Unknown Browser Hijacker


  • This topic is locked
18 replies to this topic

#1 ischemia

  • Members
  • 10 posts

Posted 02 December 2008 - 09:23 AM

Thanks in advance for your help!

What happened:
I downloaded a torrent file that contained what I thought was the latest beta version of Camfrog (webcam software). I committed the cardinal sin by not first scanning the file for viruses. I am completely to blame :thumbsup:

Symptoms:
(1) Browser (Firefox) redirects google search results
(2) Unable to navigate directly to Bleepingcomputer, Kaspersky, Malwarebytes, etc... (I get a "Page Cannot Be Accessed" message)
(3) Browser opens hidden window? The only reason I suspect this is that sometimes the hidden window website contains sound, which I hear but cannot see.
(4) Random restarts.
(5) Randomly hangs up during Windows startup.
(6) Cannot install new software (Malwarebytes Anti-Malware, Random's System Information Tool)
(7) Cannot open Task Manager

What I've done so far:
(1) Ran a full McAfee scan that found multiple Trojan viruses. I cleaned/deleted all of those files. But no change in system behavior.
(2) Ran a CCleaner registry cleanup.
(3) I had previously installed Hijackthis and was able to run it. This is the log I received:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:12 PM, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\RivaTuner v2.06\RivaTuner.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\Program Files\ATITool\ATITool.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.ph/intl/en/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.06\RivaTuner.exe" /T
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [ATITool] "C:\Program Files\ATITool\ATITool.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [\VIE396.exe] C:\Windows\System32\VIE396.exe
O4 - HKLM\..\Run: [\VIE397.exe] C:\Windows\System32\VIE397.exe
O4 - HKLM\..\Run: [\VIE398.exe] C:\Windows\System32\VIE398.exe
O4 - HKLM\..\Run: [\VIE399.exe] C:\Windows\System32\VIE399.exe
O4 - HKLM\..\Run: [\VIE3B3.exe] C:\Windows\System32\VIE3B3.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunOnce: [wextract_cleanup1] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP003.TMP\"
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP002.TMP\"
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\U-ABIT\uGuru\uGuru.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [VIE3B3.exe] C:\Windows\System32\VIE3B3.exe
O4 - HKCU\..\Run: [VIE399.exe] C:\Windows\System32\VIE399.exe
O4 - HKCU\..\Run: [VIE398.exe] C:\Windows\System32\VIE398.exe
O4 - HKCU\..\Run: [VIE397.exe] C:\Windows\System32\VIE397.exe
O4 - HKCU\..\Run: [VIE396.exe] C:\Windows\System32\VIE396.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: NCProTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: zetcih.dll ytbvsm.dll vwihip.dll yhoxsa.dll bkalmv.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10436 bytes

The compounding problem:
I cannot access bleepingcomputer from the computer. I am sending this message and log from another computer (Mac). I should be able to transfer any programs you might suggest from this computer to the infected computer via flash drive, but I may not be able to install them.


Again, thanks for any help you can give me.

Edited by ischemia, 02 December 2008 - 09:27 AM.
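As an added example (not part of the original thread and not a HijackThis feature), a small triage script that reads log lines like those in the post above and reports the persistence indicators a responder checks first: Run values with a backslash-prefixed name or registered under both HKLM and HKCU, any AppInit_DLLs entry, and services with an unknown publisher. The heuristics are this example's own assumptions, and the sample log is constructed from a handful of lines copied from the log above.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Heuristics below are assumptions of this example, not rules from the thread:
  * O4  a Run value whose name begins with a backslash, or the same executable
        registered under more than one Run key (HKLM and HKCU), is reported.
  * O20 AppInit_DLLs is empty on a clean system, so every listed DLL is reported.
  * O23 services with publisher "Unknown owner" are reported for verification.
Reported items are things to verify, not a verdict of malice.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the log in the post above,
# plus benign neighbours, so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [\VIE396.exe] C:\Windows\System32\VIE396.exe
O4 - HKLM\..\Run: [\VIE397.exe] C:\Windows\System32\VIE397.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VIE397.exe] C:\Windows\System32\VIE397.exe
O4 - HKCU\..\Run: [VIE396.exe] C:\Windows\System32\VIE396.exe
O20 - AppInit_DLLs: zetcih.dll ytbvsm.dll vwihip.dll yhoxsa.dll bkalmv.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""

# Line formats as they appear in HijackThis 2.0 logs.
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')


def target_of(cmd):
    """Return the executable a Run value launches: a quoted path, an unquoted
    path ending in .exe (spaces allowed), or else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'^(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(' ')[0]


def triage(log_text):
    """Scan log lines and return a list of {'item', 'reason'} findings."""
    findings = []
    run_keys = defaultdict(set)  # lower-cased exe basename -> Run keys it appears in
    run_target = {}              # lower-cased exe basename -> full target as logged
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            target = target_of(m.group('cmd'))
            base = target.rsplit('\\', 1)[-1].lower()
            run_keys[base].add(m.group('hive') + '\\' + m.group('key'))
            run_target[base] = target
            if m.group('name').startswith('\\'):
                findings.append({'item': target,
                                 'reason': 'O4 value name begins with a backslash; unusual for installed software'})
            continue
        m = O20_RE.match(line)
        if m:
            for dll in m.group('dlls').split():
                findings.append({'item': dll,
                                 'reason': 'O20 AppInit_DLLs entry is loaded into every process using user32.dll; verify'})
            continue
        m = O23_RE.match(line)
        if m and m.group('owner').strip().lower() == 'unknown owner':
            findings.append({'item': m.group('path'),
                             'reason': 'O23 service has no publisher; verify the binary'})
    # Double persistence: the same executable registered under several Run keys.
    for base, keys in run_keys.items():
        if len(keys) > 1:
            findings.append({'item': run_target[base],
                             'reason': 'same executable in %d Run keys: %s' % (len(keys), ', '.join(sorted(keys)))})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print('%-55s %s' % (f['item'], f['reason']))
```

Pass the text of a full HijackThis log to triage() to run the same checks on a real file.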


#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 08 December 2008 - 08:43 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

Please do transfer the required files over to the problem computer. If they do not run, try renaming them. Lucky that infections don't jump over to Macs.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can use the button at the top bar of this topic to Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.
Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
Important! Please do not select the Show all checkbox during the scan.

In your next reply include:
-the OTScanIt log (attached)
-the GMER log (pasted directly into your reply)

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

Edited by PropagandaPanda, 08 December 2008 - 08:45 PM.


#3 ischemia

  • Topic Starter
  • Members
  • 10 posts

Posted 10 December 2008 - 08:57 AM

Hi Panda,
Thanks so much for your help!

The only thing I've done to the computer since the original post is run McAfee virus scans. The scan yields multiple trojans, but there has been no change to the system behavior.



GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-09 22:43:55
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT spyj.sys ZwCreateKey [0xBA6AB0E0]
SSDT spyj.sys ZwEnumerateKey [0xBA6C8CA2]
SSDT spyj.sys ZwEnumerateValueKey [0xBA6C9030]
SSDT spyj.sys ZwOpenKey [0xBA6AB0C0]
SSDT spyj.sys ZwQueryKey [0xBA6C9108]
SSDT spyj.sys ZwQueryValueKey [0xBA6C8F88]
SSDT spyj.sys ZwSetValueKey [0xBA6C919A]

INT 0x63 ? 8AC62BF8
INT 0x63 ? 8AC62BF8
INT 0x63 ? 8AC62BF8
INT 0x63 ? 8AC62BF8
INT 0x63 ? 8AA10BF8
INT 0x63 ? 8AA10BF8
INT 0x63 ? 8AC62BF8
INT 0x83 ? 8AC65BF8
INT 0x83 ? 8AA10BF8
INT 0x83 ? 8AC65BF8
INT 0x94 ? 8AA10BF8
INT 0x94 ? 8AA10BF8
INT 0xB4 ? 8AA10BF8

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB392E581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB392E5AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB392E515]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB392E541]
Code E2216CE8 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB392E5D5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB392E595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB392E52B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB392E56D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB392E5EB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB392E5BF]
Code B6AE3EAB pIofCallDriver
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B392E5C3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B392E585 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B392E5D9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B392E5EF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP E2216CEC
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B392E599 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP B392E5AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B392E571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP B392E52F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP B392E519 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP B392E545 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? spyj.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B92C28AC 5 Bytes JMP 8AA101D8

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01530000
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0153008C
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01530F97
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01530FA8
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01530FB9
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01530051
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 015300BA
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01530F72
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01530F61
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015300FA
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01530F50
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01530FCA
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0153001B
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0153009D
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01530FE5
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01530036
.text C:\WINDOWS\Explorer.EXE[292] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 015300D5
.text C:\WINDOWS\Explorer.EXE[292] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01500FE5
.text C:\WINDOWS\Explorer.EXE[292] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01500FAF
.text C:\WINDOWS\Explorer.EXE[292] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01500036
.text C:\WINDOWS\Explorer.EXE[292] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0150001B
.text C:\WINDOWS\Explorer.EXE[292] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0150006C
.text C:\WINDOWS\Explorer.EXE[292] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01500000
.text C:\WINDOWS\Explorer.EXE[292] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 01500051
.text C:\WINDOWS\Explorer.EXE[292] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01500FD4
.text C:\WINDOWS\Explorer.EXE[292] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01510000
.text C:\WINDOWS\Explorer.EXE[292] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 0151001B
.text C:\WINDOWS\Explorer.EXE[292] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01510036
.text C:\WINDOWS\Explorer.EXE[292] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 01510FE5
.text C:\WINDOWS\Explorer.EXE[292] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 011A000A
.text C:\WINDOWS\Explorer.EXE[292] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01470000
.text C:\WINDOWS\Explorer.EXE[292] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0119000A
.text C:\WINDOWS\Explorer.EXE[292] WS2_32.dll!send 71AB4C27 5 Bytes JMP 011B000A
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011B0FEF
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011B0F88
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011B007D
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011B006C
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011B005B
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011B0040
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011B0F66
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011B00A2
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011B0F29
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011B0F44
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 011B0F18
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 011B0FB9
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 011B0FDE
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 011B0F77
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 011B0025
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 011B0014
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 011B0F55
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 011A0FC3
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 011A0051
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 011A0FD4
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 011A0FE5
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 011A0F9E
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 011A0000
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 011A0040
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 011A002F
.text C:\WINDOWS\system32\services.exe[1000] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01730000
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 017300AE
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01730FAF
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01730087
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0173006C
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01730FCA
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 017300C9
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01730F8D
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01730F37
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 017300DA
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 017300EB
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0173005B
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0173001B
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01730F9E
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01730FDB
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0173002C
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01730F66
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01710025
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01710FA8
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01710FDE
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01710014
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01710FC3
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01710FEF
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 01710065
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01710040
.text C:\WINDOWS\system32\lsass.exe[1016] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\lsass.exe[1016] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 0172000A
.text C:\WINDOWS\system32\lsass.exe[1016] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 0172001B
.text C:\WINDOWS\system32\lsass.exe[1016] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 0172002C
.text C:\WINDOWS\system32\lsass.exe[1016] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 0172003D
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01570FEF
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01570F51
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01570F62
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01570F73
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01570F90
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01570FB2
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01570077
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01570F2F
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01570EF2
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01570F03
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01570EE1
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01570FA1
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01570FDE
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01570F40
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0157001E
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01570FC3
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01570F14
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01550047
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0155009F
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0155002C
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0155001B
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01550084
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01550000
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 01550073
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01550062
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01560FEF
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 0156000A
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01560025
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 01560FD4
.text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01530FE5
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0117000A
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01170087
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01170F92
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01170076
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01170FC3
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01170FDE
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01170F77
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011700BF
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01170F55
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01170F66
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01170113
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01170065
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0117001B
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 011700A2
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01170FEF
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01170036
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 011700DA
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01160036
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01160FC0
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01160025
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01160014
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01160073
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01160FEF
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 01160062
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01160051
.text C:\WINDOWS\system32\svchost.exe[1400] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02D30FEF
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02D30F8D
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02D30082
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02D30FA8
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02D30FB9
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02D3005B
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02D300B8
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02D30F7C
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02D30F30
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02D300C9
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02D30F1F
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02D30FD4
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02D30014
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02D300A7
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02D3004A
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02D30025
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02D30F55
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02D10FCA
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02D10F8A
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02D1001B
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02D10FE5
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02D10051
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02D10000
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02D10FAF
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ F1, 8A ]
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02D1002C
.text C:\WINDOWS\System32\svchost.exe[1564] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02D2000A
.text C:\WINDOWS\System32\svchost.exe[1564] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02D20FEF
.text C:\WINDOWS\System32\svchost.exe[1564] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02D20FDE
.text C:\WINDOWS\System32\svchost.exe[1564] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02D20FCD
.text C:\WINDOWS\System32\svchost.exe[1564] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01F80FEF
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B50076
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B5005B
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B50F8D
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B50F9E
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B50025
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B50F5A
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B500A2
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B50F49
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B500D8
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B50F2E
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B50040
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B50FE5
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B50091
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B50FB9
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B50FCA
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B500BD
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B40FDB
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B40F9B
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B4002C
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B4001B
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B40058
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B4000A
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00B40FC0
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ D4, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B4003D
.text C:\WINDOWS\system32\svchost.exe[1656] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011A0000
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011A003D
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011A0F48
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011A0022
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011A0F6F
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011A0F9B
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011A006B
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011A005A
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011A0EF7
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011A0086
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 011A0EDC
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 011A0F8A
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 011A0FE5
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 011A0F2D
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 011A0FC0
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 011A0011
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 011A0F08
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D10F9E
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D1002C
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D10FB9
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D10FCA
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D1001B
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00D1000A
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D10F83
.text C:\WINDOWS\system32\svchost.exe[1848] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[1848] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01010000
.text C:\WINDOWS\system32\svchost.exe[1848] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 0101001B
.text C:\WINDOWS\system32\svchost.exe[1848] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01010FE5
.text C:\WINDOWS\system32\svchost.exe[1848] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 01010FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 021D0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 021D0F9B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 021D009A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 021D007F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 021D0FC0
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 021D0047
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 021D00D2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 021D0F8A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 021D010B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 021D0F68
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 021D011C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 021D0058
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 021D001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 021D00AB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 021D0036
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 021D0FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 021D0F79
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 021B0FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 021B0076
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 021B002F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 021B0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 021B005B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 021B0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 021B0FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 3B, 8A ]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 021B004A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02190FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 021C0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 021C0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 021C0FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2856] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 021C0FCD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01730FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01730FB2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 017300A7
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01730FCD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01730080
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01730054
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01730F86
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 017300CE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0173010E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 017300E9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 0173011F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0173006F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01730014
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01730F97
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01730FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0173002F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01730F75
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01710011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01710F79
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01710FCA
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01710FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01710036
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01710000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01710F94
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 91, 89 ]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01710FAF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] WS2_32.dll!socket 71AB4211 5 Bytes JMP 016F0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01720FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01720014
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01720025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3176] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 01720040
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F300A2
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F30FAD
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F30FCA
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F30087
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F3006C
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F300CE
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F300BD
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F30F61
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F300FA
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F30F50
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F3001B
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F30F92
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F30047
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F30036
.text C:\WINDOWS\system32\svchost.exe[3476] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F300DF
.text C:\WINDOWS\system32\svchost.exe[3476] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F10036
.text C:\WINDOWS\system32\svchost.exe[3476] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F10076
.text C:\WINDOWS\system32\svchost.exe[3476] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F10FDB
.text C:\WINDOWS\system32\svchost.exe[3476] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F10011
.text C:\WINDOWS\system32\svchost.exe[3476] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F10FB9
.text C:\WINDOWS\system32\svchost.exe[3476] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[3476] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00F1005B
.text C:\WINDOWS\system32\svchost.exe[3476] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F10FCA
.text C:\WINDOWS\system32\svchost.exe[3476] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\system32\svchost.exe[3476] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00F2000A
.text C:\WINDOWS\system32\svchost.exe[3476] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00F20FD4
.text C:\WINDOWS\system32\svchost.exe[3476] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00F2002F
.text C:\WINDOWS\system32\svchost.exe[3476] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EF0000
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C000A
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F55
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0F66
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F83
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0F94
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FC0
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C008C
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F44
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C00A7
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F0E
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001C0EF3
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001C0FAF
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001C001B
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001C006F
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001C0036
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\System32\svchost.exe[4232] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001C0F33
.text C:\WINDOWS\System32\svchost.exe[4232] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002B0FAF
.text C:\WINDOWS\System32\svchost.exe[4232] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002B0036
.text C:\WINDOWS\System32\svchost.exe[4232] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\System32\svchost.exe[4232] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002B000A
.text C:\WINDOWS\System32\svchost.exe[4232] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002B0025
.text C:\WINDOWS\System32\svchost.exe[4232] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\System32\svchost.exe[4232] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 002B0F83
.text C:\WINDOWS\System32\svchost.exe[4232] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 4B, 88 ]
.text C:\WINDOWS\System32\svchost.exe[4232] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002B0F94
.text C:\WINDOWS\System32\svchost.exe[4232] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\System32\svchost.exe[4232] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00B7000A
.text C:\WINDOWS\System32\svchost.exe[4232] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00B70FDE
.text C:\WINDOWS\System32\svchost.exe[4232] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00B70FCD
.text C:\WINDOWS\System32\svchost.exe[4232] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CE0000

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6AC040] spyj.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6AC13C] spyj.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6AC0BE] spyj.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6AC7FC] spyj.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6AC6D2] spyj.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6BBD92] spyj.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8ACD01F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \FatCdrom 8A73E1F8
Device \Driver\USBSTOR \Device\0000008f 8A778500

AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\sptd \Device\2145967348 spyj.sys
Device \Driver\usbuhci \Device\USBPDO-0 8AA0F1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8ACD21F8
Device \Driver\dmio \Device\DmControl\DmConfig 8ACD21F8
Device \Driver\dmio \Device\DmControl\DmPnP 8ACD21F8
Device \Driver\dmio \Device\DmControl\DmInfo 8ACD21F8
Device \Driver\usbuhci \Device\USBPDO-1 8AA0F1F8
Device \Driver\usbuhci \Device\USBPDO-2 8AA0F1F8
Device \Driver\usbehci \Device\USBPDO-3 8A9EC1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{1414A9D9-9B39-414E-A4D7-A0DCE2B30DF1} 8A7D21F8
Device \Driver\usbuhci \Device\USBPDO-4 8AA0F1F8

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbehci \Device\USBPDO-5 8A9EC1F8
Device \Driver\usbuhci \Device\USBPDO-6 8AA0F1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AC631F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CF66D877-F84B-4AE2-974B-D8532EEDBB3B} 8A7D21F8
Device \Driver\usbuhci \Device\USBPDO-7 8AA0F1F8
Device \Driver\PCI_PNP9848 \Device\00000058 spyj.sys
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AC631F8
Device \Driver\Cdrom \Device\CdRom0 8A993500
Device \Driver\Cdrom \Device\CdRom1 8A993500
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A7D21F8
Device \Driver\NetBT \Device\NetbiosSmb 8A7D21F8

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 8AA0F1F8
Device \Driver\usbuhci \Device\USBFDO-1 8AA0F1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A72E368
Device \Driver\usbuhci \Device\USBFDO-2 8AA0F1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A72E368
Device \Driver\usbehci \Device\USBFDO-3 8A9EC1F8
Device \Driver\usbuhci \Device\USBFDO-4 8AA0F1F8
Device \Driver\Ftdisk \Device\FtControl 8AC631F8
Device \Driver\usbuhci \Device\USBFDO-5 8AA0F1F8
Device \Driver\USBSTOR \Device\0000008b 8A778500
Device \Driver\usbuhci \Device\USBFDO-6 8AA0F1F8
Device \Driver\usbehci \Device\USBFDO-7 8A9EC1F8
Device \Driver\JRAID \Device\Scsi\JRAID1 8ACD11F8
Device \Driver\ax9cthbd \Device\Scsi\ax9cthbd1 8A95F1F8
Device \Driver\ax9cthbd \Device\Scsi\ax9cthbd1Port5Path0Target0Lun0 8A95F1F8
Device \FileSystem\Fastfat \Fat 8A73E1F8

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs 8A7E4500

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\TDSSmxoe.sys (*** hidden *** ) B6AE2000-B6AF4000 (73728 bytes)

---- Threads - GMER 1.0.14 ----

Thread 4:472 B6AE4D66

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\TDSSmxoe.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7A 0xA3 0x5A 0x5B ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x11 0xFB 0x6D ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA5 0xA3 0xA4 0x1C ...
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoipa.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSmupe.dat
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSirxy.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSyavu.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSncur.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSqxnr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSehys.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSwgod.log
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7A 0xA3 0x5A 0x5B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x11 0xFB 0x6D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA5 0xA3 0xA4 0x1C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7A 0xA3 0x5A 0x5B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x11 0xFB 0x6D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA5 0xA3 0xA4 0x1C ...
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoipa.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSmupe.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSirxy.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSyavu.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSncur.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSqxnr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSehys.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSwgod.log
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7A 0xA3 0x5A 0x5B ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x11 0xFB 0x6D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA5 0xA3 0xA4 0x1C ...
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoipa.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSmupe.dat
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSirxy.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSyavu.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSncur.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSqxnr.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSehys.log
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSwgod.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7A 0xA3 0x5A 0x5B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x11 0xFB 0x6D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA5 0xA3 0xA4 0x1C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoipa.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSmupe.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSirxy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSyavu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSncur.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSqxnr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSehys.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSwgod.log
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7A 0xA3 0x5A 0x5B ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x11 0xFB 0x6D ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA5 0xA3 0xA4 0x1C ...
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoipa.dll
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSmupe.dat
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSirxy.dll
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSyavu.dll
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSncur.dll
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSqxnr.dll
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSehys.log
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSwgod.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@affid 112
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@subid v300
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@control 0x09 0x19 0x1F 0x16 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@prov 10010
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@googleadserver pagead2.googlesyndication.com
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@flagged 1

---- EOF - GMER 1.0.14 ----
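The log above is what a responder has to work from, and the useful part is small: the entries GMER marked hidden, the service that loads the hidden driver, and the files that service registers under its key in every control set. The following Python is an added example (not part of this thread and not a GMER feature) that pulls exactly that out of GMER-formatted lines; the sample input is a constructed, shortened subset of the log above, and registry entries that do not belong to a hidden service are listed separately for the analyst to judge rather than classified by the script.

```python
"""Triage helper for GMER rootkit-scan output (added example; not part of
the thread and not a GMER feature).

Given log lines in the format posted above, it collects the entries GMER
flagged as hidden, ties a hidden service to the registry keys that persist
it in every control set, and lists the files those keys reference
(imagepath plus every value under the service's 'modules' subkey).
"""
import re
from dataclasses import dataclass, field

# Constructed subset of the GMER log above; same line format, shortened.
SAMPLE_GMER_LOG = r"""
Module \systemroot\system32\drivers\TDSSmxoe.sys (*** hidden *** ) B6AE2000-B6AF4000 (73728 bytes)
Service C:\WINDOWS\system32\drivers\TDSSmxoe.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSirxy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSyavu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@affid 112
"""

HIDDEN_RE = re.compile(
    r"^(?P<kind>Module|Service)\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)(?P<rest>.*)$")
SERVICE_NAME_RE = re.compile(r"\[(?P<group>[^\]]+)\]\s+(?P<name>\S+)")
# 'Reg <key>' or 'Reg <key>@<value> <data>'; keys may contain spaces.
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@]+?)(?:@(?P<value>\S+)(?:\s+(?P<data>.*))?)?\s*$")


@dataclass
class Triage:
    hidden: list = field(default_factory=list)      # (kind, path) GMER marked hidden
    services: dict = field(default_factory=dict)    # name -> {"keys": set, "files": set}
    other_keys: set = field(default_factory=set)    # Reg entries not tied to a hidden service


def _service_root(name, key):
    """Return the per-control-set service key if `key` is it or one of its subkeys."""
    pat = r"(?i)^(HKLM\\SYSTEM\\[^\\]+\\Services\\" + re.escape(name) + r")(\\.*)?$"
    m = re.match(pat, key)
    return m.group(1) if m else None


def triage_gmer(log_text):
    """Parse GMER-formatted lines into a Triage report."""
    t = Triage()
    reg_entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HIDDEN_RE.match(line)
        if m:
            t.hidden.append((m["kind"], m["path"]))
            if m["kind"] == "Service":
                s = SERVICE_NAME_RE.search(m["rest"])
                if s:
                    t.services.setdefault(s["name"], {"keys": set(), "files": set()})
            continue
        m = REG_RE.match(line)
        if m:
            reg_entries.append((m["key"].strip(), m["value"], (m["data"] or "").strip()))

    # Second pass: attribute registry entries to the hidden services found above.
    for key, value, data in reg_entries:
        owner = None
        for name, info in t.services.items():
            root = _service_root(name, key)
            if root:
                owner = info
                info["keys"].add(root)
                break
        if owner is None:
            t.other_keys.add(key)
            continue
        # imagepath and every value under <service>\modules name a file on disk.
        if value and data and (value.lower() == "imagepath" or key.lower().endswith("\\modules")):
            owner["files"].add(data)
    return t


if __name__ == "__main__":
    report = triage_gmer(SAMPLE_GMER_LOG)
    for kind, path in report.hidden:
        print(f"hidden {kind.lower()}: {path}")
    for name, info in report.services.items():
        print(f"service {name}: {len(info['keys'])} persistence keys, {len(info['files'])} files")
        for f in sorted(info["files"]):
            print("  file", f)
    for key in sorted(report.other_keys):
        print("review key", key)
```

Run against the full log above, the file set it returns is the same list of TDSS* files that the helper later puts into the fix scripts, and the key set covers every ControlSetNNN copy, which is why a cleanup that touches only CurrentControlSet is not enough.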

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:04:23 PM

Posted 10 December 2008 - 09:06 PM

Hello ischemia.

You've got a nasty infection.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable McAfee:
  • Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
    Right-click it -> chose Exit.
  • A popup will warn that protection will now be disabled. Click on Yes to disable the Antivirus guard.
To disable SpyBot's TeaTimer:
You can find instructions with visuals here.
  • Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
  • On the left hand side, Click on Tools.
  • Click on the Resident icon in the list.
  • Uncheck Resident TeaTimer and OK any prompts.
  • Download ResetTeaTimer.bat and run it to remove entries set by TeaTimer. If you are not using Internet Explorer, you may not be prompted to download the file when you click it. In that case, right click it and select "Save Target/Link as" and save the file onto your desktop.
    The file should take only a second to finish. Delete this file after use.
Restart your computer for the changes to take effect.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Download The Avenger and Run Script
Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Right click and extract avenger.exe to your desktop
  • Start the Avenger by clicking on its icon on your desktop.
  • Copy all the text contained in the quote box below to your Clipboard by highlighting it, right clicking and selecting Copy:
    Drivers to Disable:
    82418b69
    TDSSserv.sys
    
    Registry keys to delete:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata 
    HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys
    HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys 
    HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys 
    HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys 
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winhdn32
  • Click Posted Image to paste the script from the clipboard.
  • Click the Execute button
  • Answer Yes twice when prompted.
The process is completely automatic. Do not touch your computer until a log file opens.

The Avenger will do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt (considering your operating drive is C:). Post back with it in your next reply.
Run Fix with OTScanIt
We will run OTScanIt with directives. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Kill Explorer]
    [Driver Services - Safe List]
    YY -> (82418b69) 82418b69 [Kernel | System | Stopped] -> %SystemRoot%\system32\drivers\82418b69.sys
    [Registry - Safe List]
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {35A70310-1839-4246-B263-8638F836114C} [HKLM] -> %SystemRoot%\system32\xxyyxyAS.dll [Reg Error: Value  does not exist or could not be read.]
    YN -> {3AD3058A-5CE0-4BDE-AAE4-8856F14A1D38} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {57170587-99a2-41e6-82ee-57ddb80a33ff} [HKLM] -> %SystemRoot%\system32\linivini.dll [Reg Error: Value  does not exist or could not be read.]
    YN -> {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {6EB67C22-DAD7-4182-B25E-673E7C778F7D} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {afe5a9e3-9c2f-4794-8ab3-da7895582240} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {FA3CAB08-E27B-4032-83CC-AC79997F7375} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "\VIE396.exe" -> %SystemRoot%\System32\VIE396.exe [C:\Windows\System32\VIE396.exe]
    YN -> "\VIE397.exe" -> %SystemRoot%\System32\VIE397.exe [C:\Windows\System32\VIE397.exe]
    YN -> "\VIE398.exe" -> %SystemRoot%\System32\VIE398.exe [C:\Windows\System32\VIE398.exe]
    YN -> "\VIE399.exe" -> %SystemRoot%\System32\VIE399.exe [C:\Windows\System32\VIE399.exe]
    YN -> "\VIE3B3.exe" -> %SystemRoot%\System32\VIE3B3.exe [C:\Windows\System32\VIE3B3.exe]
    YN -> "18cd96fb" -> %SystemRoot%\system32\sceyyokt.dll [rundll32.exe "C:\WINDOWS\system32\sceyyokt.dll",b]
    YN -> "McAfeeUpdaterUI" -> ["C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey]
    YN -> "ShStatEXE" -> ["C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE]
    YN -> "vumofisago" -> %SystemRoot%\system32\sebodawe.dll [Rundll32.exe "C:\WINDOWS\system32\sebodawe.dll",s]
    < Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "Aim6" -> []
    YN -> "VIE396.exe" -> %SystemRoot%\System32\VIE396.exe [C:\Windows\System32\VIE396.exe]
    YN -> "VIE397.exe" -> %SystemRoot%\System32\VIE397.exe [C:\Windows\System32\VIE397.exe]
    YN -> "VIE398.exe" -> %SystemRoot%\System32\VIE398.exe [C:\Windows\System32\VIE398.exe]
    YN -> "VIE399.exe" -> %SystemRoot%\System32\VIE399.exe [C:\Windows\System32\VIE399.exe]
    YN -> "VIE3B3.exe" -> %SystemRoot%\System32\VIE3B3.exe [C:\Windows\System32\VIE3B3.exe]
    < Run [HKEY_USERS\S-1-5-21-299502267-1500820517-839522115-500\] > -> HKEY_USERS\S-1-5-21-299502267-1500820517-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "Aim6" -> []
    YN -> "VIE396.exe" -> %SystemRoot%\System32\VIE396.exe [C:\Windows\System32\VIE396.exe]
    YN -> "VIE397.exe" -> %SystemRoot%\System32\VIE397.exe [C:\Windows\System32\VIE397.exe]
    YN -> "VIE398.exe" -> %SystemRoot%\System32\VIE398.exe [C:\Windows\System32\VIE398.exe]
    YN -> "VIE399.exe" -> %SystemRoot%\System32\VIE399.exe [C:\Windows\System32\VIE399.exe]
    YN -> "VIE3B3.exe" -> %SystemRoot%\System32\VIE3B3.exe [C:\Windows\System32\VIE3B3.exe]
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    *LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    YN -> C:\WINDOWS\system32\xxyyxyAS -> %SystemRoot%\system32\xxyyxyAS.dll
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    [Files/Folders - Created Within 30 Days]
    NY -> tkoyyecs.ini -> %SystemRoot%\System32\tkoyyecs.ini
    NY -> sceyyokt.dll -> %SystemRoot%\System32\sceyyokt.dll
    NY -> cuoixg.dll -> %SystemRoot%\System32\cuoixg.dll
    NY -> qkvrtdpf.dll -> %SystemRoot%\System32\qkvrtdpf.dll
    NY -> yrnovm.dll -> %SystemRoot%\System32\yrnovm.dll
    NY -> gonhayyn.dll -> %SystemRoot%\System32\gonhayyn.dll
    NY -> fptjxsyl.ini -> %SystemRoot%\System32\fptjxsyl.ini
    NY -> lysxjtpf.dll -> %SystemRoot%\System32\lysxjtpf.dll
    NY -> lilych.dll -> %SystemRoot%\System32\lilych.dll
    NY -> hscwyeyv.dll -> %SystemRoot%\System32\hscwyeyv.dll
    NY -> jcjnsrny.ini -> %SystemRoot%\System32\jcjnsrny.ini
    NY -> ynrsnjcj.dll -> %SystemRoot%\System32\ynrsnjcj.dll
    NY -> fimcbgxw.ini -> %SystemRoot%\System32\fimcbgxw.ini
    NY -> wxgbcmif.dll -> %SystemRoot%\System32\wxgbcmif.dll
    NY -> xluibz.dll -> %SystemRoot%\System32\xluibz.dll
    NY -> fnkiioyx.dll -> %SystemRoot%\System32\fnkiioyx.dll
    NY -> ~.exe -> %SystemRoot%\System32\~.exe
    NY -> spkvmvji.ini -> %SystemRoot%\System32\spkvmvji.ini
    NY -> ijvmvkps.dll -> %SystemRoot%\System32\ijvmvkps.dll
    NY -> seonrm.dll -> %SystemRoot%\System32\seonrm.dll
    NY -> ersqblly.dll -> %SystemRoot%\System32\ersqblly.dll
    NY -> ezdiej.dll -> %SystemRoot%\System32\ezdiej.dll
    NY -> jlgygrcd.dll -> %SystemRoot%\System32\jlgygrcd.dll
    NY -> xrrjhnre.ini -> %SystemRoot%\System32\xrrjhnre.ini
    NY -> ernhjrrx.dll -> %SystemRoot%\System32\ernhjrrx.dll
    NY -> tgqoiovg.dll -> %SystemRoot%\System32\tgqoiovg.dll
    NY -> gdlgsx.dll -> %SystemRoot%\System32\gdlgsx.dll
    NY -> tmqejcwa.ini -> %SystemRoot%\System32\tmqejcwa.ini
    NY -> ynrjlhcf.dll -> %SystemRoot%\System32\ynrjlhcf.dll
    NY -> owhipmmu.ini -> %SystemRoot%\System32\owhipmmu.ini
    NY -> onzjtv.dll -> %SystemRoot%\System32\onzjtv.dll
    NY -> ilcsypfp.ini -> %SystemRoot%\System32\ilcsypfp.ini
    NY -> bkalmv.dll -> %SystemRoot%\System32\bkalmv.dll
    NY -> yhoxsa.dll -> %SystemRoot%\System32\yhoxsa.dll
    NY -> cmfkopdc.dll -> %SystemRoot%\System32\cmfkopdc.dll
    NY -> cfiaumoa.ini -> %SystemRoot%\System32\cfiaumoa.ini
    NY -> aomuaifc.dll -> %SystemRoot%\System32\aomuaifc.dll
    NY -> absiprin.ini -> %SystemRoot%\System32\absiprin.ini
    NY -> vwihip.dll -> %SystemRoot%\System32\vwihip.dll
    NY -> lyjyuymx.ini -> %SystemRoot%\System32\lyjyuymx.ini
    NY -> SAyxyyxx.ini2 -> %SystemRoot%\System32\SAyxyyxx.ini2
    NY -> SAyxyyxx.ini -> %SystemRoot%\System32\SAyxyyxx.ini
    NY -> xxyyxyAS.dll -> %SystemRoot%\System32\xxyyxyAS.dll
    NY -> 82418b69.sys -> %SystemRoot%\System32\drivers\82418b69.sys
    NY -> uesiuqcr.exe -> %SystemRoot%\System32\uesiuqcr.exe
    NY -> mfmmhajf.exe -> %SystemDrive%\mfmmhajf.exe
    NY -> bwnygqmc.job -> %SystemRoot%\tasks\bwnygqmc.job
    NY -> wvUoomNe.dll.vir -> %SystemRoot%\System32\wvUoomNe.dll.vir
    NY -> winhdn32.dll -> %SystemRoot%\System32\winhdn32.dll
    [Custom Items]
    :reg
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_Dlls"=""
    :files
    c:\windows\system32\drivers\TDSSmxoe.sys
    c:\windows\system32\TDSSoipa.dll
    c:\windows\system32\TDSSmupe.dat
    c:\windows\system32\TDSSirxy.dll
    c:\windows\system32\TDSSyavu.dll
    c:\windows\system32\TDSSncur.dll
    c:\windows\system32\TDSSqxnr.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSsahc.dll
    c:\windows\system32\TDSSehys.log
    c:\windows\system32\TDSSwgod.log
    :end
    [Empty Temp Folders]
    [Reboot]
  • Close all windows except OTScanIt.
  • Click the Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Re-enable your protection at this time.

Please post back with:
-the Avenger log
-the OTScanIt fix log
-a new OTScanIt scan log (settings at default, attached). You may run out of attachment space. If so, go to your Control Panel to remove your previous attachments to make room for new ones.
-a new GMER log

With Regards,
The Panda
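A fix script like the Avenger one above only helps if someone checks what the tool actually did, and the Avenger log posted later in this thread shows why: every target is reported done except one registry key, which failed with STATUS_OBJECT_NAME_NOT_FOUND. The Python below is an added example (not the forum's, Avenger's or OTScanIt's own code) that reconciles an Avenger-style script against an Avenger-style log and lists the leftovers. Both inputs are constructed from the script above and from that later log; note that the log prints the failed key as "WindowsNT" without the space, so matching normalises whitespace before comparing.

```python
"""Reconcile an Avenger cleanup script with the log it produced (added
example; not the forum's or Avenger's own code).

Script format follows the one pasted in the reply above; log format
follows the Avenger log posted later in the thread. Each script target is
looked up in the log and classified as done, failed or unreported, so that
leftovers are visible before the machine is declared clean.
"""
import re

# Constructed from the script in the reply above (same targets, shortened).
SAMPLE_SCRIPT = r"""
Drivers to Disable:
82418b69
TDSSserv.sys

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winhdn32
"""

# Constructed from the Avenger log posted later in the thread (shortened).
SAMPLE_LOG = r"""
Driver "82418b69" disabled successfully.
Driver "TDSSserv.sys" disabled successfully.
Registry key "HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys" deleted successfully.

Error: registry key "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\tdssdata" not found!
Deletion of registry key "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\tdssdata" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winhdn32" deleted successfully.
"""

# "Drivers to Disable:", "Registry keys to delete:", "Files to delete:" ...
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) to (?P<action>\w+):$")
DONE_RE = re.compile(r'"(?P<target>[^"]+)"\s+\w+ successfully\.')
FAIL_RE = re.compile(r'"(?P<target>[^"]+)"\s+failed!')
ERROR_RE = re.compile(r'^Error:\s+.*?"(?P<target>[^"]+)"\s+(?P<reason>.+?)!$')


def _norm(s):
    """Match key: case-insensitive and whitespace-free (the log dropped a space)."""
    return re.sub(r"\s+", "", s).lower()


def parse_script(text):
    """Return {section name: [targets]} for an Avenger-style script."""
    targets, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"].lower()
            targets[section] = []
        elif section:
            targets[section].append(line)
    return targets


def parse_log(text):
    """Return {normalised target: (status, detail)} from an Avenger-style log."""
    results = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ERROR_RE.match(line)
        if m:                       # "Error: ... "X" not found!" carries the reason
            results[_norm(m["target"])] = ("failed", m["reason"])
            continue
        m = FAIL_RE.search(line)
        if m:                       # keep an earlier reason if one was recorded
            results.setdefault(_norm(m["target"]), ("failed", "see log"))
            continue
        m = DONE_RE.search(line)
        if m:
            results[_norm(m["target"])] = ("done", line)
    return results


def reconcile(script_text, log_text):
    """Map each script target to (section, status, detail)."""
    log = parse_log(log_text)
    report = {}
    for section, targets in parse_script(script_text).items():
        for t in targets:
            status, detail = log.get(_norm(t), ("unreported", ""))
            report[t] = (section, status, detail)
    return report


def leftovers(report):
    """Targets the log does not confirm as done; these need a second look."""
    return sorted(t for t, (_, status, _) in report.items() if status != "done")


if __name__ == "__main__":
    rep = reconcile(SAMPLE_SCRIPT, SAMPLE_LOG)
    for target, (section, status, detail) in rep.items():
        print(f"{status:10} {section:14} {target}  {detail if status != 'done' else ''}")
    print("leftovers:", leftovers(rep))
```

"Unreported" is deliberately distinct from "failed": a target the log never mentions is as unresolved as one that errored, and both belong in the next reply to the helper together with a fresh rootkit scan.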

#5 ischemia

ischemia
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:23 PM

Posted 10 December 2008 - 10:53 PM

Thank you for your help Panda.

I will disinfect the computer and back up data and probably reformat in the future.

One issue before I begin the process you outlined in your last reply. I have McAfee OAS Enterprise version installed on the computer (free download from my University). Instead of a red M, I have a V on a blue shield. I do not know how to disable the antivirus -- it's not a simple right click -> exit. Do you know how to disable this type of antivirus, or is it safe to run the rest of the process without disabling?

Thanks.

Edited by ischemia, 10 December 2008 - 10:56 PM.


#6 ischemia

ischemia
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:23 PM

Posted 10 December 2008 - 11:43 PM

Also, I've realized that I cannot open Spybot-S&D. After double clicking the tray icon, I get an hour-glass cursor, but the window never opens. I'm not sure how to determine whether I'm in advanced mode or how to disable the TeaTimer.

Sorry for the trouble.

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:04:23 PM

Posted 10 December 2008 - 11:44 PM

Hello ischemia.

Try playing around with the settings. There should be a section labeled "realtime protection". If you are unable to disable it, then proceed anyways.

There is a slight risk of something going whack though.

With Regards,
The Panda

#8 ischemia

ischemia
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:23 PM

Posted 11 December 2008 - 01:06 AM

Avenger Log

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSmxoe.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "82418b69" disabled successfully.
Driver "TDSSserv.sys" disabled successfully.
Registry key "HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys" deleted successfully.

Error: registry key "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\tdssdata" not found!
Deletion of registry key "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\tdssdata" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winhdn32" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



New GMER Log

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-11 01:01:35
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT spul.sys ZwCreateKey [0xBA6AB0E0]
SSDT spul.sys ZwEnumerateKey [0xBA6C8CA2]
SSDT spul.sys ZwEnumerateValueKey [0xBA6C9030]
SSDT spul.sys ZwOpenKey [0xBA6AB0C0]
SSDT spul.sys ZwQueryKey [0xBA6C9108]
SSDT spul.sys ZwQueryValueKey [0xBA6C8F88]
SSDT spul.sys ZwSetValueKey [0xBA6C919A]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB6F06F20]

INT 0x63 ? 8AC62BF8
INT 0x63 ? 8AC62BF8
INT 0x63 ? 8AC62BF8
INT 0x63 ? 8AC62BF8
INT 0x63 ? 8A9F6F00
INT 0x63 ? 8A9F6F00
INT 0x63 ? 8AC62BF8
INT 0x83 ? 8AC65BF8
INT 0x83 ? 8A9F6F00
INT 0x83 ? 8AC65BF8
INT 0x94 ? 8A9F6F00
INT 0x94 ? 8A9F6F00
INT 0xB4 ? 8A9F6F00

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB4077515]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB4077541]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB407752B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB407756D]

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B4077571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP B407752F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP B4077519 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP B4077545 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? spul.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B99098AC 5 Bytes JMP 8A9F64E0
.text a9o80iku.SYS B982C384 1 Byte [ 20 ]
.text a9o80iku.SYS B982C386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text a9o80iku.SYS B982C3AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text a9o80iku.SYS B982C3C4 3 Bytes [ 00, 00, 00 ]
.text a9o80iku.SYS B982C3C9 1 Byte [ 00 ]
.text ...

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6AC040] spul.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6AC13C] spul.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6AC0BE] spul.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6AC7FC] spul.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6AC6D2] spul.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6BBD92] spul.sys
IAT \SystemRoot\System32\Drivers\a9o80iku.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\a9o80iku.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\a9o80iku.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\a9o80iku.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\a9o80iku.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\a9o80iku.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\a9o80iku.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\a9o80iku.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\a9o80iku.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\a9o80iku.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\a9o80iku.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\a9o80iku.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\a9o80iku.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\a9o80iku.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\a9o80iku.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8ACD01F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \FatCdrom 8A83F500
Device \Driver\USBSTOR \Device\0000008f 8A83E500

AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\sptd \Device\2378129524 spul.sys
Device \Driver\usbuhci \Device\USBPDO-0 8A9F51F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8ACD21F8
Device \Driver\dmio \Device\DmControl\DmConfig 8ACD21F8
Device \Driver\dmio \Device\DmControl\DmPnP 8ACD21F8
Device \Driver\dmio \Device\DmControl\DmInfo 8ACD21F8
Device \Driver\usbuhci \Device\USBPDO-1 8A9F51F8
Device \Driver\usbuhci \Device\USBPDO-2 8A9F51F8
Device \Driver\usbehci \Device\USBPDO-3 8A9CD500
Device \Driver\NetBT \Device\NetBT_Tcpip_{1414A9D9-9B39-414E-A4D7-A0DCE2B30DF1} 8A8FA500
Device \Driver\usbuhci \Device\USBPDO-4 8A9F51F8

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbehci \Device\USBPDO-5 8A9CD500
Device \Driver\usbuhci \Device\USBPDO-6 8A9F51F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AC631F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CF66D877-F84B-4AE2-974B-D8532EEDBB3B} 8A8FA500
Device \Driver\usbuhci \Device\USBPDO-7 8A9F51F8
Device \Driver\PCI_PNP2024 \Device\00000058 spul.sys
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AC631F8
Device \Driver\Cdrom \Device\CdRom0 8A9811F8
Device \Driver\Cdrom \Device\CdRom1 8A9811F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A8FA500
Device \Driver\NetBT \Device\NetbiosSmb 8A8FA500

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 8A9F51F8
Device \Driver\usbuhci \Device\USBFDO-1 8A9F51F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AA2F368
Device \Driver\usbuhci \Device\USBFDO-2 8A9F51F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AA2F368
Device \Driver\usbehci \Device\USBFDO-3 8A9CD500
Device \Driver\usbuhci \Device\USBFDO-4 8A9F51F8
Device \Driver\Ftdisk \Device\FtControl 8AC631F8
Device \Driver\usbuhci \Device\USBFDO-5 8A9F51F8
Device \Driver\USBSTOR \Device\0000008b 8A83E500
Device \Driver\usbuhci \Device\USBFDO-6 8A9F51F8
Device \Driver\usbehci \Device\USBFDO-7 8A9CD500
Device \Driver\a9o80iku \Device\Scsi\a9o80iku1Port5Path0Target0Lun0 8A942500
Device \Driver\JRAID \Device\Scsi\JRAID1 8ACD11F8
Device \Driver\a9o80iku \Device\Scsi\a9o80iku1 8A942500
Device \FileSystem\Fastfat \Fat 8A83F500

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs 8A841500

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\TDSSmxoe.sys (*** hidden *** ) [DISABLED] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7A 0xA3 0x5A 0x5B ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x11 0xFB 0x6D ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA5 0xA3 0xA4 0x1C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7A 0xA3 0x5A 0x5B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x11 0xFB 0x6D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA5 0xA3 0xA4 0x1C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7A 0xA3 0x5A 0x5B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x11 0xFB 0x6D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA5 0xA3 0xA4 0x1C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7A 0xA3 0x5A 0x5B ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x11 0xFB 0x6D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA5 0xA3 0xA4 0x1C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7A 0xA3 0x5A 0x5B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x11 0xFB 0x6D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA5 0xA3 0xA4 0x1C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoipa.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSmupe.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSirxy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSyavu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSncur.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSqxnr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSehys.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSwgod.log
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7A 0xA3 0x5A 0x5B ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x11 0xFB 0x6D ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA5 0xA3 0xA4 0x1C ...
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys@start 4
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmxoe.sys
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoipa.dll
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSmupe.dat
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSirxy.dll
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSyavu.dll
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSncur.dll
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSqxnr.dll
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSehys.log
Reg HKLM\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSwgod.log

---- EOF - GMER 1.0.14 ----


Thanks so much for your patience and help!

Attached Files


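The GMER log above is the core evidence in this post: every SSDT and kernel-code hook is attributed to one of three drivers (McAfee's mfehidk.sys, SUPERAntiSpyware's SASKUTIL.sys, and spul.sys, which the Device and Registry sections tie to DAEMON Tools' sptd), while the Services section shows one service GMER could only see by bypassing the normal API. Reading such a log comes down to two questions: which drivers own the hooks, and is anything hidden. The Python script below is an added example written for this page, not part of the thread or of GMER; it parses a handful of lines in GMER's output format (copied from the log above, plus one constructed SSDT line for a hypothetical `example_unknown.sys` so the allowlist has something to flag), groups hooks by owning driver, and reports hidden services, hooks owned by drivers outside a vendor allowlist, and inline patches GMER could not attribute to any module. The allowlist itself is an assumption drawn from the vendor annotations in this log; on a real case you would verify each driver's signature and path, not trust its file name.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the GMER log posted above, plus one constructed
# line (the example_unknown.sys SSDT entry) so the allowlist check has a hit.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT spul.sys ZwCreateKey [0xBA6AB0E0]
SSDT spul.sys ZwOpenKey [0xBA6AB0C0]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB6F06F20]
SSDT \SystemRoot\system32\drivers\example_unknown.sys ZwQueryDirectoryFile [0x0BADF00D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB4077515]

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B4077571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text USBPORT.SYS!DllUnload B99098AC 5 Bytes JMP 8A9F64E0

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\TDSSmxoe.sys (*** hidden *** ) [DISABLED] TDSSserv.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----
"""

# "SSDT <driver> [(vendor)] <Zw function> [0xADDR]" and the same shape for "Code".
HOOK_RE = re.compile(
    r"^(?:SSDT|Code)\s+(?P<driver>.+?)(?:\s+\((?P<vendor>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[0x[0-9A-F]+\]$"
)
# "PAGE/.text <module!symbol> <addr> <n> Bytes JMP <addr> [<driver> [(vendor)]]".
PATCH_RE = re.compile(
    r"^(?:PAGE|\.text)\s+(?P<target>\S+)\s+[0-9A-F]+\s+\d+ Bytes?\s+JMP\s+[0-9A-F]+"
    r"(?:\s+(?P<driver>\S+)(?:\s+\((?P<vendor>[^)]*)\))?)?$"
)
# "Service <image> (*** hidden *** ) [STATE] <name> ..." from the Services section.
HIDDEN_SVC_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<state>\w+)\]\s+(?P<name>\S+)"
)

# Drivers whose hooks are expected on this machine. Assumption: built from the
# vendor annotations GMER printed and from the log's sptd entries that point at
# DAEMON Tools Lite (spul.sys backs \Driver\sptd). Verify signature and path
# before trusting a file name on a real case.
KNOWN_HOOKING_DRIVERS = {
    "mfehidk.sys": "McAfee host intrusion detection",
    "saskutil.sys": "SUPERAntiSpyware",
    "spul.sys": "DAEMON Tools (sptd)",
}


def basename(path):
    """Last component of a Windows path, lower-cased for allowlist lookups."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    hooks = defaultdict(list)   # driver basename -> functions it hooks or patches
    unattributed = []           # inline JMPs GMER could not tie to a module
    hidden = []                 # (service name, image path, start state)
    for line in log_text.splitlines():
        line = line.strip()
        if m := HOOK_RE.match(line):
            hooks[basename(m["driver"])].append(m["func"])
        elif m := PATCH_RE.match(line):
            if m["driver"]:
                hooks[basename(m["driver"])].append(m["target"])
            else:
                unattributed.append(m["target"])
        elif m := HIDDEN_SVC_RE.match(line):
            hidden.append((m["name"], m["image"], m["state"]))

    findings = []
    for name, image, state in hidden:
        findings.append(f"HIGH: hidden service {name} -> {image} [{state}]: "
                        "rootkit; remove the driver file and the service key")
    for drv, funcs in sorted(hooks.items()):
        if drv in KNOWN_HOOKING_DRIVERS:
            findings.append(f"INFO: {drv} hooks {len(funcs)} function(s); "
                            f"expected for {KNOWN_HOOKING_DRIVERS[drv]}")
        else:
            findings.append(f"HIGH: unrecognised driver {drv} hooks {', '.join(funcs)}")
    for target in unattributed:
        findings.append(f"MEDIUM: inline JMP in {target} not attributed to any module; "
                        "inspect the destination")
    return {"hooks_by_driver": dict(hooks), "hidden_services": hidden,
            "unattributed_patches": unattributed, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_GMER_LOG)["findings"]:
        print(finding)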

#9 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 11 December 2008 - 04:32 AM

Hello.

Looks better. We knocked out the main infection. Now let's mop up the rest.

Once again, please disable protection before running fixes.

Submit File to Online Scanner
There is an unidentified file that I would like you to check out for me using Jotti/VirusTotal.
  • Open Jotti Online Scanner, or VirusTotal Online Scanner. If one site is busy or down, try the other.
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • C:\Program Files\Winamp\winampa.exe
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
Run a Script With the Avenger
  • Copy all the text contained in the quote box below to your Clipboard by highlighting it, right-clicking and selecting Copy:
    Drivers to delete:
    TDSSserv.sys
    
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\TDSSserv.sys
  • Start the Avenger by clicking on its icon on your desktop.
  • Click the paste button to paste the script from the clipboard.
  • Click the Execute button
  • Answer Yes twice when prompted.
  • On reboot(s), a log will open. Post back with it.
Run Fix with OTScanIt
We will run OTScanIt with directives. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Registry - Safe List]
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YY -> {06e9eec8-abfa-4310-a217-2241460d0e12} [HKLM] -> %SystemRoot%\system32\ikpwii.dll [Reg Error: Value  does not exist or could not be read.]
    YY -> {57170587-99a2-41e6-82ee-57ddb80a33ff} [HKLM] -> %SystemRoot%\system32\nahotifo.dll [Reg Error: Value  does not exist or could not be read.]
    YN -> {5A4A5009-6C2F-4993-99FB-6B4E17BAA46A} [HKLM] -> %SystemRoot%\system32\xxyyxyAS.dll [Reg Error: Value  does not exist or could not be read.]
    YN -> {8C7B029A-63E6-454C-9598-F594D1641CB3} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YY -> "vumofisago" -> %SystemRoot%\system32\zovudala.dll [Rundll32.exe "C:\WINDOWS\system32\zovudala.dll",s]
    < Run [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YY -> "vumofisago" -> %SystemRoot%\system32\zovudala.dll [Rundll32.exe "C:\WINDOWS\system32\zovudala.dll",s]
    < Run [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YY -> "vumofisago" -> %SystemRoot%\system32\zovudala.dll [Rundll32.exe "C:\WINDOWS\system32\zovudala.dll",s]
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    *AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
    YN -> ":filesc:\windows\system32\drivers\TDSSmxoe.sysc:\windows\system32\TDSSoipa.dllc:\windows\system32\TDSSmupe.datc:\windows\system32\TDSSirxy.dllc:\windows\system32\TDSSyavu.dllc:\windows\system32\TDSSncur.dllc:\windows\system32\TDSSqxnr.dllc:\windows\system32\TDSSnmxh.logc:\windows\system32\TDSSsahc.dllc:\windows\system32\TDSSehys.logc:\windows\system32\TDSSwgod.lo,C:\WINDOWS\system32\hewalote.dll" -> 
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    < Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    YN -> winhdn32 -> 
    < ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    YN -> "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}" [HKLM] -> Reg Error: Key does not exist or could not be opened. []
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    *LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    YN -> C:\WINDOWS\system32\xxyyxyAS -> 
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    [Files/Folders - Created Within 30 Days]
    NY -> ikpwii.dll -> %SystemRoot%\System32\ikpwii.dll
    NY -> dmjucrqb.dll -> %SystemRoot%\System32\dmjucrqb.dll
    NY -> awbicegv.ini -> %SystemRoot%\System32\awbicegv.ini
    NY -> vgecibwa.dll -> %SystemRoot%\System32\vgecibwa.dll
    NY -> TDSSqxnr.dll -> %SystemRoot%\System32\TDSSqxnr.dll
    NY -> TDSSncur.dll -> %SystemRoot%\System32\TDSSncur.dll
    NY -> TDSSyavu.dll -> %SystemRoot%\System32\TDSSyavu.dll
    NY -> TDSSirxy.dll -> %SystemRoot%\System32\TDSSirxy.dll
    NY -> TDSSmupe.dat -> %SystemRoot%\System32\TDSSmupe.dat
    NY -> TDSSoipa.dll -> %SystemRoot%\System32\TDSSoipa.dll
    NY -> TDSSmxoe.sys -> %SystemRoot%\System32\drivers\TDSSmxoe.sys
    [Files/Folders - Modified Within 30 Days]
    NY -> 9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    NY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY -> harelepi -> %SystemRoot%\System32\harelepi
    NY -> TDSSqxnr.dll -> %SystemRoot%\System32\TDSSqxnr.dll
    NY -> ikpwii.dll -> %SystemRoot%\System32\ikpwii.dll
    NY -> dmjucrqb.dll -> %SystemRoot%\System32\dmjucrqb.dll
    NY -> awbicegv.ini -> %SystemRoot%\System32\awbicegv.ini
    NY -> vgecibwa.dll -> %SystemRoot%\System32\vgecibwa.dll
    NY -> gawajaso.dll -> %SystemRoot%\System32\gawajaso.dll
    NY -> kugokigu.dll -> %SystemRoot%\System32\kugokigu.dll
    [Custom Items]
    :files
    C:\WINDOWS\system32\xxyyxyAS.dll
    :end
  • Close all windows except OTScanIt.
  • Click the Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Download and run Malwarebytes Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

You can refer to this page which has a visual of the instructions above.


Please post back with:
-the Jotti scan result
-the Avenger log
-the OTScanIt fix log
-the Malwarebytes logs
-a new OTScanIt log (default settings, attached). You may run out of attachment space. If so, go to your Control Panel to remove your previous attachments to make room for new ones.

How is your computer running now?

By the way, is your McAfee program active? Is the subscription active?

With Regards,
The Panda
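
The OTScanIt fix above works in two passes: anything it cannot move or delete while the system is live is deferred to a reboot, and a second section of the log records what happened then. The practical question after such a fix is which deferred items the reboot pass actually confirmed gone and which still need hands-on verification or another fix. The Python script below is an added example for this page, not part of the thread or of OldTimer's tool. It parses a constructed log in the format OTScanIt's fix log uses in this thread (targets taken from the fix script above, with the AppInit_DLLs value data shortened), counts the first-pass outcomes, and lists every deferred item that the reboot pass did not report as moved, deleted or already absent. Matching between the two passes is by normalized path string, which is an assumption about how the tool names targets; a deferred item that the reboot pass reports as failed again stays in the unresolved list.

```python
import re

# Constructed sample in the OTScanIt fix-log format seen in this thread. The
# targets are the ones named in the fix script above; the AppInit_DLLs value
# data is shortened to a single DLL for readability.
SAMPLE_FIX_LOG = r"""
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06e9eec8-abfa-4310-a217-2241460d0e12}\ deleted successfully.
C:\WINDOWS\system32\ikpwii.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vumofisago deleted successfully.
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:"C:\WINDOWS\system32\hewalote.dll" scheduled to be deleted on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winhdn32\ deleted successfully.
[Files/Folders - Created Within 30 Days]
File C:\WINDOWS\System32\ikpwii.dll not found!
File move failed. C:\WINDOWS\System32\TDSSyavu.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\drivers\TDSSmxoe.sys scheduled to be moved on reboot.
[Custom Items]
========== FILES ==========
File/Folder C:\WINDOWS\system32\xxyyxyAS.dll not found.
< End of fix log >

Files moved on Reboot...
File C:\WINDOWS\System32\TDSSyavu.dll not found!
File C:\WINDOWS\System32\drivers\TDSSmxoe.sys not found!

Registry entries deleted on Reboot...
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:"C:\WINDOWS\system32\hewalote.dll" scheduled to be deleted on reboot.
"""

# "Registry delete failed. <target> scheduled to be deleted on reboot." / file variant.
DEFERRED_RE = re.compile(
    r"^(?:Registry delete|File move) failed\.\s+(?P<target>.+?)\s+"
    r"scheduled to be (?:deleted|moved) on reboot\.$"
)
# "Registry key <target> deleted successfully." / "<file> moved successfully."
OK_RE = re.compile(
    r"^(?:Registry (?:key|value)\s+)?(?P<target>.+?)\s+(?:deleted|moved) successfully\.$"
)
# "File <target> not found!" / "Registry key <target> not found."
MISSING_RE = re.compile(
    r"^(?:Registry (?:key|value)\s+|File(?:/Folder)?\s+)?(?P<target>.+?)\s+not found[.!]$"
)


def _norm(target):
    """Key used to match a first-pass target with its reboot-pass entry (assumed stable)."""
    return target.rstrip("\\").lower()


def reconcile(log_text):
    counts = {"succeeded": 0, "already_absent": 0, "deferred": 0}
    deferred = {}          # normalized target -> target text as logged in the first pass
    resolved = set()       # normalized targets the reboot pass handled or found absent
    in_reboot_pass = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("on Reboot..."):
            in_reboot_pass = True       # "Files moved on Reboot..." etc. start the second pass
            continue
        if m := DEFERRED_RE.match(line):
            if not in_reboot_pass:
                deferred[_norm(m["target"])] = m["target"]
                counts["deferred"] += 1
            # A failure repeated in the reboot pass leaves the item unresolved.
        elif m := OK_RE.match(line):
            if in_reboot_pass:
                resolved.add(_norm(m["target"]))
            else:
                counts["succeeded"] += 1
        elif m := MISSING_RE.match(line):
            if in_reboot_pass:
                resolved.add(_norm(m["target"]))   # already gone: nothing left to verify
            else:
                counts["already_absent"] += 1
    return {
        "fix_pass": counts,
        "confirmed_on_reboot": sorted(t for k, t in deferred.items() if k in resolved),
        "unresolved": sorted(t for k, t in deferred.items() if k not in resolved),
    }


if __name__ == "__main__":
    result = reconcile(SAMPLE_FIX_LOG)
    print("first pass:", result["fix_pass"])
    for item in result["unresolved"]:
        print("still needs verification:", item)
```

Anything in `unresolved` is what to check by hand after the reboot (here the AppInit_DLLs value, which the reboot pass failed on again) and what to carry into the next fix script.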

#10 ischemia
  • Topic Starter
  • Members
  • 10 posts

Posted 11 December 2008 - 06:38 PM

Jotti Scan

Scan taken on 11 Dec 2008 22:31:59 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Avenger Log
A log was opened after restart; however, there is no avenger.txt in C:\ now.
Is it possible it was removed after the subsequent restarts?

OTScanIt Fix Log
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06e9eec8-abfa-4310-a217-2241460d0e12}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06e9eec8-abfa-4310-a217-2241460d0e12}\ deleted successfully.
C:\WINDOWS\system32\ikpwii.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57170587-99a2-41e6-82ee-57ddb80a33ff}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{57170587-99a2-41e6-82ee-57ddb80a33ff}\ deleted successfully.
C:\WINDOWS\system32\nahotifo.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A4A5009-6C2F-4993-99FB-6B4E17BAA46A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5A4A5009-6C2F-4993-99FB-6B4E17BAA46A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8C7B029A-63E6-454C-9598-F594D1641CB3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7B029A-63E6-454C-9598-F594D1641CB3}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vumofisago deleted successfully.
C:\WINDOWS\system32\zovudala.dll moved successfully.
Registry value HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vumofisago deleted successfully.
File C:\WINDOWS\system32\zovudala.dll not found.
Registry value HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vumofisago deleted successfully.
File C:\WINDOWS\system32\zovudala.dll not found.
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:":filesc:\windows\system32\drivers\TDSSmxoe.sysc:\windows\system32\TDSSoipa.dllc:\windows\system32\TDSSmupe.datc:\windows\system32\TDSSirxy.dllc:\windows\system32\TDSSyavu.dllc:\windows\system32\TDSSncur.dllc:\windows\system32\TDSSqxnr.dllc:\windows\system32\TDSSnmxh.logc:\windows\system32\TDSSsahc.dllc:\windows\system32\TDSSehys.logc:\windows\system32\TDSSwgod.lo,C:\WINDOWS\system32\hewalote.dll" scheduled to be deleted on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winhdn32\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINDOWS\system32\xxyyxyAS deleted successfully.
[Files/Folders - Created Within 30 Days]
File C:\WINDOWS\System32\ikpwii.dll not found!
C:\WINDOWS\System32\dmjucrqb.dll moved successfully.
C:\WINDOWS\System32\awbicegv.ini moved successfully.
C:\WINDOWS\System32\vgecibwa.dll moved successfully.
C:\WINDOWS\System32\TDSSqxnr.dll moved successfully.
File C:\WINDOWS\System32\TDSSncur.dll not found!
File move failed. C:\WINDOWS\System32\TDSSyavu.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\TDSSirxy.dll scheduled to be moved on reboot.
C:\WINDOWS\System32\TDSSmupe.dat moved successfully.
File move failed. C:\WINDOWS\System32\TDSSoipa.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\drivers\TDSSmxoe.sys scheduled to be moved on reboot.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\System32\harelepi moved successfully.
File C:\WINDOWS\System32\TDSSqxnr.dll not found!
File C:\WINDOWS\System32\ikpwii.dll not found!
File C:\WINDOWS\System32\dmjucrqb.dll not found!
File C:\WINDOWS\System32\awbicegv.ini not found!
File C:\WINDOWS\System32\vgecibwa.dll not found!
C:\WINDOWS\System32\gawajaso.dll moved successfully.
C:\WINDOWS\System32\kugokigu.dll moved successfully.
[Custom Items]
========== FILES ==========
File/Folder C:\WINDOWS\system32\xxyyxyAS.dll not found.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.2.1 fix logfile created on 12112008_174252

Files moved on Reboot...
File C:\WINDOWS\System32\TDSSyavu.dll not found!
File C:\WINDOWS\System32\TDSSirxy.dll not found!
File C:\WINDOWS\System32\TDSSoipa.dll not found!
File C:\WINDOWS\System32\drivers\TDSSmxoe.sys not found!

Registry entries deleted on Reboot...
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:":filesc:\windows\system32\drivers\TDSSmxoe.sysc:\windows\system32\TDSSoipa.dllc:\windows\system32\TDSSmupe.datc:\windows\system32\TDSSirxy.dllc:\windows\system32\TDSSyavu.dllc:\windows\system32\TDSSncur.dllc:\windows\system32\TDSSqxnr.dllc:\windows\system32\TDSSnmxh.logc:\windows\system32\TDSSsahc.dllc:\windows\system32\TDSSehys.logc:\windows\system32\TDSSwgod.lo,C:\WINDOWS\system32\hewalote.dll" scheduled to be deleted on reboot.

Malwarebytes Log
Malwarebytes' Anti-Malware 1.31
Database version: 1491
Windows 5.1.2600 Service Pack 3

12/11/2008 6:16:16 PM
mbam-log-2008-12-11 (18-16-16).txt

Scan type: Quick Scan
Objects scanned: 54506
Time elapsed: 2 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 18
Registry Values Infected: 4
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\gumapoke.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hewalote.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0185cbae-c1b2-422e-8ad1-54dadb59b324} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0185cbae-c1b2-422e-8ad1-54dadb59b324} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57170587-99a2-41e6-82ee-57ddb80a33ff} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{57170587-99a2-41e6-82ee-57ddb80a33ff} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7545d8c8-f53c-4e2f-8fa0-d248ef4a6e61} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{964bf54a-a147-4b3f-9540-6c40cc6b9d8c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{dd861218-a2ac-46ea-ad5a-6e97f48aca50} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm1bfea567 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vumofisago (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\gumapoke.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\gumapoke.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\hewalote.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hewalote.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\hewalote.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hafoyara.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\arayofah.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gumapoke.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hewalote.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\MSA\MSA.ooo (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSwgod.log (Trojan.TDSS) -> Quarantined and deleted successfully.


OTScanIt 2 Log
When I run the scan I get an error:

Win32 Error. Code: 1500. The event log file is corrupted.

The computer is behaving much better now. I can navigate to bleepingcomputer.com without problem and there have been no popups since the Malware Bytes scan.

Thank you so much for your help!

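As an added example (not part of this thread, and not a Malwarebytes tool), here is a small Python parser for the Malwarebytes' Anti-Malware 1.x log format posted above: it pulls out each detection, flags items still marked "Delete on reboot" so they can be re-checked after the restart, and labels the persistence points (AppInit_DLLs, LSA Notification Packages, the DisableTaskMgr policy) that account for the reported symptoms. The MECHANISMS table is my own, and the sample lines are a constructed subset of the log in this post.

```python
import re

# Constructed sample in the Malwarebytes' Anti-Malware 1.x log format, using
# lines from the log posted in this thread (a subset, for illustration).
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\gumapoke.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hewalote.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\hafoyara.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gumapoke.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

# Registry locations that are persistence or defence-evasion points (assumed
# table for this example), matched case-insensitively against the item path.
MECHANISMS = {
    "appinit_dlls": "AppInit_DLLs (DLL loaded into every user32 process)",
    "notification packages": "LSA notification package (DLL loaded into lsass)",
    "disabletaskmgr": "Task Manager disabled by policy",
    "\\currentversion\\run\\": "Run key autostart",
}

SECTION_RE = re.compile(r"^(.+) Infected:$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """One dict per detection: section, path, family, action, pending_reboot, mechanism."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if not m or section is None:
            continue  # blank lines, "(No malicious items detected)", header counts
        action = m.group("rest").split(" -> ")[-1].rstrip(".")  # last arrow = result
        low = m.group("path").lower()
        findings.append({
            "section": section, "path": m.group("path"), "family": m.group("family"),
            "action": action, "pending_reboot": action == "Delete on reboot",
            "mechanism": next((v for k, v in MECHANISMS.items() if k in low), None),
        })
    return findings


def summarize(findings):
    """Items still awaiting reboot (re-check after restart) and mechanisms seen."""
    return {
        "pending_reboot": [f["path"] for f in findings if f["pending_reboot"]],
        "mechanisms": sorted({f["mechanism"] for f in findings if f["mechanism"]}),
    }
```

Running `summarize(parse_mbam_log(SAMPLE_LOG))` on the sample lists gumapoke.dll as still pending reboot, which is exactly the kind of item worth confirming is gone in the next log.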
#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:04:23 PM

Posted 11 December 2008 - 09:18 PM

Hello.

Looks like the Avenger did its job. Otherwise, MalwareBytes would have likely removed the leftovers.

Let's run Kaspersky to find anything missed.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Download and Run Dial-a-Fix
This program fixes many common problems in Windows. It is possible that some settings will be reset.
  • Please download Dial-A-Fix to your desktop.
  • Right click the zip file and select Extract All to extract the contents into a new.
  • Double click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box (Looks like this: Posted Image)
  • Uncheck Empty Temp Folders and Adjust Time/Date in the prep section. The prep section should then look like this:
    Posted Image
  • When the window looks like this, press the GO button in the bottom of the window.
    Posted Image
  • Close Dial-A-Fix
------
Try running the OTScanIt scan leaving the settings as they are when you open the window.

If still no go, download DDS by sUBs and run it. Select no when asked for the extra scan. Post back that log.

With Regards,
The Panda

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:04:23 PM

Posted 16 December 2008 - 12:45 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:04:23 PM

Posted 16 December 2008 - 09:16 PM

Reopened.

#14 ischemia

ischemia
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:23 PM

Posted 16 December 2008 - 10:31 PM

I think we're getting there.
Thanks for your help.


KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, December 16, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 16, 2008 20:39:34
Records in database: 1466897
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
G:\
Scan statistics
Files scanned 193613
Threat name 3
Infected objects 4
Suspicious objects 0
Duration of the scan 03:05:06

File name Threat name Threats count
C:\_OTScanIt\MovedFiles\12112008_004303\C_\mfmmhajf.exe Infected: not-a-virus:AdWare.Win32.BHO.ejm 1
C:\_OTScanIt\MovedFiles\12112008_004303\C_WINDOWS\system32\uesiuqcr.exe Infected: not-a-virus:AdWare.Win32.BHO.ejm 1
C:\_OTScanIt\MovedFiles\12112008_004303\C_WINDOWS\system32\wvUoomNe.dll.vir Infected: Trojan.Win32.Agent.arne 1
C:\_OTScanIt\MovedFiles\12112008_004303\C_WINDOWS\system32\xxyyxyAS.dll Infected: Trojan.Win32.Monderd.gen 1
The selected area was scanned.


#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:04:23 PM

Posted 16 December 2008 - 11:11 PM

Hello.

View Point Program
Viewpoint Manager and Viewpoint Media Player are considered foistware instead of malware, since they are installed without the user's approval but do not have malicious effects. This changed from what we knew in 2006; read this article.

I suggest you remove the program(s) through Add and Remove Programs.

Could you please post a new HijackThis log after?

With Regards,
The Panda

