Just over a week ago I lost an account related to games. I noticed later on that AVG (2009) ran out. I removed AVG, installed Microsoft Security Essentials, installed my remaining Windows updates and defragged the HDD.
Now I'm running into the issue that Google redirects my search results to several sites that are not even remotely related. Other than that, Firefox seems to refuse to start, forcing me to reboot my machine (Task Manager shows several instances running), and in some instances my machine slows down severely.
As mentioned in the sticky, my AV has run its course, removing several infections. Java has been removed and the latest release installed; Adobe has been removed.
Any help to solve this issue would be greatly appreciated. If there are questions regarding translation (considering my OS is installed in Dutch), then I'm more than happy to help.
===
Step 2: Malwarebytes Anti-Malware
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org
Databaseversie: 6885
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
18-6-2011 13:22:16
mbam-log-2011-06-18 (13-22-16).txt
Scantype: Volledige scan (C:\|E:\|F:\|)
Objecten gescand: 373902
Verstreken tijd: 1 uur/uren, 28 minuut/minuten, 9 seconde(n)
Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 1
Registerdata geïnfecteerd: 0
Mappen geïnfecteerd: 1
Bestanden geïnfecteerd: 7
Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)
Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)
Registersleutels geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)
Registerwaarden geïnfecteerd:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WV3E3W0UXE4W1H6JOEOJOSEIHJTGBG (Trojan.SpyEyes) -> Value: WV3E3W0UXE4W1H6JOEOJOSEIHJTGBG -> Quarantined and deleted successfully.
Registerdata geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)
Mappen geïnfecteerd:
c:\pkgfurotmvn (Trojan.SpyEyes) -> Quarantined and deleted successfully.
Bestanden geïnfecteerd:
c:\documents and settings\lennart de groot\local settings\Temp\jar_cache1843015428022091892.tmp (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\lennart de groot\local settings\Temp\jar_cache4530388770589662388.tmp (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b92a4fe4-3e3d-4416-b2a4-69c1259896d7}\RP143\A0117459.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b92a4fe4-3e3d-4416-b2a4-69c1259896d7}\RP146\A0119946.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b92a4fe4-3e3d-4416-b2a4-69c1259896d7}\RP147\A0119955.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b92a4fe4-3e3d-4416-b2a4-69c1259896d7}\RP149\A0121054.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\pkgfurotmvn\config.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.
===
Step 3: GMER
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-18 13:44:25
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort4 SAMSUNG_HD642JJ rev.1AA01108
Running: kxubi2uj.exe; Driver: C:\DOCUME~1\LENNAR~1\LOCALS~1\Temp\uxrdapob.sys
---- System - GMER 1.0.15 ----
SSDT sptd.sys ZwCreateKey [0xB9ECFA50]
SSDT sptd.sys ZwEnumerateKey [0xB9F03FFE]
SSDT sptd.sys ZwEnumerateValueKey [0xB9F0438C]
SSDT sptd.sys ZwOpenKey [0xB9ECFA30]
SSDT sptd.sys ZwQueryKey [0xB9F04464]
SSDT sptd.sys ZwQueryValueKey [0xB9F042E4]
SSDT sptd.sys ZwSetValueKey [0xB9F044F6]
INT 0x63 ? 8AEFFCC8
INT 0x63 ? 8AEFFCC8
INT 0x63 ? 8AEFFCC8
INT 0x63 ? 8AEFFCC8
INT 0x63 ? 8ACBCF00
INT 0x83 ? 8AEFFCC8
INT 0x83 ? 8AEFFCC8
INT 0x83 ? 8ACBCF00
INT 0x83 ? 8AEFFCC8
INT 0x84 ? 8ACBCF00
INT 0xA4 ? 8ACBCF00
INT 0xA4 ? 8ACBCF00
INT 0xA4 ? 8ACBCF00
INT 0xA4 ? 8ACBCF00
INT 0xB4 ? 8ACBCF00
---- Kernel code sections - GMER 1.0.15 ----
PAGE sptd.sys B9EF3000 1 Byte [74]
PAGE sptd.sys B9EF3004 5 Bytes [40, 33, EF, B9, A3]
PAGE sptd.sys B9EF300C 5 Bytes [50, 34, EF, B9, 98]
PAGE sptd.sys B9EF3014 5 Bytes [B8, 33, EF, B9, 59] {MOV EAX, 0x59b9ef33}
PAGE sptd.sys B9EF301C 5 Bytes [78, 32, EF, B9, 61]
PAGE ...
.sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xB9F8CD38]
? C:\WINDOWS\system32\drivers\sptd.sys Het proces heeft geen toegang tot het bestand omdat het bestand door een ander proces wordt gebruikt.
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB95DB000, 0x2A1A98, 0xE8000020]
.text USBPORT.SYS!DllUnload B95928AC 5 Bytes JMP 8ACBC410
.text ayu81ieq.SYS B951F306 50 Bytes [00, 00, 00, 42, 03, 00, F0, ...]
.text ayu81ieq.SYS B951F339 23 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ayu81ieq.SYS B951F351 87 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ayu81ieq.SYS B951F3A9 10 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text ayu81ieq.SYS B951F3B4 12 Bytes [40, 00, 00, C8, 50, 41, 47, ...] {INC EAX; ADD [EAX], AL; ENTER 0x4150, 0x47; INC EBP; ADD [EAX], AL; ADD [EAX], AL}
.text ...
? C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6FDB8B8D-373E-4B57-8872-6ECB23BC3077}\MpKslf962e264.sys Het systeem kan het opgegeven bestand niet vinden. !
? system32\drivers\xpsec.sys Het systeem kan het opgegeven pad niet vinden. !
? system32\drivers\xcpip.sys Het systeem kan het opgegeven pad niet vinden. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\userinit.exe[268] ntdll.dll!NtClose 7C90CFEE 3 Bytes JMP 009103B2
.text C:\WINDOWS\system32\userinit.exe[268] ntdll.dll!NtClose + 4 7C90CFF2 1 Byte [84]
.text C:\WINDOWS\system32\winlogon.exe[640] ntdll.dll!NtEnumerateValueKey 7C90D2EE 8 Bytes JMP 0BB6A7ED
.text C:\WINDOWS\system32\winlogon.exe[640] ntdll.dll!NtQueryDirectoryFile 7C90D76E 8 Bytes JMP 0BB74882
.text C:\WINDOWS\system32\winlogon.exe[640] ntdll.dll!NtResumeThread 7C90DB3E 8 Bytes JMP 0BB861F5
.text C:\WINDOWS\system32\winlogon.exe[640] ntdll.dll!NtSetInformationFile 7C90DC5E 8 Bytes JMP 0BB6A537
.text C:\WINDOWS\system32\winlogon.exe[640] ntdll.dll!NtVdmControl 7C90DF1E 8 Bytes JMP 0BB74938
.text C:\WINDOWS\system32\winlogon.exe[640] ADVAPI32.dll!CryptEncrypt 77F5E360 8 Bytes JMP 0BB7C594
.text C:\WINDOWS\system32\winlogon.exe[640] Secur32.dll!LsaLogonUser 77F133F1 5 Bytes JMP 01112946
.text C:\WINDOWS\system32\winlogon.exe[640] CRYPT32.dll!PFXImportCertStore 77AAFF8F 8 Bytes JMP 0BB7045F
.text C:\WINDOWS\system32\winlogon.exe[640] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BB6BDD9
.text C:\WINDOWS\system32\winlogon.exe[640] WS2_32.dll!send 71A34C27 8 Bytes JMP 0BB7D3A3
.text C:\WINDOWS\system32\winlogon.exe[640] WININET.dll!InternetQueryOptionA 771771AB 8 Bytes JMP 0BB7D3C5
.text C:\WINDOWS\system32\winlogon.exe[640] WININET.dll!HttpOpenRequestA 77182B11 8 Bytes JMP 0BB7938C
.text C:\WINDOWS\system32\winlogon.exe[640] WININET.dll!HttpAddRequestHeadersA 771840E2 8 Bytes JMP 0BB6C3E1
.text C:\WINDOWS\system32\winlogon.exe[640] WININET.dll!InternetCloseHandle 77184DA4 8 Bytes JMP 0BB7DC3D
.text C:\WINDOWS\system32\winlogon.exe[640] WININET.dll!HttpSendRequestA 771860B9 8 Bytes JMP 0BB82A3B
.text C:\WINDOWS\system32\winlogon.exe[640] WININET.dll!HttpQueryInfoA 771879DA 8 Bytes JMP 0BB7D6E8
.text C:\WINDOWS\system32\winlogon.exe[640] WININET.dll!InternetReadFile 77188302 8 Bytes JMP 0BB811F9
.text C:\WINDOWS\system32\winlogon.exe[640] WININET.dll!InternetQueryDataAvailable 77198A77 8 Bytes JMP 0BB81109
.text C:\WINDOWS\system32\winlogon.exe[640] WININET.dll!InternetWriteFile 771B8E39 8 Bytes JMP 0BB82CF7
.text C:\WINDOWS\system32\winlogon.exe[640] WININET.dll!InternetReadFileExA 771B9380 8 Bytes JMP 0BB81313
.text C:\WINDOWS\system32\winlogon.exe[640] WININET.dll!HttpSendRequestW 771D3254 8 Bytes JMP 0BB82B99
.text C:\WINDOWS\system32\lsass.exe[748] ntdll.dll!NtEnumerateValueKey 7C90D2EE 8 Bytes JMP 0BB6A7ED
.text C:\WINDOWS\system32\lsass.exe[748] ntdll.dll!NtQueryDirectoryFile 7C90D76E 8 Bytes JMP 0BB74882
.text C:\WINDOWS\system32\lsass.exe[748] ntdll.dll!NtResumeThread 7C90DB3E 8 Bytes JMP 0BB861F5
.text C:\WINDOWS\system32\lsass.exe[748] ntdll.dll!NtSetInformationFile 7C90DC5E 8 Bytes JMP 0BB6A537
.text C:\WINDOWS\system32\lsass.exe[748] ntdll.dll!NtVdmControl 7C90DF1E 8 Bytes JMP 0BB74938
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!CryptEncrypt 77F5E360 8 Bytes JMP 0BB7C594
