A few domains remain inaccessible/hijacked


17 replies to this topic

#1 colawars

Posted 20 January 2009 - 05:45 PM

I landed at bleepingcomputer recently while fixing a friend's laptop. It is amazing to me that this quality of aid & instruction is available for free. The Internet is a wonderful place! And the tech people on this board are generous. I followed someone else's solution last time, but now I'm stumped and I hope you can help me too.

I'm running XP Pro SP3. My remaining symptoms are that www.malwarebytes.org is inaccessible and any HTTP requests I send to windowsupdate.microsoft.com go to google.com instead. Those are the only two I've noticed since last night, but there may be others. And I'm worried about what else may be lurking.

Here's what I've done so far:

I got a bunch of detections the other night from McAfee VirusScan Enterprise. I let it kill what it could and manually got rid of the ones it couldn't delete, as per this log:

1/19/2009 5:36:29 PM Cleaned COMPUTER\cfm C:\WINDOWS\Explorer.EXE c:\documents and settings\cfm\local settings\temporary internet files\content.ie5\jcrc55y5\index[1] Vundo.gen.k (Trojan)
1/19/2009 5:36:31 PM Deleted COMPUTER\cfm C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\CFM\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\JCRC55Y5\INDEX[1] Vundo.gen.k (Trojan)
1/19/2009 5:36:31 PM Deleted COMPUTER\cfm C:\WINDOWS\Explorer.EXE C:\Documents and Settings\cfm\Local Settings\Temporary Internet Files\Content.IE5\JCRC55Y5\index[1] Vundo.gen.k (Trojan)
1/19/2009 5:37:48 PM Not scanned (scan timed out) COMPUTER\cfm C:\WINDOWS\Explorer.EXE C:\Temp\lxhoflry.dll
1/19/2009 5:37:48 PM Cleaned COMPUTER\cfm C:\WINDOWS\Explorer.EXE c:\temp\lxhoflry.dll Vundo.gen.k (Trojan)
1/19/2009 5:37:49 PM Deleted COMPUTER\cfm C:\WINDOWS\Explorer.EXE C:\TEMP\LXHOFLRY.DLL Vundo.gen.k (Trojan)
1/19/2009 5:37:50 PM Deleted COMPUTER\cfm C:\WINDOWS\Explorer.EXE C:\Temp\lxhoflry.dll Vundo.gen.k (Trojan)
1/19/2009 5:37:55 PM Cleaned COMPUTER\cfm C:\WINDOWS\Explorer.EXE c:\documents and settings\cfm\local settings\temporary internet files\content.ie5\04fzvvd4\upd105320[1] Vundo.gen.k (Trojan)
1/19/2009 5:37:55 PM Deleted COMPUTER\cfm C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\CFM\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\04FZVVD4\UPD105320[1] Vundo.gen.k (Trojan)
1/19/2009 5:37:55 PM Deleted COMPUTER\cfm C:\WINDOWS\Explorer.EXE C:\Documents and Settings\cfm\Local Settings\Temporary Internet Files\Content.IE5\04FZVVD4\upd105320[1] Vundo.gen.k (Trojan)
1/19/2009 5:38:09 PM Not scanned (scan timed out) COMPUTER\cfm C:\WINDOWS\Explorer.EXE C:\Temp\sidchaem.dll
1/19/2009 5:38:09 PM Cleaned COMPUTER\cfm C:\WINDOWS\Explorer.EXE c:\temp\sidchaem.dll Vundo.gen.k (Trojan)
1/19/2009 5:38:09 PM Deleted COMPUTER\cfm C:\WINDOWS\Explorer.EXE C:\TEMP\SIDCHAEM.DLL Vundo.gen.k (Trojan)
1/19/2009 5:38:09 PM Deleted COMPUTER\cfm C:\WINDOWS\Explorer.EXE C:\Temp\sidchaem.dll Vundo.gen.k (Trojan)
1/19/2009 5:39:34 PM Deleted COMPUTER\cfm C:\Temp\matrix308710.exe C:\TEMP\TMP2B.TMP Generic.dx (Trojan)
1/19/2009 5:39:40 PM Delete failed (Clean failed) COMPUTER\cfm C:\Temp\matrix308710.exe C:\Temp\tmp2B.tmp Generic.dx (Trojan)
1/19/2009 5:41:32 PM No Action Taken (Delete failed) SYSTEM McShield.exe C:\Temp\tmp2B.tmp


I observed that FF would resize itself and pop an alert that was an ad for the faux product "Antivirus 2009" after a few minutes of use. Also, the Windows auto update feature was complaining in the tray and in the Security Center dialog that it was set to off, but it appeared to be set to Automatic on the Automatic Updates tab in System Properties.

Then I booted into safe mode w/ networking, installed and ran Malwarebytes' Anti-Malware (downloaded from a mirror I found on your boards). Its update seemed to install fine, even though the company's web server is inaccessible from my browser. I ran a quick scan, which gave me this log:

Malwarebytes' Anti-Malware 1.33
Database version: 1668
Windows 5.1.2600 Service Pack 3

1/19/2009 6:47:28 PM
mbam-log-2009-01-19 (18-47-28).txt

Scan type: Quick Scan
Objects scanned: 147736
Time elapsed: 12 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 10
Registry Values Infected: 3
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jkkJyWPh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\awtqqnkH.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1bca404a-cff8-4080-a233-f3dc7aaefdaf} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1bca404a-cff8-4080-a233-f3dc7aaefdaf} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtqqnkh (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\service (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\service (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbanodusexuy (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\Service.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\jkkjywph -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkjywph -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.98,85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cf142465-b381-4dd2-a37c-bcae48bb2221}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.98,85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d78b2a20-8770-4d59-ba0a-3134110addc9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.98,85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.98,85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cf142465-b381-4dd2-a37c-bcae48bb2221}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.98,85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{d78b2a20-8770-4d59-ba0a-3134110addc9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.98,85.255.112.123 -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\jkkJyWPh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hPWyJkkj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hPWyJkkj.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtqqnkH.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Temp\fxmedia3087.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-73586283-1229272821-839522115-1003\Dc4014.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\fcm\Local Settings\Temporary Internet Files\Content.IE5\LPKNXH2C\fxmedia3087[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\fcm\Local Settings\Temporary Internet Files\Content.IE5\ZV7B9GFY\divx20[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\resycled\ntldr.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Jpililu.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Service.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayyXOHA.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-02D.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-457.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.


I rebooted, and the Security Center dialog is now responsive to having Auto Update re-enabled. But the browser hijackings haven't cleared up. I went back to safe mode w/out networking and ran Anti-Malware on full scan overnight. It did not detect anything else.

I found only one hosts file, and it's clean. Should I post an HJT log?

Edited by colawars, 20 January 2009 - 06:35 PM.



#2 rigel

Posted 20 January 2009 - 07:04 PM

See if you can run Malwarebytes according to this procedure and post a fresh log:

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 colawars

Posted 20 January 2009 - 08:22 PM

Malwarebytes' Anti-Malware 1.33
Database version: 1668
Windows 5.1.2600 Service Pack 3

1/20/2009 7:38:16 PM
mbam-log-2009-01-20 (19-38-16).txt

Scan type: Quick Scan
Objects scanned: 60392
Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxltyvkfrd.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.


DNS changer was back! MBAM claims to kill it, and it is absent from c:\windows\system32 ... but on reboot it returns, as per this log of a repeat attempt:

Malwarebytes' Anti-Malware 1.33
Database version: 1668
Windows 5.1.2600 Service Pack 3

1/20/2009 7:59:02 PM
mbam-log-2009-01-20 (19-59-02).txt

Scan type: Quick Scan
Objects scanned: 60193
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxltyvkfrd.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully


How do we figure out what keeps putting it there?
By the way, these two runs of MBAM were not run in safe mode.
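The two kinds of finding in the MBAM logs quoted in this thread are worth pulling out mechanically: the Trojan.DNSChanger entries in the first log (post #1) that show NameServer values under Tcpip\Parameters rewritten to 85.255.116.98 and 85.255.112.123, and the gaopdxltyvkfrd.dll detection that is reported "Quarantined and deleted" and then reappears in the next run (post #3). The Python below is an added example written for this thread; it is not MBAM's code and not anything the posters ran. The log layout it parses is inferred from the logs quoted above, the two sample logs are constructed (shortened) from those quotes, and the allowlist of expected resolvers is a placeholder assumption.

```python
"""Triage Malwarebytes' Anti-Malware 1.33-style logs: pull out DNS resolver
hijacks, items only scheduled for removal, and detections that recur between
runs.  Added example for this thread; log layout inferred from the quoted logs."""
import re
from ipaddress import ip_address

# Constructed sample in the shape of the MBAM log from post #1 (shortened).
FIRST_RUN = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.98,85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkjywph -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxltyvkfrd.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

# Constructed sample in the shape of the repeat run from post #3 (note: no trailing period).
SECOND_RUN = r"""
Files Infected:
C:\WINDOWS\system32\gaopdxltyvkfrd.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully
"""

# Assumption: the resolvers this machine is supposed to use (placeholder value).
EXPECTED_RESOLVERS = {"192.168.1.1"}

# "Files Infected:" style headers; summary lines ("Files Infected: 15") do not match.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<item> (<family>) -> [Data: <data> -> ]<action>[.]"
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)


def parse_mbam_log(text):
    """Return one dict per detection with keys section, item, family, data, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            continue
        m = ENTRY_RE.match(line)  # "(No malicious items detected)" never matches
        if m and section:
            entries.append({"section": section, **m.groupdict()})
    return entries


def hijacked_resolvers(entries):
    """IP addresses MBAM found written into any NameServer value."""
    found = set()
    for e in entries:
        if e["item"].lower().endswith("\\nameserver") and e["data"]:
            for tok in e["data"].split(","):
                try:
                    found.add(str(ip_address(tok.strip())))
                except ValueError:
                    pass  # not an IP literal; ignore
    return found


def unexpected_resolvers(entries, expected):
    """Resolvers in the log that are not on the allowlist, sorted for stable output."""
    return sorted(hijacked_resolvers(entries) - set(expected))


def pending_reboot(entries):
    """Items MBAM could only schedule: they stay in place until the machine reboots."""
    return [e["item"] for e in entries if e["action"].lower().startswith("delete on reboot")]


def recurring(previous, current):
    """Items detected in both runs: removal is not sticking, something re-creates them."""
    seen = {(e["item"].lower(), e["family"]) for e in previous}
    return sorted(e["item"] for e in current if (e["item"].lower(), e["family"]) in seen)


def family_counts(entries):
    """Detection count per malware family name as MBAM reported it."""
    counts = {}
    for e in entries:
        counts[e["family"]] = counts.get(e["family"], 0) + 1
    return counts


if __name__ == "__main__":
    first, second = parse_mbam_log(FIRST_RUN), parse_mbam_log(SECOND_RUN)
    print("detections by family:", family_counts(first))
    print("rogue resolvers:", unexpected_resolvers(first, EXPECTED_RESOLVERS))
    print("still present until reboot:", pending_reboot(first))
    print("came back after cleaning:", recurring(first, second))
```

The "Delete on reboot" check matters for the point rigel makes in Note 1 of post #2: until the reboot happens those files and registry values are still live. The `recurring` check formalises what post #3 observes by eye: a file that is "Quarantined and deleted successfully" in one run and present again in the next is being re-created by something the scan did not remove, which is the signal to look for the component that writes it rather than to keep deleting the file.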

#4 rigel

Posted 21 January 2009 - 10:34 AM

MBAM is strongest in regular mode.


Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#5 colawars

Posted 21 January 2009 - 02:18 PM

I ran SDFix in safe mode. It took about 15 minutes before requesting its reboot. At reboot, I returned to safe mode, where SDFix took over again right after login.
The screen has been sitting at "Please Be Patient As This Part May Take Several Minutes..." for about two hours. I don't think it's hung since it wrote a new .txt file to c:\sdfix 30 minutes ago (called TESTspreadbot2.TXT), but I wonder how long you think I ought to let it go before I interrupt it and give it another try.

#6 rigel

Posted 21 January 2009 - 02:43 PM

Please give it up to 3 more hours. Thanks...

#7 colawars

Posted 21 January 2009 - 03:56 PM

It got done. Rebooted into XP's normal mode, logged in, and saw that the hijackings are still in effect.
Forgot to mention before: flash ads on many large sites (e.g. nytimes.com) are replaced with ads for Vimax bleep pills. This too is still happening after SDFix.

Here's the log:

SDFix: Version 1.240
Run by fcm on Wed 01/21/2009 at 12:36 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 15:20:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\fcm\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\id Software\\Quake 4\\Quake4.exe"="C:\\Program Files\\id Software\\Quake 4\\Quake4.exe:LocalSubNet:Enabled:Quake 4"
"C:\\Program Files\\WinHTTrack\\WinHTTrack.exe"="C:\\Program Files\\WinHTTrack\\WinHTTrack.exe:*:Enabled:WinHTTrack Website Copier, Web Site mirroring for professional and private purposes"
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"="C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2"
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"="C:\\Program Files\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"
"C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"="C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe:*:Enabled:Sid Meier's Railroads!"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\BitTorrent-Publisher\\bittorrent-publisher.exe"="C:\\Program Files\\BitTorrent-Publisher\\bittorrent-publisher.exe:*:Enabled:BitTorrent-Publisher"
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"="C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)"
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"="C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)"
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"="C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe:*:Enabled:Unreal Tournament 3"
"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"="C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe:*:Enabled:Gears of War"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\AssistantTools.com\\Mp3 Tag Assistant Pro\\Mp3 Tag Assistant Pro.exe"="C:\\Program Files\\AssistantTools.com\\Mp3 Tag Assistant Pro\\Mp3 Tag Assistant Pro.exe:*:Enabled:Mp3 Tag Assistant Pro"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Joost Plugin\\joostws.exe"="C:\\Program Files\\Joost Plugin\\joostws.exe:*:Enabled:joostws"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"="C:\\Program Files\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Thu 21 Jun 2007 355 A..H. --- "C:\Boot.BAK"
Fri 27 Jul 2007 8 A.SHR --- "C:\WINDOWS\system32\19B0147454.sys"
Sun 22 Jul 2007 8 A.SHR --- "C:\WINDOWS\system32\9871555AD1.sys"
Sun 5 Oct 2008 1,994 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Mon 4 Feb 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 29 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Fri 3 Oct 2008 5,762 ...HR --- "C:\Documents and Settings\fcm\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!



#8 colawars

Posted 21 January 2009 - 04:08 PM

And MBAM finds the DNS changer again.

Files Infected:
C:\WINDOWS\system32\gaopdxltyvkfrd.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.



#9 rigel

Posted 21 January 2009 - 04:12 PM

Very important...

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Next...
Please download ATF Cleaner by Atribune & save it to your desktop (alternate download link). DO NOT use it yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip them into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose:
    Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

#10 colawars

Posted 22 January 2009 - 10:18 AM

Backed up reg.
SAS site is blocked from the infected computer; downloaded SAS and manual definitions updates 3720/1694 via laptop, transferred, installed, ran.
Took 15 hrs. Here's the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/22/2009 at 08:36 AM

Application Version : 4.25.1012

Core Rules Database Version : 3720
Trace Rules Database Version: 1694

Scan type : Complete Scan
Total Scan Time : 15:38:30

Memory items scanned : 240
Memory threats detected : 0
Registry items scanned : 7835
Registry threats detected : 0
File items scanned : 574527
File threats detected : 71

Rogue.XP Protector 2009
C:\Program Files\THUMBSVIEWER

Adware.Tracking Cookie
.yieldmanager.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.yieldmanager.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
banners.blogads.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
banners.blogads.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
banners.blogads.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
banners.blogads.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
banners.blogads.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
banners.blogads.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
banners.blogads.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
banners.blogads.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.ytcracker.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.ytcracker.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
optimize.indieclick.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.media6degrees.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.tns-counter.ru [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.list.ru [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
ads-dev.youporn.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.media.brandreachsys.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.media.brandreachsys.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
stats.sphere.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.media.mtvnservices.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.media.mtvnservices.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.uclick.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
eas.apm.emediate.eu [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
eas.apm.emediate.eu [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
ads.bridgetrack.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
www.burstnet.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
www.burstbeacon.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.burstnet.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.burstnet.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
ads.clicktoblue.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
observer.advertserve.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.eyewonder.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
.eyewonder.com [ C:\Documents and Settings\fcm\Application Data\Mozilla\Firefox\Profiles\63pqvtl4.default\cookies.txt ]
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@ad.yieldmanager[2].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@adopt.specificclick[2].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@adrevolver[2].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@ads.revsci[1].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@advertising[1].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@apmebf[1].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@atdmt[2].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@burstnet[2].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@casalemedia[2].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@doubleclick[2].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@fastclick[2].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@media.adrevolver[1].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@msnportal.112.2o7[1].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@realmedia[1].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@specificclick[2].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@tacoda[2].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@tribalfusion[1].txt
D:\Users\fcm\AppData\Roaming\Microsoft\Windows\Cookies\Low\fcm@zedo[2].txt

Trojan.Downloader-Gen/Suspicious
D:\SOFTWARE\UTIL\SYNC TOOLS\FCLONE.EXE


When SAS wanted to reboot to complete its deletions, I let it reboot into XP's normal mode as opposed to safe mode. Was that right?

Hijacking has not been cured. MBAM and SAS sites are still blocked, windowsupdate.microsoft.com still points to google, vimax ads still replace real ads on many sites.
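The symptoms in the post above (the MBAM and SAS sites unreachable, windowsupdate.microsoft.com landing on google.com) are what a hosts-file hijack or a rogue resolver produces, so those two places are the first things to read on a box like this. The script below is an added example, not code from this thread or from any of the tools mentioned in it: it parses hosts-file text and the per-interface NameServer values and reports every watched name that is pinned to loopback (blocked) or to a foreign address (redirected), plus any static resolver outside a range the responder trusts. The hosts content, the interface GUIDs, the resolver addresses (documentation ranges) and the trusted-resolver network are all constructed for the example.

```python
import ipaddress
import re

# Constructed hosts-file content modelled on the symptoms in the thread
# (vendor sites pinned to loopback, windowsupdate pinned to a foreign address).
# 192.0.2.10 is a documentation address, not a real destination.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- constructed entries below ---
127.0.0.1       www.malwarebytes.org
127.0.0.1       www.superantispyware.com
192.0.2.10      windowsupdate.microsoft.com
"""

# Constructed per-interface NameServer values, keyed by interface GUID as found
# under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces.
# 198.51.100.0/24 is a documentation range standing in for a rogue resolver.
SAMPLE_NAMESERVERS = {
    "{constructed-lan-guid}": "198.51.100.21,198.51.100.7",
    "{constructed-wifi-guid}": "",   # DHCP-assigned, no static override
}

# Names the user expects to reach; any hosts entry for them is suspect.
WATCH_DOMAINS = (
    "malwarebytes.org",
    "superantispyware.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "bleepingcomputer.com",
)

# Assumption: resolvers the network legitimately hands out (here, the LAN router).
TRUSTED_RESOLVERS = (ipaddress.ip_network("192.168.1.0/24"),)


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every active mapping in hosts-file text."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # malformed line, not a mapping
        for name in fields[1:]:
            entries.append((no, ip, name.lower()))
    return entries


def _is_watched(name, watch):
    return any(name == d or name.endswith("." + d) for d in watch)


def find_hijacked_hosts(text, watch=WATCH_DOMAINS):
    """Return (line_no, hostname, ip, verdict) for watched names pinned in hosts.

    Loopback or 0.0.0.0 means the site is blocked; anything else is a redirect.
    """
    findings = []
    for no, ip, name in parse_hosts(text):
        if not _is_watched(name, watch):
            continue
        verdict = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((no, name, str(ip), verdict))
    return findings


def find_rogue_nameservers(nameservers, trusted=TRUSTED_RESOLVERS):
    """Return (interface, value, reason) for static resolvers outside the trusted set."""
    findings = []
    for iface, value in nameservers.items():
        for token in re.split(r"[,\s]+", value.strip()):
            if not token:
                continue
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                findings.append((iface, token, "unparseable NameServer value"))
                continue
            if not any(ip in net for net in trusted):
                findings.append((iface, token, "static resolver outside trusted set"))
    return findings


if __name__ == "__main__":
    for f in find_hijacked_hosts(SAMPLE_HOSTS):
        print("hosts line %d: %s -> %s (%s)" % f)
    for f in find_rogue_nameservers(SAMPLE_NAMESERVERS):
        print("interface %s: NameServer %s (%s)" % f)
```

On XP the hosts file lives at %SystemRoot%\system32\drivers\etc\hosts, but read HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath first, because malware can point that value at a different copy; the NameServer values sit under ...\Tcpip\Parameters\Interfaces\<GUID>. A clean result from both checks does not clear the machine: later in this thread SmitfraudFix's hosts section comes back empty while GMER reports a hidden driver, which is consistent with the redirection happening below the resolver, where neither check can see it.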

#11 colawars (Topic Starter)

Posted 22 January 2009 - 10:28 AM

And running MBAM in XP's normal mode continues to find and again claims to delete a DNS changer.

Files Infected:
C:\WINDOWS\system32\gaopdxltyvkfrd.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.


But I checked before running and that file was not visible in \system32 (I have hidden & system files set to be visible). MBAM on subsequent quick scans does not find the file again until after reboot.

#12 rigel

Posted 22 January 2009 - 11:16 AM

You have a very tough infection...

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



#13 colawars (Topic Starter)

Posted 22 January 2009 - 11:43 AM

SmitFraudFix v2.391

Scan done at 11:33:39.28, Thu 01/22/2009
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AutoMate 6\AMTS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PGPsdkServ.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\AutoMate 6\AMEM.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\fcm\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\Software Designs\KbStart\KbStart.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\fcm


C:\Temp


C:\Documents and Settings\fcm\Application Data


Start Menu


C:\DOCUME~1\fcm\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS



Scanning for wininet.dll infection


End



#14 extremeboy (Malware Response Team)

Posted 23 January 2009 - 08:25 PM

Hello.

Please reboot your computer and check if this file exists:

C:\WINDOWS\system32\gaopdxltyvkfrd.dll <- This one.

You can also do a search for that file name if you don't want to navigate to the system32 folder.

Tell me if it exists.

Next... Please update MBAM and re-run it (full scan) please and post me the log after it's complete.

How is your computer so far? Can you access any sites without being redirected or are you still being redirected?
Can you connect to this website properly? That website is just Microsoft; I just want to know if you can connect.

Also run the following rootkit scan please to make sure there isn't anything going on regarding rootkits..

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!:Please do not select the Show all checkbox during the scan..

Post back with:
-Answers to ALL my questions
-New MBAM log
-GMER log


With regards,
Extremeboy
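A GMER log is only useful if you know which lines matter. As an added example that is not part of this thread or of GMER itself, here is a small triage script over text in GMER 1.0.14's layout: it pulls out SSDT and inline kernel hooks, records which hooking modules GMER could not find on disk, and flags services GMER marks as hidden, then ranks the findings. The log text is constructed to resemble GMER output; the sput.sys and mfehidk.sys lines mirror entries in the thread, while the example_unknown.sys module and the gaopdxserv.sys service name are placeholders, not identifiers from the thread.

```python
import re

# Constructed log text in the layout of GMER 1.0.14 output. The sput.sys and
# mfehidk.sys lines mirror entries in the thread; example_unknown.sys and the
# service name gaopdxserv.sys are placeholders, not identifiers from the thread.
SAMPLE_GMER_LOG = r"""
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-23 23:17:01

---- System - GMER 1.0.14 ----

SSDT  sput.sys  ZwCreateKey [0xF74D90E0]
SSDT  sput.sys  ZwEnumerateKey [0xF74F6CA2]
SSDT  sput.sys  ZwQueryValueKey [0xF74F6F88]
SSDT  example_unknown.sys  ZwOpenProcess [0xF7A01234]

Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwCreateFile [0xB5F8F8C1]

---- Kernel code sections - GMER 1.0.14 ----

?  sput.sys  The system cannot find the file specified. !
.text  USBPORT.SYS!DllUnload  B9D238AC 5 Bytes  JMP 8A7661D8

---- Services - GMER 1.0.14 ----

Service  system32\drivers\gaopdxhbocpjkd.sys (*** hidden *** )  [SYSTEM] gaopdxserv.sys  <-- ROOTKIT !!!
"""

HOOK_RE = re.compile(
    r"^(SSDT|Code)\s+(\S+)"            # hook type and the module owning the handler
    r"(?:\s+\(([^)]*)\))?"             # "(description/vendor)" GMER adds for files it identifies
    r"\s+(\w+)"                        # hooked function
    r"(?:\s+\[0x[0-9A-Fa-f]+\])?\s*$"  # optional handler address
)
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified")
HIDDEN_SVC_RE = re.compile(
    r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s+\[(\w+)\]\s+(\S+)"
)

SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


def triage_gmer(log):
    """Return (severity, kind, subject, detail) tuples, most serious first."""
    hooks = {}        # module -> {"desc": str or None, "funcs": [...]}
    missing = set()   # modules GMER reported as absent from disk
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            _kind, module, desc, func = m.groups()
            entry = hooks.setdefault(module, {"desc": desc, "funcs": []})
            entry["funcs"].append(func)
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.add(m.group(1))
            continue
        m = HIDDEN_SVC_RE.match(line)
        if m:
            path, start, name = m.groups()
            findings.append(("high", "hidden_service", path, "%s (start: %s)" % (name, start)))
    for module, entry in hooks.items():
        funcs = ",".join(entry["funcs"])
        if module in missing:
            # A hooking module with no backing file is either self-hiding or a
            # self-protecting driver; both need a human to verify.
            findings.append(("high", "hook_module_missing_on_disk", module, funcs))
        elif entry["desc"] is None:
            findings.append(("medium", "hook_module_unidentified", module, funcs))
        else:
            # Hooks from files GMER identifies (AV/HIPS drivers) are normal.
            findings.append(("info", "hook_module_identified", module,
                             "%s (%s)" % (funcs, entry["desc"])))
    findings.sort(key=lambda f: SEVERITY_RANK[f[0]])
    return findings


if __name__ == "__main__":
    for severity, kind, subject, detail in triage_gmer(SAMPLE_GMER_LOG):
        print("[%s] %s: %s  %s" % (severity, kind, subject, detail))
```

Treat the ranking as a prompt for verification, not a verdict. The SPTD driver that DAEMON Tools installs (daemon.exe is in the process list posted earlier in this thread) is a well-known benign source of exactly the "SSDT hooks on the Zw*Key functions by a module GMER cannot find on disk" pattern, whereas a service GMER marks hidden whose driver keeps reappearing after deletion is the line to escalate.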

#15 colawars (Topic Starter)

Posted 23 January 2009 - 11:43 PM

Hi extremeboy, thanks for helping!

Before I saw your post, I'd been trying to find that gao*.dll file, and could not see it in the place MBAM had been finding it repeatedly. Several times I rebooted, looked for the file, didn't see it, let MBAM detect and delete it, ran MBAM again and observed that it did not detect the file any more, reboot, repeat.

On a recent boot, I let MBAM auto-update (not sure why this worked, since their web servers are blocked -- I guess they have a workaround?)
I ran MBAM again in quick mode, and it found the gao*.dll and two new detections:

Malwarebytes' Anti-Malware 1.33
Database version: 1685
Windows 5.1.2600 Service Pack 3

1/23/2009 9:48:42 PM
mbam-log-2009-01-23 (21-48-42).txt

Scan type: Quick Scan
Objects scanned: 61717
Time elapsed: 6 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\aquaplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxltyvkfrd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxhbocpjkd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

...maybe the new detections were because of an update to MBAM's definitions?

I rebooted and noticed two things:
> No pages from ANY servers will load in FF or IE. DNS seems to be completely broken. I can ping known IP addresses and they reply, so it seems like only DNS.
> My taskbar clock had changed to 24-hour time

Then I saw your post, ran GMER 1.0.14.14536, and it sees a service "system32\drivers\gaopdxhbocpijkd.sys" which it identifies as hidden and displays in red. Here's the log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-23 23:17:01
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT sput.sys ZwCreateKey [0xF74D90E0]
SSDT sput.sys ZwEnumerateKey [0xF74F6CA2]
SSDT sput.sys ZwEnumerateValueKey [0xF74F7030]
SSDT sput.sys ZwOpenKey [0xF74D90C0]
SSDT sput.sys ZwQueryKey [0xF74F7108]
SSDT sput.sys ZwQueryValueKey [0xF74F6F88]
SSDT sput.sys ZwSetValueKey [0xF74F719A]

INT 0x62 ? 8A990BF8
INT 0x63 ? 8A990BF8
INT 0x73 ? 8A766BF8
INT 0x82 ? 8A990BF8
INT 0x94 ? 8A766BF8
INT 0xA4 ? 8A766BF8
INT 0xB4 ? 8A921BF8
INT 0xB4 ? 8A766BF8
INT 0xB4 ? 8A766BF8
INT 0xB4 ? 8A921BF8

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB5F8F8C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB5F8F8F0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB5F8F855]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB5F8F881]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB5F8F91A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB5F8F8D5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB5F8F86B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB5F8F8AD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB5F8F930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB5F8F904]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwYieldExecution 80515A6A 7 Bytes JMP B5F8F908 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8057C328 5 Bytes JMP B5F8F8C5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057DEF1 5 Bytes JMP B5F8F934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E369 7 Bytes JMP B5F8F91E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581889 7 Bytes JMP B5F8F8D9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E695 5 Bytes JMP B5F8F8B1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80591F8B 7 Bytes JMP B5F8F885 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80593334 7 Bytes JMP B5F8F859 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0470 5 Bytes JMP B5F8F8F4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 80655B56 7 Bytes JMP B5F8F86F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? sput.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B9D238AC 5 Bytes JMP 8A7661D8
.text ahqdg7hg.SYS B9C92384 1 Byte [ 20 ]
.text ahqdg7hg.SYS B9C92386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text ahqdg7hg.SYS B9C923AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text ahqdg7hg.SYS B9C923C4 3 Bytes [ 00, 00, 00 ]
.text ahqdg7hg.SYS B9C923C9 1 Byte [ 00 ]
.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01960000
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01960F77
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01960F92
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0196006C
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01960FAF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0196005B
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01960F49
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01960091
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01960F24
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 019600C7
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 019600D8
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01960FD4
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01960025
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01960F66
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0196004A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01960FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 019600AC
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0195001B
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01950047
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0195000A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01950FDE
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01950F8A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01950FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01950FAF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ B5, 89 ]
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01950036
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[400] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01930000
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F5C
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F77
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070089
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070078
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F1F
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700B8
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 000700DD
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0007002C
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070F41
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070F30
.text C:\WINDOWS\system32\services.exe[640] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[640] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060F7C
.text C:\WINDOWS\system32\services.exe[640] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[640] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[640] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060039
.text C:\WINDOWS\system32\services.exe[640] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[640] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00060014
.text C:\WINDOWS\system32\services.exe[640] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060F97
.text C:\WINDOWS\system32\services.exe[640] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E30F63
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E30F7E
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E30058
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E30F9B
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E3002C
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E30F37
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E30F48
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E300C6
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E300B5
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E300E1
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E30047
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E30073
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E3001B
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E30FC0
.text C:\WINDOWS\system32\lsass.exe[652] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E3009A
.text C:\WINDOWS\system32\lsass.exe[652] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E2002C
.text C:\WINDOWS\system32\lsass.exe[652] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E20FAF
.text C:\WINDOWS\system32\lsass.exe[652] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E2001B
.text C:\WINDOWS\system32\lsass.exe[652] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\lsass.exe[652] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E20FC0
.text C:\WINDOWS\system32\lsass.exe[652] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\lsass.exe[652] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00E20058
.text C:\WINDOWS\system32\lsass.exe[652] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E20047
.text C:\WINDOWS\system32\lsass.exe[652] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 025B0000
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025B0F6A
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 025B0F8F
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 025B0069
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 025B0058
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 025B0FC0
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025B007A
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025B0F3E
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025B0F06
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025B0095
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 025B00BA
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 025B003D
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 025B001B
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 025B0F59
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 025B0FD1
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 025B002C
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 025B0F17
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 025A0011
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 025A0F80
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 025A0FCA
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 025A0FE5
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 025A003D
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 025A0000
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 025A0F9B
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 7A, 8A ]
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 025A002C
.text C:\WINDOWS\system32\svchost.exe[820] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DD0FEF
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DD0F41
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DD0F5C
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DD0036
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DD0F83
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DD0FAF
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DD0F13
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DD0F24
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DD0EDD
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DD0076
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00DD0ECC
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00DD0F94
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00DD0000
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00DD005B
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00DD0FCA
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00DD001B
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00DD0EF8
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DC0025
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DC0F8D
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DC0FCA
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DC0FE5
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DC0F9E
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DC0000
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00DC0FAF
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ FC, 88 ]
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DC0036
.text C:\WINDOWS\system32\svchost.exe[888] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DA0000
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03AC0FEF
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03AC0FA6
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03AC009B
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03AC0080
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03AC006F
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03AC0039
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03AC00DD
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03AC00C2
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03AC0F5F
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03AC00F8
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 03AC0F4E
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 03AC0054
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 03AC0FDE
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 03AC0F8B
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 03AC0FCD
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 03AC0014
.text C:\WINDOWS\System32\svchost.exe[984] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 03AC0F7A
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 03AA0036
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 03AA0F97
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 03AA0025
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 03AA000A
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 03AA0FB2
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 03AA0FEF
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 03AA0FC3
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ CA, 8B ]
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 03AA0FD4
.text C:\WINDOWS\System32\svchost.exe[984] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03A80000
.text C:\WINDOWS\System32\svchost.exe[984] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 03AB0000
.text C:\WINDOWS\System32\svchost.exe[984] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 03AB0025
.text C:\WINDOWS\System32\svchost.exe[984] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 03AB0FEF
.text C:\WINDOWS\System32\svchost.exe[984] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 03AB0FDE
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00800F70
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00800F81
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0080005B
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00800F9E
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0080004A
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00800F3F
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00800091
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00800EF8
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00800F13
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00800EE7
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00800FB9
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00800080
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00800FD4
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0080002F
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00800F2E
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007F0FCA
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 007F0F83
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 007F001B
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 007F000A
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 007F0F9E
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 007F0FAF
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 9F, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 007F0036
.text C:\WINDOWS\system32\svchost.exe[1076] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007D0FEF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC0FEF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC0F4D
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC0F5E
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC002C
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC0F79
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC0F94
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC0F26
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC006E
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC0EE6
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC0F01
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00DC009A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00DC001B
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00DC0FD4
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00DC005D
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00DC0FAF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00DC000A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00DC0089
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DB0047
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DB009F
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DB0036
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DB001B
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DB008E
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DB0000
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00DB0073
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DB0062
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA008C
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA0F97
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA0FA8
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA0065
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA0043
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA0F72
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA00AE
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA0F46
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA0F57
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CA00FA
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CA0054
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CA0FDE
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CA009D
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CA0028
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CA0FCD
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CA00D5
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C80FD4
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C80F8A
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C80025
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C80051
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00C80040
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C80FC3
.text C:\WINDOWS\system32\svchost.exe[1128] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1128] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[1128] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00C90FDE
.text C:\WINDOWS\system32\svchost.exe[1128] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00C90FCD
.text C:\WINDOWS\system32\svchost.exe[1128] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00C9001E
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03A70FEF
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03A70051
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03A70036
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03A70F68
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03A70F79
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03A70FAF
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03A70073
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03A70062
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03A70EE1
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03A70EFC
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 03A70EC6
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 03A70F94
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 03A70FD4
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 03A70F41
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 03A7001B
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 03A7000A
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 03A70084
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 03A5004A
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 03A50FCD
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 03A50FEF
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 03A50025
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 03A5008A
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 03A50000
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 03A50FDE
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ C5, 8B ]
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 03A50065
.text C:\WINDOWS\Explorer.EXE[1696] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 03A60FEF
.text C:\WINDOWS\Explorer.EXE[1696] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 03A60000
.text C:\WINDOWS\Explorer.EXE[1696] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 03A6001B
.text C:\WINDOWS\Explorer.EXE[1696] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 03A6002C
.text C:\WINDOWS\Explorer.EXE[1696] SHELL32.dll!SHFileOperationW 7CA7083C 5 Bytes JMP 01831102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\WINDOWS\Explorer.EXE[1696] ws2_32.dll!socket 71AB4211 5 Bytes JMP 019E0000
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DD0000
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DD007A
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DD0069
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DD0058
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DD0047
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DD0FC0
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DD00AD
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DD009C
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DD0F4A
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DD00E3
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00DD0F39
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00DD0FAF
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00DD0011
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00DD008B
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00DD0FD1
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00DD0022
.text C:\WINDOWS\system32\svchost.exe[1964] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00DD00C8
.text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DC0047
.text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DC0FAF
.text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DC0036
.text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DC001B
.text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DC0FC0
.text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DC0000
.text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00DC0FD1
.text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ FC, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1964] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DC0058
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F5A
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F6B
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F86
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F97
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B002F
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B007E
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F2C
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00B4
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F1B
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001B00C5
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001B0FDE
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001B0F49
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001B0014
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001B0099
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002B0040
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002B001B
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002B007D
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002B0051
.text C:\WINDOWS\system32\wuauclt.exe[3148] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003C0000

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A9212D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F74FF6D0] sput.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7503708] sput.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74DA046] sput.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74DA142] sput.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74DA0C4] sput.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74DA7CE] sput.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74DA6A4] sput.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A7662D8
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!RtlInitUnicodeString] 000000A5
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!swprintf] 000000E5
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeSetEvent] 000000F1
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 00000071
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 000000D8
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 00000031
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!MmFreeMappingAddress] 00000015
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 00000004
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 000000C7
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!MmUnmapIoSpace] 00000023
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 000000C3
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IofCompleteRequest] 00000018
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 00000096
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IofCallDriver] 00000005
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 0000009A
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 00000007
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoConnectInterrupt] 00000012
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoDetachDevice] 00000080
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeWaitForSingleObject] 000000E2
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeInitializeEvent] 000000EB
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeCancelTimer] 00000027
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 000000B2
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!RtlInitAnsiString] 00000075
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 00000009
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoQueueWorkItem] 00000083
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!MmMapIoSpace] 0000002C
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 0000001A
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoReportDetectedDevice] 0000001B
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoReportResourceForDetection] 0000006E
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 0000005A
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!NlsMbCodePageTag] 000000A0
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!PoRequestPowerIrp] 00000052
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 0000003B
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 000000D6
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!sprintf] 000000B3
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 00000029
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!ObfDereferenceObject] 000000E3
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 0000002F
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 00000084
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!ZwClose] 00000053
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] 000000D1
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 00000000
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 000000ED
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 00000020
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoCreateDevice] 000000FC
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 000000B1
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 0000005B
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 0000006A
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!ZwOpenKey] 000000CB
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 000000BE
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoStartTimer] 00000039
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeInitializeTimer] 0000004A
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoInitializeTimer] 0000004C
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeInitializeDpc] 00000058
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeInitializeSpinLock] 000000CF
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoInitializeIrp] 000000D0
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!ZwCreateKey] 000000EF
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 000000AA
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 000000FB
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!ZwSetValueKey] 00000043
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeInsertQueueDpc] 0000004D
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 00000033
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoStartPacket] 00000085
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 00000045
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 000000F9
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoFreeMdl] 00000002
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!MmUnlockPages] 0000007F
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 00000050
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 0000003C
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 0000009F
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 000000A8
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeSynchronizeExecution] 00000051
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoStartNextPacket] 000000A3
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeBugCheckEx] 00000040
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 0000008F
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeSetTimer] 00000092
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!_allmul] 0000009D
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!MmProbeAndLockPages] 00000038
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!_except_handler3] 000000F5
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!PoSetPowerState] 000000BC
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 000000B6
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 000000DA
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] 00000021
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!_aulldiv] 00000010
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!strstr] 000000FF
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!_strupr] 000000F3
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeQuerySystemTime] 000000D2
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 000000CD
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!KeTickCount] 0000000C
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 00000013
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoDeleteDevice] 000000EC
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 0000005F
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00000097
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoAllocateIrp] 00000044
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoAllocateMdl] 00000017
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 000000C4
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!MmLockPagableDataSection] 000000A7
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 0000007E
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 0000003D
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!ExFreePoolWithTag] 00000064
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoFreeIrp] 0000005D
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!IoFreeWorkItem] 00000019
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!InitSafeBootMode] 00000073
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!RtlCompareMemory] 00000060
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!PoCallDriver] 00000081
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!memmove] 0000004F
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[ntoskrnl.exe!MmHighestUserAddress] 000000DC
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\ahqdg7hg.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A98E1F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs PGPsdk.sys (PGP Software Development Kit NT Driver/PGP Corporation)

Device \FileSystem\Fastfat \FatCdrom 8A1C51F8

AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\sptd \Device\1520539568 sput.sys
Device \Driver\usbuhci \Device\USBPDO-0 8A7651F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A91F1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A91F1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A91F1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A91F1F8
Device \Driver\usbuhci \Device\USBPDO-1 8A7651F8
Device \Driver\usbuhci \Device\USBPDO-2 8A7651F8
Device \Driver\usbuhci \Device\USBPDO-3 8A7651F8
Device \Driver\usbehci \Device\USBPDO-4 8A7381F8

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A9911F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CF142465-B381-4DD2-A37C-BCAE48BB2221} 8A5821F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A9911F8
Device \Driver\Cdrom \Device\CdRom0 8A6D43E8
Device \Driver\atapi \Device\Ide\IdePort0 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-5 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort2 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort3 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\00000090 8A50F1F8
Device \Driver\usbstor \Device\00000090 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A5821F8
Device \Driver\usbstor \Device\00000091 8A50F1F8
Device \Driver\usbstor \Device\00000091 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\NetBT \Device\NetbiosSmb 8A5821F8

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbstor \Device\00000096 8A50F1F8
Device \Driver\usbstor \Device\00000096 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\PCI_PNP2068 \Device\0000005d sput.sys
Device \Driver\PCI_PNP2068 \Device\0000005d sput.sys

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbstor \Device\00000097 8A50F1F8
Device \Driver\usbstor \Device\00000097 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbuhci \Device\USBFDO-0 8A7651F8
Device \Driver\usbuhci \Device\USBFDO-1 8A7651F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A51D1F8
Device \Driver\usbuhci \Device\USBFDO-2 8A7651F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A51D1F8
Device \Driver\usbuhci \Device\USBFDO-3 8A7651F8
Device \Driver\usbehci \Device\USBFDO-4 8A7381F8
Device \Driver\Ftdisk \Device\FtControl 8A9911F8
Device \Driver\usbstor \Device\0000008a 8A50F1F8
Device \Driver\usbstor \Device\0000008a sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\iteatapi \Device\Scsi\iteatapi1 8A98F1F8
Device \Driver\ahqdg7hg \Device\Scsi\ahqdg7hg1Port5Path0Target0Lun0 8A7291F8
Device \Driver\ahqdg7hg \Device\Scsi\ahqdg7hg1Port5Path0Target0Lun0 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\ahqdg7hg \Device\Scsi\ahqdg7hg1 8A7291F8
Device \Driver\ahqdg7hg \Device\Scsi\ahqdg7hg1 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\Fastfat \Fat 8A1C51F8

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs 8A5111F8

---- Services - GMER 1.0.14 ----

Service system32\drivers\gaopdxhbocpjkd.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxhbocpjkd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxhbocpjkd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxltyvkfrd.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1856165850
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1712128269
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC8 0x30 0xDC 0xFF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE9 0x8A 0x61 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x85 0xBB 0xE8 0xE8 ...
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxhbocpjkd.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxhbocpjkd.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxltyvkfrd.dll
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE9 0x8A 0x61 0x2D ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x85 0xBB 0xE8 0xE8 ...

---- EOF - GMER 1.0.14 ----


I just installed the 1.33.0.0 version of MBAM with its 1.1673.0.0 manual rules update. I am setting it on a full scan, which will probably take all night again. Let me know if there's anything else I should look at in the meantime.

thanks!
