
Unknown Malware/Rootkit


  • This topic is locked
2 replies to this topic

#1 Phuxing
  • Members
  • 1 posts

Posted 27 August 2009 - 05:20 AM

Ok, well, I was unable to run any kind of HijackThis, DDS or RootRepeal (I can get a Rootkit Unhooker report though).


It started out as the computer hanging up a lot. So I fired up the ole Symantec Corp edition and it found some files related to sejalamo.dll.

RootRepeal showed that I had an MBR rootkit.


I managed to take a screenshot of as far as my HijackThis scan will get.
I would just like to say I've dealt with some nasty ones like Virtumonde, but this one, it's kinda sexy. So far I've seen it's capable of disabling regedit. It deletes System Restore points, leaving one for itself. It can disable the net completely. It disables all forms of anti-spyware I've tried and most rootkit unhookers, even online virus scanners. Pics are done uploading, so I'll stop giving 'em credit ^^

[Screenshot of the HijackThis scan; image not preserved]
RkUnhook report

>SSDT State
NtAlertResumeThread
Actual Address 0x840FE200
Hooked by: Unknown module filename

NtAlertThread
Actual Address 0x840F5380
Hooked by: Unknown module filename

NtAllocateVirtualMemory
Actual Address 0x8406CDC0
Hooked by: Unknown module filename

NtConnectPort
Actual Address 0x8412ABF0
Hooked by: Unknown module filename

NtCreateKey
Actual Address 0xBA10887E
Hooked by: Lbd.sys

NtCreateMutant
Actual Address 0x8404A418
Hooked by: Unknown module filename

NtCreateThread
Actual Address 0x8411B4F0
Hooked by: Unknown module filename

NtDeleteValueKey
Actual Address 0xAD285CB0
Hooked by: C:\Program Files\Symantec\SYMEVENT.SYS

NtEnumerateKey
Actual Address 0xB9EC6CA2
Hooked by: spwc.sys

NtEnumerateValueKey
Actual Address 0xB9EC7030
Hooked by: spwc.sys

NtFreeVirtualMemory
Actual Address 0x84064A60
Hooked by: Unknown module filename

NtImpersonateAnonymousToken
Actual Address 0x8404A2B8
Hooked by: Unknown module filename

NtImpersonateThread
Actual Address 0x840FE678
Hooked by: Unknown module filename

NtMapViewOfSection
Actual Address 0x840F3D30
Hooked by: Unknown module filename

NtOpenEvent
Actual Address 0x8404A4F0
Hooked by: Unknown module filename

NtOpenKey
Actual Address 0xB9EA80C0
Hooked by: spwc.sys

NtOpenProcessToken
Actual Address 0x8411A0E0
Hooked by: Unknown module filename

NtOpenThreadToken
Actual Address 0x8403D338
Hooked by: Unknown module filename

NtQueryKey
Actual Address 0xB9EC7108
Hooked by: spwc.sys

NtQueryValueKey
Actual Address 0x8413AE58
Hooked by: Unknown module filename

NtResumeThread
Actual Address 0x84106190
Hooked by: Unknown module filename

NtSetContextThread
Actual Address 0x8403D748
Hooked by: Unknown module filename

NtSetInformationProcess
Actual Address 0x84111DC0
Hooked by: Unknown module filename

NtSetInformationThread
Actual Address 0x8403D9B0
Hooked by: Unknown module filename

NtSetValueKey
Actual Address 0xAD285F10
Hooked by: C:\Program Files\Symantec\SYMEVENT.SYS

NtSuspendProcess
Actual Address 0x8404A5C8
Hooked by: Unknown module filename

NtSuspendThread
Actual Address 0x8403EF50
Hooked by: Unknown module filename

NtTerminateProcess
Actual Address 0x84114FD0
Hooked by: Unknown module filename

NtTerminateThread
Actual Address 0x840F42C8
Hooked by: Unknown module filename

NtUnmapViewOfSection
Actual Address 0x84066B28
Hooked by: Unknown module filename

NtWriteVirtualMemory
Actual Address 0x8412AE70
Hooked by: Unknown module filename