.text C:\WINDOWS\system32\lsass.exe[748] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BB6BDD9
.text C:\WINDOWS\system32\lsass.exe[748] WS2_32.dll!send 71A34C27 8 Bytes JMP 0BB7D3A3
.text C:\WINDOWS\system32\lsass.exe[748] CRYPT32.dll!PFXImportCertStore 77AAFF8F 8 Bytes JMP 0BB7045F
.text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetQueryOptionA 771771AB 8 Bytes JMP 0BB7D3C5
.text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!HttpOpenRequestA 77182B11 8 Bytes JMP 0BB7938C
.text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!HttpAddRequestHeadersA 771840E2 8 Bytes JMP 0BB6C3E1
.text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetCloseHandle 77184DA4 8 Bytes JMP 0BB7DC3D
.text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!HttpSendRequestA 771860B9 8 Bytes JMP 0BB82A3B
.text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!HttpQueryInfoA 771879DA 8 Bytes JMP 0BB7D6E8
.text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetReadFile 77188302 8 Bytes JMP 0BB811F9
.text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetQueryDataAvailable 77198A77 8 Bytes JMP 0BB81109
.text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetWriteFile 771B8E39 8 Bytes JMP 0BB82CF7
.text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetReadFileExA 771B9380 8 Bytes JMP 0BB81313
.text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!HttpSendRequestW 771D3254 8 Bytes JMP 0BB82B99
.text C:\WINDOWS\system32\Ati2evxx.exe[924] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 00DD03B2
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtEnumerateValueKey 7C90D2EE 8 Bytes JMP 0BB6A7ED
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtQueryDirectoryFile 7C90D76E 8 Bytes JMP 0BB74882
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtResumeThread 7C90DB3E 8 Bytes JMP 0BB861F5
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtSetInformationFile 7C90DC5E 8 Bytes JMP 0BB6A537
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtVdmControl 7C90DF1E 8 Bytes JMP 0BB74938
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!CryptEncrypt 77F5E360 8 Bytes JMP 0BB7C594
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BB6BDD9
.text C:\WINDOWS\system32\svchost.exe[944] WS2_32.dll!send 71A34C27 8 Bytes JMP 0BB7D3A3
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetQueryOptionA 771771AB 8 Bytes JMP 0BB7D3C5
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!HttpOpenRequestA 77182B11 8 Bytes JMP 0BB7938C
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!HttpAddRequestHeadersA 771840E2 8 Bytes JMP 0BB6C3E1
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetCloseHandle 77184DA4 8 Bytes JMP 0BB7DC3D
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!HttpSendRequestA 771860B9 8 Bytes JMP 0BB82A3B
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!HttpQueryInfoA 771879DA 8 Bytes JMP 0BB7D6E8
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetReadFile 77188302 8 Bytes JMP 0BB811F9
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetQueryDataAvailable 77198A77 8 Bytes JMP 0BB81109
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetWriteFile 771B8E39 8 Bytes JMP 0BB82CF7
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetReadFileExA 771B9380 8 Bytes JMP 0BB81313
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!HttpSendRequestW 771D3254 8 Bytes JMP 0BB82B99
.text C:\WINDOWS\system32\svchost.exe[944] CRYPT32.dll!PFXImportCertStore 77AAFF8F 8 Bytes JMP 0BB7045F
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] ntdll.dll!NtEnumerateValueKey 7C90D2EE 8 Bytes JMP 0BB6A7ED
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] ntdll.dll!NtQueryDirectoryFile 7C90D76E 8 Bytes JMP 0BB74882
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] ntdll.dll!NtResumeThread 7C90DB3E 8 Bytes JMP 0BB861F5
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] ntdll.dll!NtSetInformationFile 7C90DC5E 8 Bytes JMP 0BB6A537
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] ntdll.dll!NtVdmControl 7C90DF1E 8 Bytes JMP 0BB74938
