Rootkit.TDSS detected but not removed


14 replies to this topic

#1 friskysman


Posted 31 August 2009 - 09:16 PM

The problem is with my wife’s computer so I’m not 100 percent familiar with her specs, but she’s running Windows XP Home edition on a Gateway 450ROG. The issues first started when her McAfee subscription ended a month or two ago. I get the software through work for free and I’ve had problems in the past updating an out-of-date subscription so I took a little while to get to it. Finally yesterday I got the McAfee install file and went through the process to reinstall it (without installing the old version…just wanted to see if that would work). Everything seemed normal but during the middle of that, something popped up about updating to the newest IE, so I went ahead and did that. Yes, I had McAfee and IE installing at the same time. Probably not the smartest thing I’ve ever done.

When that was all done, I rebooted and it came up with my wife’s wallpaper but no desktop icons or anything. I let it sit for a while thinking maybe it was just taking a while to finish with whatever it had been doing before but it never went anywhere from there. So that’s problem number one. I ctrl-alt-del into task manager. From there I can see that “explorer.exe” isn’t running so I manually start it and it comes up just fine. From there, I do a virus scan and it finds 8 problems. Six of those it fixes but 2 remain. One, called twext.exe, allows me to remove it so I do. The second is a file called “winlogon.exe” and it doesn’t give me any option at all.

So I reboot thinking I’ll try another scan and see what it lets me do. Comes up with just the wallpaper again. Try to manually start explorer and it gives me a blue screen error. We’ll call this problem 2a. Reboot and get back to the wallpaper and task manager. I try to start McAfee from there but can’t find the file that needs to be opened to do a scan. So now I want to start in safe mode and see what I can do from there but holding down F8 during reboot doesn’t get me there. So I go back to task manager and open msconfig (I know, it’s like you’re watching a horror movie right now and you’re yelling at the screen, “No no!!”) I go to the Boot.ini tab and, yep, I change it to boot in safe mode. Ugh. Reboot and now the safe mode options come up but no matter what I do, it gives me the blue screen error. And there’s problem 2.

Call my dad and he points out that he once gave me a Bart PE CD. I scrounge that up and boot to the CD. So now I’m in Bart but, not being an expert (obviously), I’m not sure what all I can do so I just start looking around. I try running an up-to-date version of McAfee Stinger but it doesn’t find anything. I put Spybot on a USB drive and install that. It runs and finds a few things, among them win32.agent.pz and win32.zbot. I’m able to remove all but two files under win32.zbot which were user.dll and something else .dll. Darn my memory. Anyway, when I scan again, nothing is found. Still gives me the blue screen error though when I try to start up in any mode. Then I read about how bad it was to change the boot.ini file. Oops. But it gives me the idea to rename the file to boot.ini.bak, the idea being this will let me start up and then I can change the file name back and fix it in msconfig. I do this and YES it starts up. Wallpaper comes up but within seconds, it logs me off to the user select screen. Choose user1 and it gives me the start up music and immediately logs me off again. Problem 3. I look up this problem and it seems pretty common. The solution is as follows:

"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
Value: Userinit
Data: %system32%\wsaupdater.exe
"

%system32% represents the path to the System32 folder. For example, if the path is C:\Windows\System32, then the data would be: "C:\Windows\System32\wsaupdater.exe"

Instead of "wsaupdater.exe", the data should contain "userinit.exe,".
Using the example above, the data would be "C:\Windows\System32\userinit.exe,"
(!Note! the comma following the file path information.)

Using XP's Recovery Console, copy userinit.exe to wsaupdater.exe to allow log on capability to be restored, and correct the registry data manually.

In the following instructions, C:\Windows\System32 shall be used as the System32 location. Change the path accordingly to accommodate for your installation directory.

Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.

When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console.
When you are prompted to do so, type the Administrator password.

If the administrator password is blank (which is likely the case if Windows XP was preinstalled by your computer manufacturer), just press ENTER.

You should now be in the Windows installation folder ("C:\Windows").
At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:

"
cd system32
copy userinit.exe wsaupdater.exe
exit
"
At this time, remove the startup floppy or CD-ROM from your system, and boot into Windows XP. Log on to the system using an account with administrator-level privileges, and edit the registry using this information. It is recommended that a registry backup be created prior to continuing.

Click start, then run. Enter

regedit

and click OK. Using RegEdit, expand

HKEY_LOCAL_MACHINE
+Software
+Microsoft
+Windows NT
+CurrentVersion
+Winlogon

Locate Userinit in the value column, right-click this item, and choose modify. Replace
"wsaupdater.exe" with "userinit.exe," (do not use quotes, and ensure the trailing comma is present as shown) and click OK.
Exit RegEdit.

Restart your computer, and log on to the system using an account with administrator-level privileges.

Go to My Computer, then to the System32 folder (usually C:, then Windows, then System32). If Explorer prompts that removing files from these areas is not recommended, click to continue. Locate and remove wsaupdater.exe, and delete this file.

http://www.ntcompatible.com/thread31505-1.html


Unfortunately I could not do all of that exactly because I don’t have a Windows XP CD that would allow me to get to the recovery console. But I did have the Bart PE CD which enabled me to access the System32 folder as well as the registry. So I manually followed those directions as best as I could and did this:

Insert the BartPE CD into the drive, and boot the system from the CD. Once the file loading phase is over, the Bart PE desktop will be visible, as shown in Figure 1.
Type Regedit.exe in the prompt, and press Enter. Select the HKEY_USERS hive
From the File menu, choose the Load Hive option. Browse to your Windows installation drive, for example the following location:
C:\Windows\System32\Config\

Select the file named SOFTWARE (the file without any extensions), and click Open (Note: with this option, regedit would not let me access the C drive files, only the E drive (the Bart CD) and the D drive (flash drive), so I used Bart to copy the file to my flash drive and opened it from there)
Type a name for the hive that you've loaded now. (Example: MyXPHive)
Now the SOFTWARE hive is loaded, and present under the HKEY_USERS base hive.
In order to fix the Userinit value in the loaded hive, navigate to the following location:
HKEY_USERS \ MyXPHive \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon

Double-click Userinit and set its value correctly. Example: Set its data as follows:
C:\Windows\System32\Userinit.exe,

(Include the trailing comma also. The above assumes that Windows is installed in C:\Windows, and Userinit.exe file is actually present in the System32 folder. You may want to verify that as well.)

After entering the correct data, you MUST unload the Hive. To do so, select MyXPHive branch, and then in the File menu, choose Unload Hive. It's important to note that you'll need to select the MyXPHive branch first, before unloading it.
Quit BartPE and restart Windows. See if you're able to logon to your profile.

http://windowsxp.mvps.org/peboot.htm


Unfortunately, when I reboot, the logoff problem was still there. So, I was sort of uncertain about the userinit and wsaupdater files. I looked in the System32 folder and saw I had the userinit but not the wsaupdater. I had read that this problem stems from the wsaupdater file being deleted so, again, I tried to manually follow the instructions and using the explorer function of the Bart CD I made a copy of the userinit.exe file and renamed it wsaupdater.exe. Rebooted, same problem. At that point, 12 hours after the initial problem surfaced, it was time to go to bed.

Tonight I have mainly been concentrating on using Bart to save important files from the hard drive. I’ve now saved pretty much everything that my wife wants so I could do a reinstall of Windows…..if only we had a Windows XP Home CD. Her computer did not come with one. Short of being able to get that CD, I’m not sure what to do now. Any advice is appreciated.

Edited by friskysman, 31 August 2009 - 09:20 PM.
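The Userinit repair quoted in this post is easy to get subtly wrong (wrong program, missing trailing comma, or a file that is not actually in System32). The following is an added example, not from the thread or either of the quoted guides: a Python checker for a Winlogon Userinit value, assuming the System32 path and the list of files present there are supplied by whoever runs it (for instance gathered from the offline disk in BartPE).

```python
"""Check a Winlogon Userinit value for the tampering pattern described above.

Added example (not from the thread). Userinit is a comma-separated list of
programs Winlogon runs at logon; on XP it should be exactly
"<system32>\\userinit.exe," with the trailing comma. A value pointing at a
program such as wsaupdater.exe, or at a file that no longer exists in System32,
produces the "logs off immediately after logon" loop from post #1.
"""
import ntpath
import re
from dataclasses import dataclass, field

EXPECTED_BASENAME = "userinit.exe"


@dataclass
class UserinitReport:
    value: str
    entries: list = field(default_factory=list)
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def expand_system32(path: str, system32: str) -> str:
    """Expand the %system32% placeholder used in the quoted fix (case-insensitive).
    A lambda is used because a literal replacement would treat backslashes as escapes."""
    return re.sub(r"%system32%", lambda _m: system32, path, flags=re.IGNORECASE)


def check_userinit(value: str, system32: str = r"C:\Windows\System32",
                   present_files=()) -> UserinitReport:
    """Validate a Userinit value.

    present_files: basenames actually present in System32 (assumed to be collected
    by the caller, e.g. from an offline disk); pass nothing to skip that check.
    """
    present = {f.lower() for f in present_files}
    report = UserinitReport(value=value)

    if not value.strip():
        report.findings.append("Userinit is empty: nothing will start the shell at logon")
        return report
    if not value.rstrip().endswith(","):
        report.findings.append("missing trailing comma after the last entry")

    report.entries = [e.strip() for e in value.split(",") if e.strip()]
    seen_basenames = []
    for raw in report.entries:
        path = expand_system32(raw, system32)
        base = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower()
        seen_basenames.append(base)
        if base != EXPECTED_BASENAME:
            report.findings.append(f"unexpected program in Userinit: {raw}")
        elif directory != system32.lower():
            report.findings.append(f"userinit.exe loaded from an unexpected directory: {path}")
        # Existence can only be judged for entries that resolve into System32
        if present and directory in ("", system32.lower()) and base not in present:
            report.findings.append(f"{raw} does not exist in System32: logon would fail")

    if EXPECTED_BASENAME not in seen_basenames:
        report.findings.append("userinit.exe is missing from the list entirely")
    return report


if __name__ == "__main__":
    for v in (r"C:\Windows\System32\userinit.exe,", r"%system32%\wsaupdater.exe"):
        r = check_userinit(v, present_files=["userinit.exe"])
        print(f"{v!r}: {'OK' if r.ok else r.findings}")
```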



#2 friskysman


Posted 01 September 2009 - 05:59 PM

Well, it occurred this me this morning that perhaps when I ran regedit using the Bart disk, it was running from the CD and not the C drive. So I used the explorer function on the Bart CD to find regedit under the C drive and modified the userinit.exe file in that manner. Rebooted and whalla (is that spelled right?)!!! Boots to the desktop like it should and everything. Taking a quick look around, I don't think we're exactly back to normal yet. For one, I can't find the boot.ini file where I last left it and the boot.ini tab doesn't come up in msconfig. Right now I'm scanning with Spybot. It's not too far in but already found Win32Agent.pz. Anyway, I'll keep looking around and see what I can discover and update this thread accordingly. Any suggestions welcome, of course.

Edited by friskysman, 01 September 2009 - 06:00 PM.


#3 friskysman


Posted 02 September 2009 - 08:17 AM

I’m starting to see the light at the end of the tunnel but I would still like a little advice from anyone who might have the knowledge. First, a quick update.

When I was finally able to boot up Windows yesterday, I began doing scans with Spybot and McAfee. Spybot found the aforementioned Win32.Agent.pz and was able to fix it. McAfee didn’t find anything (at first). I still had the issue with my boot.ini file but now I couldn’t find the one I had renamed and the boot.ini tab wasn’t showing up in msconfig. Did a little research and ended up going to "my computer…advanced…startup and recovery" and hit the “edit” button and it said there wasn’t a boot file, would I like to create it? Yes. Then I copied the information from the boot file on another computer, saved, reboot, and now I was no longer getting any errors whatsoever. Ran Windows update and it installed a couple things. Wanted to do a last scan with McAfee because I don’t really trust this thing yet. I forced an update with McAfee and it downloaded updates to the Security Agent and to VirusScan and rebooted. Then did a scan and went to bed. This morning I was dismayed to see it had discovered two problems, both instances of Generic Downloader.x!bcc. The files involved were RDL49.TMP.EXE and DARKSIDE[1].EXE. I was able to quarantine both of these but I’m not sure if I need to do anything more than that. I had to go to work so I ran another scan and will check it when I get home. Before I left, I looked in the log and wrote down the problem files that I’ve had over the last few days in addition to those just mentioned. Here they are:

Two instances of Artemis!87B37A0CC349 with the files being RDL4B.TMP.EXE and 111_[1].exe

One instance of Artemis!72B39460C87B, file being INSTALL[1].EXE

Five instances of Spy-agent.bw!mem. I was able to remove or quarantine sdra64.exe, twex.exe and ntos.exe. Two other files, winlogon.exe and twext.exe presented problems. Twext.exe said “quarantine failed.” After the scan, it gave me an option to remove it so I did. Winlogon.exe I couldn’t do anything with and it was soon after finding that that I began to spiral into all the problems you have read about above. Currently, neither of these files are coming up during scans.

We’ll see what McAfee finds when I get home this evening, but even if it says it is clean, I am still having a problem trusting that this computer is truly clean. My main question for all of you is: is there a program or programs that I can run that will ensure that everything is okay now? And based on the problems I have had, is there anything you recommend I do in addition to what I’ve already done?

Thanks, everybody.

#4 friskysman


Posted 02 September 2009 - 11:00 PM

I've been recently working through some problems on my wife's laptop (running Windows XP Home SP3) which are detailed in this thread: http://www.bleepingcomputer.com/forums/topic254116.html. I am starting a new thread because I've solved pretty much all of those problems and the remaining problem is quite simple to explain but I think solving it would be hampered by being part of such a convoluted mess that made up my last thread. I hope this is acceptable. If you want to look at what I've been through prior to this, you can check it out. But right now the main issue is that Malwarebytes' Anti-Malware is continually identifying "Rootkit.TDSS" but when I remove it and reboot, it is back. I can't say what the symptoms are aside from the computer running extremely slow. Since I've been through so many problems previous to this, I have not been using the computer for any normal operation and, therefore, don't know if anything else is being affected.

Here are two logs from the last two scans I did with MBAM. The first one details 19 problems, all of which were fixed but one, which is again detailed in the second log. After the second log, I ran the scan again and got the same result.


Malwarebytes' Anti-Malware 1.40
Database version: 2732
Windows 5.1.2600 Service Pack 3

9/2/2009 8:06:06 PM
mbam-log-2009-09-02 (20-06-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 133944
Time elapsed: 1 hour(s), 26 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmxjcxiwwk (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\logon.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmqjpwmrqh.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\user1\Local Settings\Temp\kbiwkmswtnemuecb.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmboscqxwp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmxlyarssd.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\kbiwkmpkbftivm.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsaupdater.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common\helper.sig (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common\helper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl4A.tmp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


-----------------------------

Malwarebytes' Anti-Malware 1.40
Database version: 2732
Windows 5.1.2600 Service Pack 3

9/2/2009 9:38:27 PM
mbam-log-2009-09-02 (21-38-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 133608
Time elapsed: 1 hour(s), 10 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmxjcxiwwk (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 Blade

  • Site Admin

Posted 02 September 2009 - 11:16 PM

Hello and :thumbsup: to BleepingComputer.

You're not out of the woods quite yet. Let's see what we're looking at here.

Please install RootRepeal
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."

Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt Tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#6 friskysman


Posted 03 September 2009 - 05:48 PM

Thanks for your help, Blade. Here is the Root Repeal log:



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/03 18:37
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xBACD5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8C35000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7A68000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\mcafee_tp7hhgk1dtoqvzw
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_umrd3ty59aoftd6
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_xmyhxzclagrpylt
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\perflib_perfdata_158.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\sqlite_owuggewxsgbcg96
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_z4sfmcnwh1hwsxj
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Program Files\Yahoo! Games\FamilyFeud\FamilyFeud.exe:{A5152C30-2F2F-9BFE-66AB-731D4C293F2B}
Status: Visible to the Windows API, but not on disk.

Hidden Services
-------------------
Service Name: kbiwkmxjcxiwwk
Image Path: C:\WINDOWS\system32\drivers\kbiwkmpkbftivm.sys

==EOF==

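Added example, not part of the thread: a script that parses excerpts modelled on the MBAM and RootRepeal logs posted above and links the service key MBAM keeps deleting to the hidden service and driver image RootRepeal reports. The service and file names come from the logs themselves; the shared-prefix heuristic and the verdict string are assumptions about why the key regenerates.

```python
"""Cross-check MBAM detections against RootRepeal's 'Hidden Services' section.

Added example, not from the thread. A service key that MBAM deletes on every
scan but that an anti-rootkit scanner still reports as *hidden* is being kept
alive by a loaded driver, which is why it is back after each reboot.
"""
import ntpath
import re

# Constructed excerpts, modelled on the logs posted in this thread
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmxjcxiwwk (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kbiwkmqjpwmrqh.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\kbiwkmpkbftivm.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsaupdater.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

ROOTREPEAL_LOG = r"""
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Hidden Services
-------------------
Service Name: kbiwkmxjcxiwwk
Image Path: C:\WINDOWS\system32\drivers\kbiwkmpkbftivm.sys

==EOF==
"""

MBAM_ROW = re.compile(r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")


def parse_mbam(text):
    """Return MBAM detections as (section, item, family, action) tuples."""
    section, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(" Infected:"):        # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = MBAM_ROW.match(line)
        if m and section:
            rows.append((section, m["item"], m["family"], m["action"]))
    return rows


def parse_hidden_services(text):
    """Return {service_name: image_path} from RootRepeal's Hidden Services section."""
    services, current, active = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Hidden Services":
            active = True
            continue
        if not active or not line or set(line) == {"-"}:
            continue
        if line.startswith("Service Name:"):
            current = line.split(":", 1)[1].strip()
            services.setdefault(current, None)
        elif line.startswith("Image Path:") and current:
            services[current] = line.split(":", 1)[1].strip()
        else:
            break                               # next section header or ==EOF==
    return services


def correlate(mbam_rows, hidden_services):
    """Link each MBAM service-key detection to a hidden service and its driver."""
    mbam_files = {ntpath.basename(item).lower()
                  for sec, item, _, _ in mbam_rows if sec == "Files Infected"}
    findings = []
    for sec, item, family, _action in mbam_rows:
        if sec != "Registry Keys Infected" or "\\services\\" not in item.lower():
            continue
        svc = item.rsplit("\\", 1)[-1]
        image = hidden_services.get(svc)
        if image is None:
            continue
        prefix = svc[:6].lower()   # heuristic: the TDSS files above share one random prefix
        findings.append({
            "service": svc,
            "family": family,
            "driver": image,
            "driver_in_mbam_log": ntpath.basename(image).lower() in mbam_files,
            "related_files": sorted(f for f in mbam_files if f.startswith(prefix)),
            "verdict": "hidden service still present after the key was removed; "
                       "its driver is active and re-creating the key at boot",
        })
    return findings
```
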
#7 Blade

  • Site Admin

Posted 03 September 2009 - 06:06 PM

Is that MBAM entry still regenerating? You don't need to run a Full Scan. . . a Quick Scan should suffice.

~Blade

Edited by Blade Zephon, 03 September 2009 - 06:07 PM.



#8 friskysman


Posted 03 September 2009 - 07:43 PM

Yes, it's still showing up. I didn't take any action on it yet. Here is the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2732
Windows 5.1.2600 Service Pack 3

9/3/2009 8:41:22 PM
mbam-log-2009-09-03 (20-40-45).txt

Scan type: Quick Scan
Objects scanned: 90945
Time elapsed: 12 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmxjcxiwwk (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 Blade

  • Site Admin

Posted 03 September 2009 - 07:53 PM

Try and remove it, reboot, and quick scan one more time. No need to post the log this time, just let me know if it shows up again or not.

~Blade



#10 friskysman


Posted 03 September 2009 - 08:25 PM

Yep, it showed up again.

#11 Blade

  • Site Admin

Posted 03 September 2009 - 08:31 PM

:thumbsup: Something else is causing it to regenerate, which is really weird. I won't bore you with why though. :flowers:

We need to do another ARK scan.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
~Blade


In your next reply, please include the following:
GMER log



#12 friskysman


Posted 03 September 2009 - 09:21 PM

I was prompted to scan immediately upon starting GMER. At the end of scanning, a warning said "GMER has found system modification cause by ROOTKIT activity." Here's the log:

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-03 22:19:31
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF876587E] <-- ROOTKIT !!!
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF8765BFE] <-- ROOTKIT !!!

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xBAD2E4EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xBAD2E498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xBAD2E4AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xBAD2E597]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xBAD2E5C3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xBAD2E631]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xBAD2E61B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xBAD2E52A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xBAD2E65D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xBAD2E56D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xBAD2E470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xBAD2E484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xBAD2E4FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xBAD2E699]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xBAD2E605]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xBAD2E5EF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xBAD2E5AD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xBAD2E685]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xBAD2E671]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xBAD2E4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xBAD2E4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xBAD2E559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xBAD2E647]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xBAD2E540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xBAD2E514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP BAD2E518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP BAD2E571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP BAD2E5F3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP BAD2E4EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP BAD2E4C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP BAD2E69D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 7 Bytes JMP BAD2E635 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP BAD2E474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP BAD2E502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP BAD2E544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP BAD2E52E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP BAD2E4B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP BAD2E55D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP BAD2E488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP BAD2E661 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP BAD2E61F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP BAD2E5C7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP BAD2E59B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP BAD2E49C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD17 5 Bytes JMP BAD2E4DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064D9DA 7 Bytes JMP BAD2E64B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E300 7 Bytes JMP BAD2E609 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E77C 7 Bytes JMP BAD2E5B1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064EC71 1 Byte [E9]
PAGE ntoskrnl.exe!ZwRestoreKey 8064EC71 5 Bytes JMP BAD2E675 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F0DC 5 Bytes JMP BAD2E689 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B00076
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B00065
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B00F97
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B00FA8
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B00FCD
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B00F50
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B00098
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B00F24
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B00F35
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B00F13
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B00054
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B0000A
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B00087
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B0002F
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B00FDE
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B000B3
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AF0FC3
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AF0065
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AF0FD4
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AF0FA8
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AF0000
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AF004A
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AF0039
.text C:\WINDOWS\System32\svchost.exe[208] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A50027
.text C:\WINDOWS\System32\svchost.exe[208] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A50FA6
.text C:\WINDOWS\System32\svchost.exe[208] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A50FD2
.text C:\WINDOWS\System32\svchost.exe[208] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A50FE3
.text C:\WINDOWS\System32\svchost.exe[208] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A50FB7
.text C:\WINDOWS\System32\svchost.exe[208] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A50000
.text C:\WINDOWS\System32\svchost.exe[208] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00A3000A
.text C:\WINDOWS\System32\svchost.exe[208] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00A3001B
.text C:\WINDOWS\System32\svchost.exe[208] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\System32\svchost.exe[208] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00A30040
.text C:\WINDOWS\System32\svchost.exe[208] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A40000
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E10FEF
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E10080
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E10F81
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E1005B
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E10040
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E10FB9
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E10F42
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E10F53
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E100B9
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E10F20
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E100DE
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E10F9E
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E1000A
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E10F70
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E10025
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E10FD4
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E10F31
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E0001B
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E0006C
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E0000A
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E00FD4
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E00FB9
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E00FE5
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E00051
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E00040
.text C:\WINDOWS\System32\svchost.exe[308] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DF0FB2
.text C:\WINDOWS\System32\svchost.exe[308] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DF0FC3
.text C:\WINDOWS\System32\svchost.exe[308] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DF0029
.text C:\WINDOWS\System32\svchost.exe[308] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DF000C
.text C:\WINDOWS\System32\svchost.exe[308] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DF0FD4
.text C:\WINDOWS\System32\svchost.exe[308] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DF0FEF
.text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DE0FE5
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[564] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[564] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F6F
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0007005A
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F80
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F91
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0007002C
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F3C
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F4D
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700B0
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070095
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070EFC
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0007003D
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F5E
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070011
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F21
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060040
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F83
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060F9E
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FAF
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050F93
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FA4
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FB5
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FD2
.text C:\WINDOWS\system32\services.exe[904] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F7A
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0F8B
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0FA8
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0040
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F4E
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F5F
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF00D6
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF00BB
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0F18
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0051
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0014
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF008A
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0025
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FDE
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F33
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F68
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0F79
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE0025
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0FA8
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD003D
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0FB2
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD000C
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0FC3
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\lsass.exe[916] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A60000
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A60086
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A60075
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A60058
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A60F9B
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A6003D
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A60F80
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A600C8
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A60105
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A600F4
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A60116
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A60FB6
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A60011
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A600AB
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A60FD1
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A60022
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A600E3
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A50025
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A50FAF
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A50FD4
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A50FE5
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A50062
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A50000
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A50051
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A50040
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A40070
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A40FE5
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A4003A
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A4004B
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A40029
.text C:\WINDOWS\system32\svchost.exe[1080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A30000
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00910091
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00910076
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00910FA8
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00910065
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00910FCA
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00910F77
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009100BF
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009100FF
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009100EE
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00910F55
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00910FB9
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0091001B
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009100A2
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00910FDB
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0091002C
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00910F66
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00900036
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0090007D
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00900025
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0090006C
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0090005B
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00900FCA
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008F0062
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!system 77C293C7 5 Bytes JMP 008F0047
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008F001B
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008F0FE3
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008F0036
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008F0000
.text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008E0FEF
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 033A000A
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 033A00A4
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 033A0093
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 033A0078
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 033A0FB9
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 033A0FD4
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 033A00ED
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 033A00DC
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 033A0F72
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 033A0F83
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 033A0F57
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 033A005B
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 033A0FEF
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 033A00BF
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 033A0040
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 033A002F
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 033A0F94
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03390036
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03390F8A
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03390025
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0339000A
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03390047
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03390FEF
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03390FAF
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [59, 8B]
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03390FCA
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03380FBE
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!system 77C293C7 5 Bytes JMP 03380049
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03380FD9
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03380000
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03380038
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03380011
.text C:\WINDOWS\System32\svchost.exe[1220] WS2_32.dll!socket 71AB4211 3 Bytes JMP 03370000
.text C:\WINDOWS\System32\svchost.exe[1220] WS2_32.dll!socket + 4 71AB4215 1 Byte [91]
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 03360FE5
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 03360FCA
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 03360000
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 0336001B
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00690000
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00690F5C
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00690051
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00690F83
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00690F9E
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00690FAF
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00690F35
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0069007D
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00690EFF
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00690F10
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00690EE4
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00690036
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00690FE5
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0069006C
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00690FCA
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00690025
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00690098
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00680011
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00680F91
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00680000
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00680FD4
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00680044
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00680FE5
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00680033
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00680022
.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00670FAB
.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!system 77C293C7 5 Bytes JMP 00670036
.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00670FC6
.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00670000
.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0067001B
.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00670FE3
.text C:\WINDOWS\System32\svchost.exe[1288] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00660FEF
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DD0000
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DD0065
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DD0F70
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DD0F81
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DD0F9E
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DD0FB9
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DD0096
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DD0F44
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DD0F22
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DD0F33
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DD00CC
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DD0040
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DD0FE5
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DD0F55
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DD0FCA
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DD001B
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DD00A7
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DC0FD4
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DC0080
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DC0FE5
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DC001B
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DC0065
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DC0000
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DC0FC3
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FC, 88]
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DC0040
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60038
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60FAD
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C60FD2
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C60027
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C6000C
.text C:\WINDOWS\System32\svchost.exe[1476] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C50FE5
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01E20000
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01E2008E
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01E20F99
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01E2007D
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01E20062
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01E20FC0
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01E200D0
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01E200B3
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01E20106
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01E20F6D
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01E20F48
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01E20051
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01E20FDB
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01E20F88
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01E2002C
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01E20011
.text C:\WINDOWS\Explorer.EXE[1760] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01E200E1
.text C:\WINDOWS\Explorer.EXE[1760] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 017F0040
.text C:\WINDOWS\Explorer.EXE[1760] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 017F0FCA
.text C:\WINDOWS\Explorer.EXE[1760] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 017F0FE5
.text C:\WINDOWS\Explorer.EXE[1760] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 017F0011
.text C:\WINDOWS\Explorer.EXE[1760] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 017F007D
.text C:\WINDOWS\Explorer.EXE[1760] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 017F0000
.text C:\WINDOWS\Explorer.EXE[1760] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 017F006C
.text C:\WINDOWS\Explorer.EXE[1760] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 017F005B
.text C:\WINDOWS\Explorer.EXE[1760] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 017E0FA3
.text C:\WINDOWS\Explorer.EXE[1760] msvcrt.dll!system 77C293C7 5 Bytes JMP 017E002E
.text C:\WINDOWS\Explorer.EXE[1760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 017E0FD2
.text C:\WINDOWS\Explorer.EXE[1760] msvcrt.dll!_open 77C2F566 5 Bytes JMP 017E0000
.text C:\WINDOWS\Explorer.EXE[1760] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 017E001D
.text C:\WINDOWS\Explorer.EXE[1760] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 017E0FE3
.text C:\WINDOWS\Explorer.EXE[1760] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 017C000A
.text C:\WINDOWS\Explorer.EXE[1760] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 017C0FEF
.text C:\WINDOWS\Explorer.EXE[1760] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 017C0025
.text C:\WINDOWS\Explorer.EXE[1760] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 017C0FD4
.text C:\WINDOWS\Explorer.EXE[1760] WS2_32.dll!socket 71AB4211 5 Bytes JMP 017D0FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service system32\drivers\kbiwkmpkbftivm.sys (*** hidden *** ) [SYSTEM] kbiwkmxjcxiwwk <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk@imagepath \systemroot\system32\drivers\kbiwkmpkbftivm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\main\delete@C:\DOCUME~1\user1\LOCALS~1\Temp\kbiwkmfthtibfniv.tmp
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\main\delete@C:\DOCUME~1\user1\LOCALS~1\Temp\kbiwkmswtnemuecb.tmp
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmpkbftivm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmqjpwmrqh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmxlyarssd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmboscqxwp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\modules@kbiwkm.dat \systemroot\system32\kbiwkmdqvdktql.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk@imagepath \systemroot\system32\drivers\kbiwkmpkbftivm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\main@aid 10096
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\main\delete@C:\DOCUME~1\user1\LOCALS~1\Temp\kbiwkmfthtibfniv.tmp
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\main\delete@C:\DOCUME~1\user1\LOCALS~1\Temp\kbiwkmswtnemuecb.tmp
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmpkbftivm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmqjpwmrqh.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmxlyarssd.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmboscqxwp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\modules@kbiwkm.dat \systemroot\system32\kbiwkmdqvdktql.dat

---- EOF - GMER 1.0.15 ----
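
Editor's note on reading the log above, with an added example that is not part of the thread and not GMER's own code. Two things in the log deserve different weight. The long ".text ... 5 Bytes JMP" section shows inline hooks on the same API families (CreateFile, CreateProcess, WinExec, LoadLibrary, Reg*, socket) in every listed process; user-mode hooks of that shape can also be installed by a HIPS, and this machine has McAfee's mfehidk.sys (Host Intrusion Detection) attached to the filesystem stack, so that section alone does not prove infection. The unambiguous finding is the service GMER marks as hidden, whose registry config under Services\kbiwkmxjcxiwwk lists an imagepath, an "injector" DLL and a "modules" table of on-disk files in both control sets. The script below parses that log format offline (the regexes are inferred from the lines shown on the page), groups hooks per process, shows that all JMP targets in one process land in a few private 64 KiB pages (one hooking framework, not scattered patches), and extracts the file list an incident responder would collect before cleaning. The sample input is a handful of lines copied from the log above, embedded as a constructed string rather than read from a live scan.

```python
"""Offline triage of a GMER 1.0.15 log: hooks per process, hidden services,
and the on-disk files a hidden service's registry config points at.
Added example; not GMER's code. Parsing rules are inferred from the log format."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the log above, not a live scan.
SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DD0000
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DC0FC3
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FC, 88]
.text C:\WINDOWS\Explorer.EXE[1760] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 017C000A
.text C:\WINDOWS\Explorer.EXE[1760] WS2_32.dll!socket 71AB4211 5 Bytes JMP 017D0FEF

---- Services - GMER 1.0.15 ----

Service system32\drivers\kbiwkmpkbftivm.sys (*** hidden *** ) [SYSTEM] kbiwkmxjcxiwwk <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk@imagepath \systemroot\system32\drivers\kbiwkmpkbftivm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmpkbftivm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmxjcxiwwk\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmboscqxwp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmxjcxiwwk\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmpkbftivm.sys
"""

# ".text <image>[<pid>] <module>!<func>[ + off] <addr> <n> Byte(s) JMP <target> | [raw bytes]"
HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<func>\S+)"
    r"(?: \+ (?P<offset>\d+))? (?P<addr>[0-9A-F]{8}) (?P<nbytes>\d+) Bytes? "
    r"(?:JMP (?P<target>[0-9A-F]{8})|\[(?P<raw>[^\]]+)\])$")
HIDDEN_SVC_RE = re.compile(
    r"^Service (?P<path>\S+) \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)")
REG_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<svc>[^\\@]+)"
    r"(?P<sub>(?:\\[^@]+)?)@(?P<val>\S+)(?: (?P<data>.+))?$")


def parse_hooks(log):
    """One dict per '.text' line; 'target' is the JMP destination or None for a
    partial overwrite such as '1 Byte [E9]' (the first byte of a JMP rel32)."""
    hooks = []
    for line in log.splitlines():
        m = HOOK_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["offset"] = int(d["offset"] or 0)
        d["addr"] = int(d["addr"], 16)
        d["nbytes"] = int(d["nbytes"])
        d["target"] = int(d["target"], 16) if d["target"] else None
        hooks.append(d)
    return hooks


def hooks_by_process(hooks):
    """{(image, pid): {module: {func, ...}}}: which API families each process has hooked."""
    out = defaultdict(lambda: defaultdict(set))
    for h in hooks:
        out[(h["image"], h["pid"])][h["module"]].add(h["func"])
    return out


def trampoline_pages(hooks):
    """64 KiB pages the JMP targets land in, per process. Dozens of hooks sharing a
    few private pages (0x00DD0000, 0x00DC0000, ...) point to one injected hooking
    framework; that is true of a HIPS as well as of malware, so it is context, not proof."""
    pages = defaultdict(set)
    for h in hooks:
        if h["target"] is not None:
            pages[(h["image"], h["pid"])].add(h["target"] & 0xFFFF0000)
    return pages


def parse_hidden_services(log):
    """[(service name, driver path)] for every service GMER flags as hidden."""
    return [(m["name"], m["path"]) for m in map(HIDDEN_SVC_RE.match, log.splitlines()) if m]


def rootkit_files(log, service):
    """On-disk components named by the hidden service's registry config: its
    imagepath plus every value under 'modules', de-duplicated across control sets."""
    files = set()
    for line in log.splitlines():
        m = REG_RE.match(line)
        if not m or m["svc"] != service or not m["data"]:
            continue
        if m["val"].lower() == "imagepath" or m["sub"].lower() == r"\modules":
            files.add(m["data"].strip())
    return sorted(files)


def triage(log):
    hooks = parse_hooks(log)
    report = {"hooks": len(hooks), "processes": {}, "hidden": {}}
    for (image, pid), mods in hooks_by_process(hooks).items():
        report["processes"][f"{image}[{pid}]"] = {m: sorted(f) for m, f in mods.items()}
    for name, path in parse_hidden_services(log):
        report["hidden"][name] = {"driver": path, "files": rootkit_files(log, name)}
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a full GMER log by replacing SAMPLE_LOG with the file contents; the "files" list under each hidden service is what to copy off the disk (from a clean boot environment, since the driver hides them while loaded) before any cleanup tool rewrites them.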

#13 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:01:35 PM

Posted 03 September 2009 - 09:25 PM

You have a rootkit on your machine. With the information you have provided I believe you will need help from the malware removal team. Please read the information about getting started. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The HJT team is very busy, so it could be several days before you receive a reply. But rest assured, help is on the way!

Sorry I couldn't do more for you here; they'll be better equipped to help in HJT.

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#14 friskysman

friskysman
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 03 September 2009 - 10:14 PM

No need to apologize, Blade. I just appreciate your help. I've followed your instructions and posted a new thread here: http://www.bleepingcomputer.com/forums/t/255013/rootkittdss-infection/

Thanks again.

#15 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,963 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:35 PM

Posted 03 September 2009 - 11:06 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/255013/rootkittdss-infection/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