>Shadow
>Processes
>Drivers
>Stealth
Unknown page with executable code
Address: 0x83A01B7D
Size: 1155
Unknown page with executable code
Address: 0x83A13F2C
Size: 212
>Files
>Hooks
ntkrnlpa.exe+0x0002A0D4, Type: Inline - RelativeJump at address 0x805010D4 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002A19C, Type: Inline - RelativeJump at address 0x8050119C hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002A484, Type: Inline - RelativeJump at address 0x80501484 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x00069C2A, Type: Inline - RelativeJump at address 0x80540C2A hook handler located in [ntkrnlpa.exe]
[1072]SPBBCSvc.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - RelativeJump at address 0x77DEA7B1 hook handler located in [unknown_code_page]
[1072]SPBBCSvc.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B6 hook handler located in [unknown_code_page]
[1072]SPBBCSvc.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B7 hook handler located in [unknown_code_page]
[1072]SPBBCSvc.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - RelativeJump at address 0x77DEA544 hook handler located in [unknown_code_page]
[1072]SPBBCSvc.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA549 hook handler located in [unknown_code_page]
[1072]SPBBCSvc.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA54A hook handler located in [unknown_code_page]
[1072]SPBBCSvc.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - RelativeJump at address 0x77DF1558 hook handler located in [unknown_code_page]
[1072]SPBBCSvc.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155D hook handler located in [unknown_code_page]
[1072]SPBBCSvc.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155E hook handler located in [unknown_code_page]
[1072]SPBBCSvc.exe-->user32.dll-->TranslateMessage, Type: IAT modification at address 0x004B95C4 hook handler located in [unknown_code_page]
[1072]SPBBCSvc.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[1072]SPBBCSvc.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[1088]svchost.exe-->gdi32.dll+0x00007CE3, Type: Inline - RelativeCall at address 0x77F17CE3 hook handler located in [1696CCA0.x86.dll]
[1088]svchost.exe-->gdi32.dll+0x00007EC1, Type: Inline - RelativeCall at address 0x77F17EC1 hook handler located in [1696CCA0.x86.dll]
[1088]svchost.exe-->gdi32.dll-->ExtTextOutW, Type: Inline - RelativeJump at address 0x77F17EC6 hook handler located in [gdi32.dll]
[1088]svchost.exe-->gdi32.dll-->TextOutW, Type: Inline - RelativeJump at address 0x77F17CE8 hook handler located in [gdi32.dll]
[1088]svchost.exe-->user32.dll+0x000105CD, Type: Inline - RelativeCall at address 0x77D505CD hook handler located in [1696CCA0.x86.dll]
[1088]svchost.exe-->user32.dll-->DrawTextExW, Type: Inline - RelativeJump at address 0x77D505D2 hook handler located in [user32.dll]
[1524]Rtvscan.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - RelativeJump at address 0x77DEA7B1 hook handler located in [unknown_code_page]
[1524]Rtvscan.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B6 hook handler located in [unknown_code_page]
[1524]Rtvscan.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B7 hook handler located in [unknown_code_page]
[1524]Rtvscan.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - RelativeJump at address 0x77DEA544 hook handler located in [unknown_code_page]
[1524]Rtvscan.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA549 hook handler located in [unknown_code_page]
[1524]Rtvscan.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA54A hook handler located in [unknown_code_page]
[1524]Rtvscan.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - RelativeJump at address 0x77DF1558 hook handler located in [unknown_code_page]
[1524]Rtvscan.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155D hook handler located in [unknown_code_page]
[1524]Rtvscan.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155E hook handler located in [unknown_code_page]
[1524]Rtvscan.exe-->user32.dll-->TranslateMessage, Type: IAT modification at address 0x0054387C hook handler located in [unknown_code_page]
[1524]Rtvscan.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[1524]Rtvscan.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[1576]svchost.exe-->gdi32.dll+0x00007CE3, Type: Inline - RelativeCall at address 0x77F17CE3 hook handler located in [1696CCA0.x86.dll]
[1576]svchost.exe-->gdi32.dll+0x00007EC1, Type: Inline - RelativeCall at address 0x77F17EC1 hook handler located in [1696CCA0.x86.dll]
[1576]svchost.exe-->gdi32.dll-->ExtTextOutW, Type: Inline - RelativeJump at address 0x77F17EC6 hook handler located in [gdi32.dll]
[1576]svchost.exe-->gdi32.dll-->TextOutW, Type: Inline - RelativeJump at address 0x77F17CE8 hook handler located in [gdi32.dll]