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] kernel32.dll!CreateFileW 7C7E0800 8 Bytes JMP 0BB754CB
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] ADVAPI32.dll!CryptEncrypt 77F5E360 8 Bytes JMP 0BB7C594
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 024A9E0A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] WS2_32.dll!send 71A34C27 8 Bytes JMP 0BB7D3A3
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 024A9CBC
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] WS2_32.dll!recv 71A3676F 5 Bytes JMP 024A9A88
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 024A9B5B
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BB6BDD9
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] USER32.dll!TrackPopupMenu 7E3E531E 5 Bytes JMP 1040C334 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] CRYPT32.dll!PFXImportCertStore 77AAFF8F 8 Bytes JMP 0BB7045F
.text C:\WINDOWS\system32\svchost.exe[1016] ntdll.dll!NtEnumerateValueKey 7C90D2EE 8 Bytes JMP 0BB6A7ED
.text C:\WINDOWS\system32\svchost.exe[1016] ntdll.dll!NtQueryDirectoryFile 7C90D76E 8 Bytes JMP 0BB74882
.text C:\WINDOWS\system32\svchost.exe[1016] ntdll.dll!NtResumeThread 7C90DB3E 8 Bytes JMP 0BB861F5
.text C:\WINDOWS\system32\svchost.exe[1016] ntdll.dll!NtSetInformationFile 7C90DC5E 8 Bytes JMP 0BB6A537
.text C:\WINDOWS\system32\svchost.exe[1016] ntdll.dll!NtVdmControl 7C90DF1E 8 Bytes JMP 0BB74938
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!CryptEncrypt 77F5E360 8 Bytes JMP 0BB7C594
.text C:\WINDOWS\system32\svchost.exe[1016] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BB6BDD9
.text C:\WINDOWS\system32\svchost.exe[1016] WS2_32.dll!send 71A34C27 8 Bytes JMP 0BB7D3A3
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetQueryOptionA 771771AB 8 Bytes JMP 0BB7D3C5
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!HttpOpenRequestA 77182B11 8 Bytes JMP 0BB7938C
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!HttpAddRequestHeadersA 771840E2 8 Bytes JMP 0BB6C3E1
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetCloseHandle 77184DA4 8 Bytes JMP 0BB7DC3D
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!HttpSendRequestA 771860B9 8 Bytes JMP 0BB82A3B
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!HttpQueryInfoA 771879DA 8 Bytes JMP 0BB7D6E8
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetReadFile 77188302 8 Bytes JMP 0BB811F9
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetQueryDataAvailable 77198A77 8 Bytes JMP 0BB81109
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetWriteFile 771B8E39 8 Bytes JMP 0BB82CF7
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetReadFileExA 771B9380 8 Bytes JMP 0BB81313
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!HttpSendRequestW 771D3254 8 Bytes JMP 0BB82B99
.text C:\WINDOWS\system32\svchost.exe[1016] CRYPT32.dll!PFXImportCertStore 77AAFF8F 8 Bytes JMP 0BB7045F
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] ntdll.dll!NtEnumerateValueKey 7C90D2EE 8 Bytes JMP 0BC0A7ED
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] ntdll.dll!NtQueryDirectoryFile 7C90D76E 8 Bytes JMP 0BC14882
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] ntdll.dll!NtResumeThread 7C90DB3E 8 Bytes JMP 0BC261F5
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] ntdll.dll!NtSetInformationFile 7C90DC5E 8 Bytes JMP 0BC0A537
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] ntdll.dll!NtVdmControl 7C90DF1E 8 Bytes JMP 0BC14938
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] CRYPT32.dll!PFXImportCertStore 77AAFF8F 8 Bytes JMP 0BC1045F
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] ADVAPI32.dll!CryptEncrypt 77F5E360 8 Bytes JMP 0BC1C594
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BC0BDD9
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 01659E0A
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WS2_32.dll!send 71A34C27 8 Bytes JMP 0BC1D3A3
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 01659CBC
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WS2_32.dll!recv 71A3676F 5 Bytes JMP 01659A88
