6F7898BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DefWindowProcA                                                                   76BCDB88 7 Bytes  JMP 6F7493F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!CreateWindowExA                                                                  76BCDC2A 2 Bytes  JMP 6F753223 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!CreateWindowExA + 3                                                              76BCDC2D 2 Bytes  [B8, F8]
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!CreateWindowExW                                                                  76BD1305 5 Bytes  JMP 6F7AFE1F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!GetKeyState                                                                      76BD8CB1 5 Bytes  JMP 6F72DB43 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DrawTextExW                                                                      76BD91CE 5 Bytes  JMP 002ED579 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DrawTextW                                                                        76BD97D3 5 Bytes  JMP 002ED3B7 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DefWindowProcW                                                                   76BE03B4 7 Bytes  JMP 6F7A7AA2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!IsDialogMessageW                                                                 76BE0745 5 Bytes  JMP 6F8D6964 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!CreateDialogParamA                                                               76BE17AA 5 Bytes  JMP 6F8D61B8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!IsDialogMessage                                                                  76BE1847 5 Bytes  JMP 6F8D693C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!CreateDialogIndirectParamA                                                       76BE26F1 5 Bytes  JMP 6F8D6228 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DrawTextA                                                                        76BE558D 5 Bytes  JMP 002ED2DC 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DrawTextExA                                                                      76BE55C4 5 Bytes  JMP 002ED492 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!CreateDialogIndirectParamW                                                       76BE9A62 5 Bytes  JMP 6F8D6260 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!SetKeyboardState                                                                 76BF0987 5 Bytes  JMP 6F8D722D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DialogBoxParamW                                                                  76BF10B0 5 Bytes  JMP 6F6E15E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DialogBoxIndirectParamW                                                          76BF2EF5 5 Bytes  JMP 6F8D5E86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!SendInput                                                                        76BF2F75 5 Bytes  JMP 6F8D71D5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!EndDialog                                                                        76BF326E 5 Bytes  JMP 6F8D6C10 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!SetClipboardData                                                                 76C06410 5 Bytes  JMP 002ED02D 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!SetCursorPos                                                                     76C06FB2 5 Bytes  JMP 6F8D72AE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DialogBoxParamA                                                                  76C08152 5 Bytes  JMP 6F8D5E21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DialogBoxIndirectParamA                                                          76C0847D 5 Bytes  JMP 6F8D5EEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!MessageBoxIndirectA                                                              76C1D4D9 5 Bytes  JMP 6F8D5DA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!MessageBoxIndirectW                                                              76C1D5D3 5 Bytes  JMP 6F8D5D2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!MessageBoxExA                                                                    76C1D639 5 Bytes  JMP 6F8D5CCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!MessageBoxExW                                                                    76C1D65D 5 Bytes  JMP 6F8D5C67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!keybd_event                                                                      76C1D972 5 Bytes  JMP 6F8D7192 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] GDI32.dll!ExtTextOutW                                                                       76AC872B 5 Bytes  JMP 002ED744 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] GDI32.dll!GetGlyphIndicesW                                                                  76ACB765 5 Bytes  JMP 002EDBD1 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] GDI32.dll!ExtTextOutA                                                                       76AD00A5 5 Bytes  JMP 002ED660 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] GDI32.dll!TextOutA                                                                          76AD0BAB 5 Bytes  JMP 002ED144 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] GDI32.dll!TextOutW                                                                          76AD0D6D 5 Bytes  JMP 002ED210 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] GDI32.dll!GetGlyphIndicesA                                                                  76AE9DC0 5 Bytes  JMP 002EDB04 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] SHELL32.dll!SHRestricted + D95                                                              759789A8 4 Bytes  [37, 01, 7D, 71] {AAA ; ADD [EBP+0x71], EDI}
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] SHELL32.dll!SHRestricted + D9D                                                              759789B0 8 Bytes  [60, 61, 7C, 71, E1, F6, 7C, ...] {PUSHA ; POPA ; JL 0x75; LOOPZ 0xfffffffffffffffc; JL 0x79}
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] ole32.dll!OleLoadFromStream                                                                 76431E80 5 Bytes  JMP 6F8D666E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] WININET.dll!InternetCrackUrlW                                                               76742E2B 5 Bytes  JMP 002EDFE0 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] WS2_32.dll!closesocket                                                                      756E330C 5 Bytes  JMP 002ECF86 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] WS2_32.dll!recv                                                                             756E343A 5 Bytes  JMP 002ECBA0 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] WS2_32.dll!GetAddrInfoW                                                                     756E3D12 5 Bytes  JMP 002EC0AA 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] WS2_32.dll!getaddrinfo                                                                      756E418A 5 Bytes  JMP 002EBFCA 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] WS2_32.dll!WSASend                                                                          756E4496 5 Bytes  JMP 002ECC4E 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] WS2_32.dll!send                                                                             756E659B 5 Bytes  JMP 002ECAFB 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] WS2_32.dll!WSARecv                                                                          756E8400 5 Bytes  JMP 002ECD22 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] WS2_32.dll!WSAAsyncGetHostByName                                                            756F5FB9 5 Bytes  JMP 002EC38D 
.text           C:\Program Files\Internet Explorer\iexplore.exe[3736] WS2_32.dll!gethostbyname                                                                    756F62D4 5 Bytes  JMP 002EBF09 

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\fastfat \Fat                                                                                                                          fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a31d                                                                       
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158315a31d (not active ControlSet)                                                   

Note: GMER is still scanning c:\ but it didn't find anything earlier today (I just didn't save a log, but will post the full log when it is done if necessary)

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-06 13:29:45
-----------------------------
13:29:45.690    OS Version: Windows 6.0.6002 Service Pack 2
13:29:45.690    Number of processors: 1 586 0x1601
13:29:45.692    ComputerName: LIVING-ROOM  UserName: User
13:30:00.234    Initialize success
13:31:24.878    AVAST engine defs: 11080600
13:32:22.450    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
13:32:22.458    Disk 0 Vendor: WDC_WD2500AAJS-75M0A0 01.03E01 Size: 238418MB BusType: 3
13:32:24.520    Disk 0 MBR read successfully
13:32:24.523    Disk 0 MBR scan
13:32:24.528    Disk 0 Windows VISTA default MBR code
13:32:24.564    Disk 0 scanning sectors +488279202
13:32:24.760    Disk 0 scanning C:\Windows\system32\drivers
13:33:23.311    Service scanning
13:33:25.917    Modules scanning
13:34:54.341    Disk 0 trace - called modules:
13:34:54.407    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys 
13:34:54.412    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85afaac8]
13:34:54.420    3 CLASSPNP.SYS[88ba18b3] -> nt!IofCallDriver -> [0x8505d800]
13:34:54.783    5 acpi.sys[8069d6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85050528]
13:34:59.101    AVAST engine scan C:\Windows
13:36:47.469    AVAST engine scan C:\Windows\system32
13:46:45.008    AVAST engine scan C:\Windows\system32\drivers
13:48:47.845    AVAST engine scan C:\Users\User
15:16:38.990    AVAST engine scan C:\ProgramData
15:23:09.755    Scan finished successfully
18:41:37.919    Disk 0 MBR has been saved successfully to "C:\Users\User\Desktop\MBR.dat"
18:41:38.137    The log file has been saved successfully to "C:\Users\User\Desktop\aswMBR.txt"

Edited by nsc, 06 August 2011 - 09:53 PM.
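A small triage script for the GMER hook lines in the log above, added here as an example (it is not from the post and not part of GMER): it parses each `.text` hook entry and lists the inline JMP hooks whose target GMER could not attribute to a module on disk, which in this log is the pattern of the WS2_32.dll hooks. The sample lines are copied from the log with the column spacing shortened.

```python
"""Triage helper for GMER "Code/Hooks" lines.

Added example, not part of the original post and not GMER's own code. It
separates JMP hooks that GMER attributed to a module (here IEFRAME.dll)
from JMPs into addresses it could not attribute to any module. An
unattributed JMP on name-resolution and send/recv exports is worth a closer
look in a browser-redirect case, but on its own it is a lead, not a verdict.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?\[(?P<pid>\d+)\])\s+"
    r"(?P<symbol>\S+!\S+(?: \+ [0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+) Bytes?\s+(?P<patch>.*?)\s*$"
)

# Sample lines copied from the GMER log in the post above (spacing shortened).
SAMPLE = [
    r".text  C:\Program Files\Internet Explorer\iexplore.exe[3736] kernel32.dll!CreateThread  765ACB2E 5 Bytes  JMP 6F7471CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)",
    r".text  C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!CallNextHookEx  76BC8E3B 1 Byte  [E9]",
    r".text  C:\Program Files\Internet Explorer\iexplore.exe[3736] WS2_32.dll!gethostbyname  756F62D4 5 Bytes  JMP 002EBF09 ",
    r".text  C:\Program Files\Internet Explorer\iexplore.exe[3736] WS2_32.dll!send  756E659B 5 Bytes  JMP 002ECAFB ",
    r".text  C:\Program Files\Internet Explorer\iexplore.exe[3672] WS2_32.dll!getaddrinfo  756E418A 5 Bytes  JMP 0121BFCA ",
]


def parse_hook(line):
    """Return a dict for one hook line, or None if the line is not a hook entry."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["size"] = int(rec["size"])
    # Patch column is either "JMP <target> [<module path (description)>]"
    # or raw patched bytes such as "[E9]" or "[B8, F8]".
    parts = rec["patch"].split(None, 2)
    if len(parts) >= 2 and parts[0] == "JMP":
        rec["kind"] = "jmp"
        rec["target"] = parts[1]
        rec["module"] = parts[2] if len(parts) == 3 else ""
    else:
        rec["kind"] = "bytes"
        rec["target"] = ""
        rec["module"] = ""
    return rec


def unattributed_jmps(lines):
    """Map (pid, exporting DLL) -> hooked exports whose JMP target has no module."""
    found = defaultdict(list)
    for line in lines:
        rec = parse_hook(line)
        if rec and rec["kind"] == "jmp" and not rec["module"]:
            dll, export = rec["symbol"].split("!", 1)
            found[(rec["pid"], dll)].append(export)
    return dict(found)


if __name__ == "__main__":
    for (pid, dll), exports in sorted(unattributed_jmps(SAMPLE).items()):
        print(f"pid {pid}: {dll} -> {', '.join(exports)} (JMP target not attributed)")
```

Feed it the full hook section of a GMER log (one line per entry) to get the same grouping for every process GMER scanned.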




#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:42 AM

Posted 11 August 2011 - 12:28 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".

information and logs:

  • In your next post I need the following

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click the donate button here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:42 AM

Posted 14 August 2011 - 01:40 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:42 AM

Posted 17 August 2011 - 08:15 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