[1576]svchost.exe-->user32.dll+0x000105CD, Type: Inline - RelativeCall at address 0x77D505CD hook handler located in [1696CCA0.x86.dll]
[1576]svchost.exe-->user32.dll-->DrawTextExW, Type: Inline - RelativeJump at address 0x77D505D2 hook handler located in [user32.dll]
[1748]svchost.exe-->gdi32.dll+0x00007CE3, Type: Inline - RelativeCall at address 0x77F17CE3 hook handler located in [1696CCA0.x86.dll]
[1748]svchost.exe-->gdi32.dll+0x00007EC1, Type: Inline - RelativeCall at address 0x77F17EC1 hook handler located in [1696CCA0.x86.dll]
[1748]svchost.exe-->gdi32.dll-->ExtTextOutW, Type: Inline - RelativeJump at address 0x77F17EC6 hook handler located in [gdi32.dll]
[1748]svchost.exe-->gdi32.dll-->TextOutW, Type: Inline - RelativeJump at address 0x77F17CE8 hook handler located in [gdi32.dll]
[1748]svchost.exe-->user32.dll+0x000105CD, Type: Inline - RelativeCall at address 0x77D505CD hook handler located in [1696CCA0.x86.dll]
[1748]svchost.exe-->user32.dll-->DrawTextExW, Type: Inline - RelativeJump at address 0x77D505D2 hook handler located in [user32.dll]
[1792]explorer.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - RelativeJump at address 0x77DEA7B1 hook handler located in [unknown_code_page]
[1792]explorer.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B6 hook handler located in [unknown_code_page]
[1792]explorer.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B7 hook handler located in [unknown_code_page]
[1792]explorer.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - RelativeJump at address 0x77DEA544 hook handler located in [unknown_code_page]
[1792]explorer.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA549 hook handler located in [unknown_code_page]
[1792]explorer.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA54A hook handler located in [unknown_code_page]
[1792]explorer.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - RelativeJump at address 0x77DF1558 hook handler located in [unknown_code_page]
[1792]explorer.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155D hook handler located in [unknown_code_page]
[1792]explorer.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155E hook handler located in [unknown_code_page]
[1792]explorer.exe-->gdi32.dll+0x00007CE3, Type: Inline - RelativeCall at address 0x77F17CE3 hook handler located in [1696CCA0.x86.dll]
[1792]explorer.exe-->gdi32.dll+0x00007EC1, Type: Inline - RelativeCall at address 0x77F17EC1 hook handler located in [1696CCA0.x86.dll]
[1792]explorer.exe-->gdi32.dll-->ExtTextOutW, Type: Inline - RelativeJump at address 0x77F17EC6 hook handler located in [gdi32.dll]
[1792]explorer.exe-->gdi32.dll-->TextOutW, Type: Inline - RelativeJump at address 0x77F17CE8 hook handler located in [gdi32.dll]
[1792]explorer.exe-->user32.dll+0x000105CD, Type: Inline - RelativeCall at address 0x77D505CD hook handler located in [1696CCA0.x86.dll]
[1792]explorer.exe-->user32.dll-->DrawTextExW, Type: Inline - RelativeJump at address 0x77D505D2 hook handler located in [user32.dll]
[1792]explorer.exe-->user32.dll-->TranslateMessage, Type: IAT modification at address 0x01001428 hook handler located in [unknown_code_page]
[1792]explorer.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB9639 hook handler located in [unknown_code_page]
[1792]explorer.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[1792]explorer.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[1792]explorer.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[1792]explorer.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71AB6233 hook handler located in [unknown_code_page]
[1852]DefWatch.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - RelativeJump at address 0x77DEA7B1 hook handler located in [unknown_code_page]
[1852]DefWatch.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B6 hook handler located in [unknown_code_page]
[1852]DefWatch.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B7 hook handler located in [unknown_code_page]
[1852]DefWatch.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - RelativeJump at address 0x77DEA544 hook handler located in [unknown_code_page]
[1852]DefWatch.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA549 hook handler located in [unknown_code_page]
[1852]DefWatch.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA54A hook handler located in [unknown_code_page]
[1852]DefWatch.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - RelativeJump at address 0x77DF1558 hook handler located in [unknown_code_page]
[1852]DefWatch.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155D hook handler located in [unknown_code_page]
[1852]DefWatch.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155E hook handler located in [unknown_code_page]