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 01659B5B
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!InternetQueryOptionA 771771AB 8 Bytes JMP 0BC1D3C5
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!HttpOpenRequestA 77182B11 8 Bytes JMP 0BC1938C
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!HttpAddRequestHeadersA 771840E2 8 Bytes JMP 0BC0C3E1
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!InternetCloseHandle 77184DA4 8 Bytes JMP 0BC1DC3D
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!HttpSendRequestA 771860B9 8 Bytes JMP 0BC22A3B
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!HttpQueryInfoA 771879DA 8 Bytes JMP 0BC1D6E8
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!InternetReadFile 77188302 8 Bytes JMP 0BC211F9
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!InternetQueryDataAvailable 77198A77 8 Bytes JMP 0BC21109
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!InternetWriteFile 771B8E39 8 Bytes JMP 0BC22CF7
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!InternetReadFileExA 771B9380 8 Bytes JMP 0BC21313
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!HttpSendRequestW 771D3254 8 Bytes JMP 0BC22B99
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] ntdll.dll!NtEnumerateValueKey 7C90D2EE 8 Bytes JMP 0C9BA7ED
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] ntdll.dll!NtQueryDirectoryFile 7C90D76E 8 Bytes JMP 0C9C4882
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] ntdll.dll!NtResumeThread 7C90DB3E 8 Bytes JMP 0C9D61F5
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] ntdll.dll!NtSetInformationFile 7C90DC5E 8 Bytes JMP 0C9BA537
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] ntdll.dll!NtVdmControl 7C90DF1E 8 Bytes JMP 0C9C4938
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0C9BBDD9
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] ADVAPI32.dll!CryptEncrypt 77F5E360 8 Bytes JMP 0C9CC594
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] CRYPT32.dll!PFXImportCertStore 77AAFF8F 8 Bytes JMP 0C9C045F
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!InternetQueryOptionA 771771AB 8 Bytes JMP 0C9CD3C5
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!HttpOpenRequestA 77182B11 8 Bytes JMP 0C9C938C
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!HttpAddRequestHeadersA 771840E2 8 Bytes JMP 0C9BC3E1
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!InternetCloseHandle 77184DA4 8 Bytes JMP 0C9CDC3D
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!HttpSendRequestA 771860B9 8 Bytes JMP 0C9D2A3B
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!HttpQueryInfoA 771879DA 8 Bytes JMP 0C9CD6E8
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!InternetReadFile 77188302 8 Bytes JMP 0C9D11F9
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!InternetQueryDataAvailable 77198A77 8 Bytes JMP 0C9D1109
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!InternetWriteFile 771B8E39 8 Bytes JMP 0C9D2CF7
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!InternetReadFileExA 771B9380 8 Bytes JMP 0C9D1313
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!HttpSendRequestW 771D3254 8 Bytes JMP 0C9D2B99
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00DF9E0A
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WS2_32.dll!send 71A34C27 8 Bytes JMP 0C9CD3A3
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00DF9CBC
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00DF9A88
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00DF9B5B
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetWriteFile 771B8E39 8 Bytes JMP 0BB82CF7
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetReadFileExA 771B9380 8 Bytes JMP 0BB81313
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!HttpSendRequestW 771D3254 8 Bytes JMP 0BB82B99
.text C:\WINDOWS\system32\svchost.exe[944] CRYPT32.dll!PFXImportCertStore 77AAFF8F 8 Bytes JMP 0BB7045F
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] ntdll.dll!NtEnumerateValueKey 7C90D2EE 8 Bytes JMP 0BB6A7ED