[1852]DefWatch.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[1852]DefWatch.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[2168]wmpnetwk.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - RelativeJump at address 0x77DEA7B1 hook handler located in [unknown_code_page]
[2168]wmpnetwk.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B6 hook handler located in [unknown_code_page]
[2168]wmpnetwk.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B7 hook handler located in [unknown_code_page]
[2168]wmpnetwk.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - RelativeJump at address 0x77DEA544 hook handler located in [unknown_code_page]
[2168]wmpnetwk.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA549 hook handler located in [unknown_code_page]
[2168]wmpnetwk.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA54A hook handler located in [unknown_code_page]
[2168]wmpnetwk.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - RelativeJump at address 0x77DF1558 hook handler located in [unknown_code_page]
[2168]wmpnetwk.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155D hook handler located in [unknown_code_page]
[2168]wmpnetwk.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155E hook handler located in [unknown_code_page]
[2168]wmpnetwk.exe-->gdi32.dll+0x00007CE3, Type: Inline - RelativeCall at address 0x77F17CE3 hook handler located in [1696CCA0.x86.dll]
[2168]wmpnetwk.exe-->gdi32.dll+0x00007EC1, Type: Inline - RelativeCall at address 0x77F17EC1 hook handler located in [1696CCA0.x86.dll]
[2168]wmpnetwk.exe-->gdi32.dll-->ExtTextOutW, Type: Inline - RelativeJump at address 0x77F17EC6 hook handler located in [gdi32.dll]
[2168]wmpnetwk.exe-->gdi32.dll-->TextOutW, Type: Inline - RelativeJump at address 0x77F17CE8 hook handler located in [gdi32.dll]
[2168]wmpnetwk.exe-->user32.dll+0x000105CD, Type: Inline - RelativeCall at address 0x77D505CD hook handler located in [1696CCA0.x86.dll]
[2168]wmpnetwk.exe-->user32.dll-->DrawTextExW, Type: Inline - RelativeJump at address 0x77D505D2 hook handler located in [user32.dll]
[2168]wmpnetwk.exe-->user32.dll-->TranslateMessage, Type: IAT modification at address 0x0100141C hook handler located in [unknown_code_page]
[2168]wmpnetwk.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[2168]wmpnetwk.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[236]ccSetMgr.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - RelativeJump at address 0x77DEA7B1 hook handler located in [unknown_code_page]
[236]ccSetMgr.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B6 hook handler located in [unknown_code_page]
[236]ccSetMgr.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B7 hook handler located in [unknown_code_page]
[236]ccSetMgr.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - RelativeJump at address 0x77DEA544 hook handler located in [unknown_code_page]
[236]ccSetMgr.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA549 hook handler located in [unknown_code_page]
[236]ccSetMgr.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA54A hook handler located in [unknown_code_page]
[236]ccSetMgr.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - RelativeJump at address 0x77DF1558 hook handler located in [unknown_code_page]
[236]ccSetMgr.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155D hook handler located in [unknown_code_page]
[236]ccSetMgr.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155E hook handler located in [unknown_code_page]
[236]ccSetMgr.exe-->user32.dll-->TranslateMessage, Type: IAT modification at address 0x00418278 hook handler located in [unknown_code_page]
[236]ccSetMgr.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[236]ccSetMgr.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[2484]firefox.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - RelativeJump at address 0x77DEA7B1 hook handler located in [unknown_code_page]
[2484]firefox.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B6 hook handler located in [unknown_code_page]
[2484]firefox.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B7 hook handler located in [unknown_code_page]
[2484]firefox.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - RelativeJump at address 0x77DEA544 hook handler located in [unknown_code_page]
[2484]firefox.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA549 hook handler located in [unknown_code_page]
[2484]firefox.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA54A hook handler located in [unknown_code_page]
[2484]firefox.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - RelativeJump at address 0x77DF1558 hook handler located in [unknown_code_page]
[2484]firefox.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155D hook handler located in [unknown_code_page]
[2484]firefox.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155E hook handler located in [unknown_code_page]