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] ntdll.dll!NtQueryDirectoryFile 7C90D76E 8 Bytes JMP 0BB74882
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] ntdll.dll!NtResumeThread 7C90DB3E 8 Bytes JMP 0BB861F5
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] ntdll.dll!NtSetInformationFile 7C90DC5E 8 Bytes JMP 0BB6A537
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] ntdll.dll!NtVdmControl 7C90DF1E 8 Bytes JMP 0BB74938
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] kernel32.dll!CreateFileW 7C7E0800 8 Bytes JMP 0BB754CB
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] ADVAPI32.dll!CryptEncrypt 77F5E360 8 Bytes JMP 0BB7C594
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 024A9E0A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] WS2_32.dll!send 71A34C27 8 Bytes JMP 0BB7D3A3
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 024A9CBC
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] WS2_32.dll!recv 71A3676F 5 Bytes JMP 024A9A88
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 024A9B5B
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BB6BDD9
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] USER32.dll!TrackPopupMenu 7E3E531E 5 Bytes JMP 1040C334 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[952] CRYPT32.dll!PFXImportCertStore 77AAFF8F 8 Bytes JMP 0BB7045F
.text C:\WINDOWS\system32\svchost.exe[1016] ntdll.dll!NtEnumerateValueKey 7C90D2EE 8 Bytes JMP 0BB6A7ED
.text C:\WINDOWS\system32\svchost.exe[1016] ntdll.dll!NtQueryDirectoryFile 7C90D76E 8 Bytes JMP 0BB74882
.text C:\WINDOWS\system32\svchost.exe[1016] ntdll.dll!NtResumeThread 7C90DB3E 8 Bytes JMP 0BB861F5
.text C:\WINDOWS\system32\svchost.exe[1016] ntdll.dll!NtSetInformationFile 7C90DC5E 8 Bytes JMP 0BB6A537
.text C:\WINDOWS\system32\svchost.exe[1016] ntdll.dll!NtVdmControl 7C90DF1E 8 Bytes JMP 0BB74938
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!CryptEncrypt 77F5E360 8 Bytes JMP 0BB7C594
.text C:\WINDOWS\system32\svchost.exe[1016] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BB6BDD9
.text C:\WINDOWS\system32\svchost.exe[1016] WS2_32.dll!send 71A34C27 8 Bytes JMP 0BB7D3A3
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetQueryOptionA 771771AB 8 Bytes JMP 0BB7D3C5
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!HttpOpenRequestA 77182B11 8 Bytes JMP 0BB7938C
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!HttpAddRequestHeadersA 771840E2 8 Bytes JMP 0BB6C3E1
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetCloseHandle 77184DA4 8 Bytes JMP 0BB7DC3D
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!HttpSendRequestA 771860B9 8 Bytes JMP 0BB82A3B
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!HttpQueryInfoA 771879DA 8 Bytes JMP 0BB7D6E8
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetReadFile 77188302 8 Bytes JMP 0BB811F9
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetQueryDataAvailable 77198A77 8 Bytes JMP 0BB81109
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetWriteFile 771B8E39 8 Bytes JMP 0BB82CF7
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetReadFileExA 771B9380 8 Bytes JMP 0BB81313
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!HttpSendRequestW 771D3254 8 Bytes JMP 0BB82B99
.text C:\WINDOWS\system32\svchost.exe[1016] CRYPT32.dll!PFXImportCertStore 77AAFF8F 8 Bytes JMP 0BB7045F
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] ntdll.dll!NtEnumerateValueKey 7C90D2EE 8 Bytes JMP 0BC0A7ED
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] ntdll.dll!NtQueryDirectoryFile 7C90D76E 8 Bytes JMP 0BC14882
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] ntdll.dll!NtResumeThread 7C90DB3E 8 Bytes JMP 0BC261F5
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] ntdll.dll!NtSetInformationFile 7C90DC5E 8 Bytes JMP 0BC0A537
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] ntdll.dll!NtVdmControl 7C90DF1E 8 Bytes JMP 0BC14938
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] CRYPT32.dll!PFXImportCertStore 77AAFF8F 8 Bytes JMP 0BC1045F
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] ADVAPI32.dll!CryptEncrypt 77F5E360 8 Bytes JMP 0BC1C594