[2484]firefox.exe-->gdi32.dll+0x00007CE3, Type: Inline - RelativeCall at address 0x77F17CE3 hook handler located in [1696CCA0.x86.dll]
[2484]firefox.exe-->gdi32.dll+0x00007EC1, Type: Inline - RelativeCall at address 0x77F17EC1 hook handler located in [1696CCA0.x86.dll]
[2484]firefox.exe-->gdi32.dll-->ExtTextOutW, Type: Inline - RelativeJump at address 0x77F17EC6 hook handler located in [gdi32.dll]
[2484]firefox.exe-->gdi32.dll-->TextOutW, Type: Inline - RelativeJump at address 0x77F17CE8 hook handler located in [gdi32.dll]
[2484]firefox.exe-->user32.dll+0x000105CD, Type: Inline - RelativeCall at address 0x77D505CD hook handler located in [1696CCA0.x86.dll]
[2484]firefox.exe-->user32.dll-->DrawTextExW, Type: Inline - RelativeJump at address 0x77D505D2 hook handler located in [user32.dll]
[2484]firefox.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[2484]firefox.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[2560]alg.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - RelativeJump at address 0x77DEA7B1 hook handler located in [unknown_code_page]
[2560]alg.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B6 hook handler located in [unknown_code_page]
[2560]alg.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B7 hook handler located in [unknown_code_page]
[2560]alg.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - RelativeJump at address 0x77DEA544 hook handler located in [unknown_code_page]
[2560]alg.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA549 hook handler located in [unknown_code_page]
[2560]alg.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA54A hook handler located in [unknown_code_page]
[2560]alg.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - RelativeJump at address 0x77DF1558 hook handler located in [unknown_code_page]
[2560]alg.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155D hook handler located in [unknown_code_page]
[2560]alg.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155E hook handler located in [unknown_code_page]
[2560]alg.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[2560]alg.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[2692]ccApp.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - RelativeJump at address 0x77DEA7B1 hook handler located in [unknown_code_page]
[2692]ccApp.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B6 hook handler located in [unknown_code_page]
[2692]ccApp.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B7 hook handler located in [unknown_code_page]
[2692]ccApp.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - RelativeJump at address 0x77DEA544 hook handler located in [unknown_code_page]
[2692]ccApp.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA549 hook handler located in [unknown_code_page]
[2692]ccApp.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA54A hook handler located in [unknown_code_page]
[2692]ccApp.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - RelativeJump at address 0x77DF1558 hook handler located in [unknown_code_page]
[2692]ccApp.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155D hook handler located in [unknown_code_page]
[2692]ccApp.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155E hook handler located in [unknown_code_page]
[2692]ccApp.exe-->gdi32.dll+0x00007CE3, Type: Inline - RelativeCall at address 0x77F17CE3 hook handler located in [1696CCA0.x86.dll]
[2692]ccApp.exe-->gdi32.dll+0x00007EC1, Type: Inline - RelativeCall at address 0x77F17EC1 hook handler located in [1696CCA0.x86.dll]
[2692]ccApp.exe-->gdi32.dll-->ExtTextOutW, Type: Inline - RelativeJump at address 0x77F17EC6 hook handler located in [gdi32.dll]
[2692]ccApp.exe-->gdi32.dll-->TextOutW, Type: Inline - RelativeJump at address 0x77F17CE8 hook handler located in [gdi32.dll]
[2692]ccApp.exe-->user32.dll+0x000105CD, Type: Inline - RelativeCall at address 0x77D505CD hook handler located in [1696CCA0.x86.dll]
[2692]ccApp.exe-->user32.dll-->DrawTextExW, Type: Inline - RelativeJump at address 0x77D505D2 hook handler located in [user32.dll]
[2692]ccApp.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[2692]ccApp.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[2700]VPTray.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - RelativeJump at address 0x77DEA7B1 hook handler located in [unknown_code_page]
[2700]VPTray.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B6 hook handler located in [unknown_code_page]
[2700]VPTray.exe-->advapi32.dll-->CryptDecrypt, Type: Inline - SEH at address 0x77DEA7B7 hook handler located in [unknown_code_page]
[2700]VPTray.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - RelativeJump at address 0x77DEA544 hook handler located in [unknown_code_page]