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BC0BDD9
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 01659E0A
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WS2_32.dll!send 71A34C27 8 Bytes JMP 0BC1D3A3
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 01659CBC
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WS2_32.dll!recv 71A3676F 5 Bytes JMP 01659A88
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 01659B5B
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!InternetQueryOptionA 771771AB 8 Bytes JMP 0BC1D3C5
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!HttpOpenRequestA 77182B11 8 Bytes JMP 0BC1938C
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!HttpAddRequestHeadersA 771840E2 8 Bytes JMP 0BC0C3E1
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!InternetCloseHandle 77184DA4 8 Bytes JMP 0BC1DC3D
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!HttpSendRequestA 771860B9 8 Bytes JMP 0BC22A3B
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!HttpQueryInfoA 771879DA 8 Bytes JMP 0BC1D6E8
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!InternetReadFile 77188302 8 Bytes JMP 0BC211F9
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!InternetQueryDataAvailable 77198A77 8 Bytes JMP 0BC21109
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!InternetWriteFile 771B8E39 8 Bytes JMP 0BC22CF7
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!InternetReadFileExA 771B9380 8 Bytes JMP 0BC21313
.text C:\Documents and Settings\Lennart de Groot\Bureaublad\kxubi2uj.exe[1052] WININET.dll!HttpSendRequestW 771D3254 8 Bytes JMP 0BC22B99
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] ntdll.dll!NtEnumerateValueKey 7C90D2EE 8 Bytes JMP 0C9BA7ED
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] ntdll.dll!NtQueryDirectoryFile 7C90D76E 8 Bytes JMP 0C9C4882
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] ntdll.dll!NtResumeThread 7C90DB3E 8 Bytes JMP 0C9D61F5
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] ntdll.dll!NtSetInformationFile 7C90DC5E 8 Bytes JMP 0C9BA537
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] ntdll.dll!NtVdmControl 7C90DF1E 8 Bytes JMP 0C9C4938
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0C9BBDD9
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] ADVAPI32.dll!CryptEncrypt 77F5E360 8 Bytes JMP 0C9CC594
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] CRYPT32.dll!PFXImportCertStore 77AAFF8F 8 Bytes JMP 0C9C045F
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!InternetQueryOptionA 771771AB 8 Bytes JMP 0C9CD3C5
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!HttpOpenRequestA 77182B11 8 Bytes JMP 0C9C938C
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!HttpAddRequestHeadersA 771840E2 8 Bytes JMP 0C9BC3E1
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!InternetCloseHandle 77184DA4 8 Bytes JMP 0C9CDC3D
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!HttpSendRequestA 771860B9 8 Bytes JMP 0C9D2A3B
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!HttpQueryInfoA 771879DA 8 Bytes JMP 0C9CD6E8
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!InternetReadFile 77188302 8 Bytes JMP 0C9D11F9
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!InternetQueryDataAvailable 77198A77 8 Bytes JMP 0C9D1109
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!InternetWriteFile 771B8E39 8 Bytes JMP 0C9D2CF7
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!InternetReadFileExA 771B9380 8 Bytes JMP 0C9D1313
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WININET.dll!HttpSendRequestW 771D3254 8 Bytes JMP 0C9D2B99
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00DF9E0A
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WS2_32.dll!send 71A34C27 8 Bytes JMP 0C9CD3A3
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00DF9CBC
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00DF9A88
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1100] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00DF9B5B