[2700]VPTray.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA549 hook handler located in [unknown_code_page]
[2700]VPTray.exe-->advapi32.dll-->CryptDestroyKey, Type: Inline - SEH at address 0x77DEA54A hook handler located in [unknown_code_page]
[2700]VPTray.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - RelativeJump at address 0x77DF1558 hook handler located in [unknown_code_page]
[2700]VPTray.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155D hook handler located in [unknown_code_page]
[2700]VPTray.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - SEH at address 0x77DF155E hook handler located in [unknown_code_page]
[2700]VPTray.exe-->gdi32.dll+0x00007CE3, Type: Inline - RelativeCall at address 0x77F17CE3 hook handler located in [1696CCA0.x86.dll]
[2700]VPTray.exe-->gdi32.dll+0x00007EC1, Type: Inline - RelativeCall at address 0x77F17EC1 hook handler located in [1696CCA0.x86.dll]
[2700]VPTray.exe-->gdi32.dll-->ExtTextOutW, Type: Inline - RelativeJump at address 0x77F17EC6 hook handler located in [gdi32.dll]
[2700]VPTray.exe-->gdi32.dll-->TextOutW, Type: Inline - RelativeJump at address 0x77F17CE8 hook handler located in [gdi32.dll]
[2700]VPTray.exe-->user32.dll+0x000105CD, Type: Inline - RelativeCall at address 0x77D505CD hook handler located in [1696CCA0.x86.dll]
[2700]VPTray.exe-->user32.dll-->DrawTextExW, Type: Inline - RelativeJump at address 0x77D505D2 hook handler located in [user32.dll]
[2700]VPTray.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[2700]VPTray.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[3668]FI.exe-->advapi32.dll-->AdjustTokenPrivileges, Type: IAT modification at address 0x0041C4F4 hook handler located in [unknown_code_page]
[3668]FI.exe-->advapi32.dll-->GetExplicitEntriesFromAclA, Type: IAT modification at address 0x0041C4F0 hook handler located in [unknown_code_page]
[3668]FI.exe-->advapi32.dll-->GetFileSecurityW, Type: IAT modification at address 0x0041C4DC hook handler located in [unknown_code_page]
[3668]FI.exe-->advapi32.dll-->GetSecurityDescriptorDacl, Type: IAT modification at address 0x0041C4FC hook handler located in [unknown_code_page]
[3668]FI.exe-->advapi32.dll-->GetSecurityDescriptorGroup, Type: IAT modification at address 0x0041C4E8 hook handler located in [unknown_code_page]
[3668]FI.exe-->advapi32.dll-->GetSecurityDescriptorOwner, Type: IAT modification at address 0x0041C4D8 hook handler located in [unknown_code_page]
[3668]FI.exe-->advapi32.dll-->GetSecurityDescriptorSacl, Type: IAT modification at address 0x0041C4CC hook handler located in [unknown_code_page]
[3668]FI.exe-->advapi32.dll-->InitializeSecurityDescriptor, Type: IAT modification at address 0x0041C4F8 hook handler located in [unknown_code_page]
[3668]FI.exe-->advapi32.dll-->IsTextUnicode, Type: IAT modification at address 0x0041C4EC hook handler located in [unknown_code_page]
[3668]FI.exe-->advapi32.dll-->LookupAccountNameA, Type: IAT modification at address 0x0041C4E4 hook handler located in [unknown_code_page]
[3668]FI.exe-->advapi32.dll-->LookupAccountSidA, Type: IAT modification at address 0x0041C4E0 hook handler located in [unknown_code_page]
[3668]FI.exe-->advapi32.dll-->LookupPrivilegeValueA, Type: IAT modification at address 0x0041C4D4 hook handler located in [unknown_code_page]
[3668]FI.exe-->advapi32.dll-->OpenProcessToken, Type: IAT modification at address 0x0041C4D0 hook handler located in [unknown_code_page]
[3668]FI.exe-->advapi32.dll-->SetSecurityDescriptorDacl, Type: IAT modification at address 0x0041C4C8 hook handler located in [unknown_code_page]
[3668]FI.exe-->kernel32.dll-->BackupRead, Type: IAT modification at address 0x0041C304 hook handler located in [unknown_code_page]
[3668]FI.exe-->kernel32.dll-->BackupSeek, Type: IAT modification at address 0x0041C2F8 hook handler located in [unknown_code_page]
[3668]FI.exe-->kernel32.dll-->CloseHandle, Type: IAT modification at address 0x0041C3D8 hook handler located in [unknown_code_page]
[3668]FI.exe-->kernel32.dll-->CreateFileA, Type: IAT modification at address 0x0041C3E8 hook handler located in [unknown_code_page]
[3668]FI.exe-->kernel32.dll-->CreateFileW, Type: IAT modification at address 0x0041C314 hook handler located in [unknown_code_page]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

Uploaded in case I was supposed to.

Edited by Phuxing, 27 August 2009 - 05:25 AM.


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender: Male
  • Local time: 03:03 PM

Posted 10 September 2009 - 05:32 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon your reply another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

Please reply with the update and someone will be with you shortly.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas
  • Local time: 02:03 PM

Posted 20 September 2009 - 04:25 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



