Rootkit


  • This topic is locked
4 replies to this topic

#1 Ferdi83

Posted 07 September 2009 - 03:26 PM

Hi gentlemen,

My mom complained that Google was always redirecting all searches to a bogus site, travelsense-search. I ran HijackThis and then Malwarebytes Anti-Malware in safe mode. They got rid of almost everything, but the Google thing remains. There's a rootkit around and I don't know what to do.

I searched around the forum and found GMER; the log is below the HJT log. I'd appreciate any help with a little explanation so I can learn also. Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:25:34, on 8/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\DellTPad\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Arquivos de programas\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Arquivos de programas\Windows Live\Family Safety\fsui.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Arquivos de programas\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\DellTPad\HidFind.exe
C:\Arquivos de programas\DellTPad\Apntex.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Arquivos de programas\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Dell\QuickSet\NICCONFIGSVC.exe
C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Arquivos de programas\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Claro 3G\UIMain.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Downloads\Nova pasta (2)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com.br/ig/dell?hl=pt-BR&client=dell-row-rel&channel=br&ibd=0071218
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.br/ig/dell?hl=pt-BR&client=dell-row-rel&channel=br&ibd=0071218
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Apoint] C:\Arquivos de programas\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Arquivos de programas\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Arquivos de programas\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [fssui] "C:\Arquivos de programas\Windows Live\Family Safety\fsui.exe" -autorun
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Arquivos de programas\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61A08391-55F6-44F3-A4DD-178B16F6043A}: NameServer = 200.169.116.22 200.169.117.22
O17 - HKLM\System\CS5\Services\Tcpip\..\{61A08391-55F6-44F3-A4DD-178B16F6043A}: NameServer = 200.169.116.22 200.169.117.22
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: bersk.dll
O20 - Winlogon Notify: zdndcgr - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Arquivos de programas\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Serviço de transferência inteligente de plano de fundo (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Windows Live OneCare Proteção para a Família (fsssvc) - Unknown owner - C:\Arquivos de programas\Windows Live\Proteção para a Família\fsssvc.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Arquivos de programas\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Arquivos de programas\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Arquivos de programas\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: stllssvr - Unknown owner - C:\Arquivos de programas\Arquivos comuns\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Arquivos de programas\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Atualizações Automáticas (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 9584 bytes



GMER 1.0.15.15077 [1bbbklz2.exe] - http://www.gmer.net
Rootkit scan 2009-09-08 17:05:32
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT BA6CDBAC ZwCreateThread
SSDT BA6CDB98 ZwOpenProcess
SSDT BA6CDB9D ZwOpenThread
SSDT BA6CDBA7 ZwTerminateProcess
SSDT BA6CDBA2 ZwWriteVirtualMemory

Code 8AAA0500 pIofCallDriver

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[132] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 03B36DCE C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 03B372BA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 03B35BBB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 03B3737D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 03B3724D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 03B35AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03B373E3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 03B36C79 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 03B3595F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 03B361DA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 03B365B6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 03B36AEA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 03B3633F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 03B36261 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 03B362BB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03B36035 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 03B366AD C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 03B36A54 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 03B359B9 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 03B364E4 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 03B36EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 03B36F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 03B36725 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 03B37202 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 03B35C61 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 03B35BDA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 03B3718A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 03B36BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 03B3644C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 03B369D0 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 03B36135 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 03B37001 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 03B36D63 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 03B35E5A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 03B36E31 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 03B35F4C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 03B35A83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 03B37108 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 03B37236 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[132] USER32.dll!ExitWindowsEx 7E3AA275 5 Bytes JMP 03B371E7 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 00336DCE C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003372BA C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 00335BBB C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 0033737D C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 0033724D C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 00335AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 003373E3 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 00336C79 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 0033595F C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 003361DA C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 003365B6 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 00336AEA C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 0033633F C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 00336261 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 003362BB C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00336035 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 003366AD C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 00336A54 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 003359B9 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 003364E4 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 00336EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 00336F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 00336725 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 00337202 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 00335C61 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 00335BDA C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 0033718A C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 00336BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 0033644C C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 003369D0 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00336135 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 00337001 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 00336D63 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 00335E5A C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 00336E31 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 00335F4C C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 00335A83 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 00337108 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 00337236 C:\WINDOWS\system32\wxvault.dll
.text C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[1124] USER32.dll!ExitWindowsEx 7E3AA275 5 Bytes JMP 003371E7 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ligia\Desktop\1bbbklz2.exe[3636] USER32.dll!ExitWindowsEx 7E3AA275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll

---- Devices - GMER 1.0.15 ----

Device \Driver\NDIS \Device\Ndis [8A99F984] NDIS.sys[.reloc]
Device \Driver\Beep \Device\Beep 8A07CF00

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:1084] 8A07EF30
Thread System [4:1088] 8A07BE40

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\controlset003\Services\MRxDAV\EncryptedDirectories@
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset004\Services\MRxDAV\EncryptedDirectories@
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV\EncryptedDirectories@
Reg HKLM\SYSTEM\controlset006\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\controlset006\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset006\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset006\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset006\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\controlset006\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset006\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset006\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset006\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset006\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset006\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset006\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset006\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset006\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset006\Services\MRxDAV\EncryptedDirectories@

---- EOF - GMER 1.0.15 ----


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:28 AM

Posted 22 September 2009 - 05:15 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 Ferdi83

Ferdi83
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:28 AM

Posted 23 September 2009 - 06:16 PM

Etavares, thanks in advance for your reply.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Ligia at 20:12:08,09 on qua 23/09/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.55.1046.18.2038.1488 [GMT -3:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Arquivos de programas\DellTPad\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Arquivos de programas\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Arquivos de programas\Wave Systems Corp\SecureUpgrade.exe
C:\Arquivos de programas\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Arquivos de programas\Windows Live\Family Safety\fsui.exe
C:\Arquivos de programas\DellTPad\ApMsgFwd.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\DellTPad\HidFind.exe
C:\Arquivos de programas\IObit\Advanced SystemCare 3\AWC.exe
C:\Arquivos de programas\DellTPad\Apntex.exe
C:\Arquivos de programas\Dell\QuickSet\NICCONFIGSVC.exe
C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Arquivos de programas\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ligia\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com.br/hws/sb/dell-row-rel/pt-BR/side.html?channel=br
uDefault_Page_URL = www.google.com.br/ig/dell?hl=pt-BR&client=dell-row-rel&channel=br&ibd=0071218
uSearch Bar = hxxp://www.google.com.br/hws/sb/dell-row-rel/pt-BR/side.html?channel=br
mSearchAssistant = hxxp://www.google.com.br/hws/sb/dell-row-rel/pt-BR/side.html?channel=br
BHO: Facilitador de Leitor de Link Adobe PDF: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\arquivos de programas\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Auxiliar de Conexão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\arquivos de programas\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\arquivos de programas\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [AdobeUpdater] "c:\arquivos de programas\arquivos comuns\adobe\updater5\AdobeUpdater.exe"
mRun: [Apoint] c:\arquivos de programas\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\arquivos de programas\java\jre1.6.0_03\bin\jusched.exe"
mRun: [Dell QuickSet] c:\arquivos de programas\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\arquivos de programas\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [SecureUpgrade] c:\arquivos de programas\wave systems corp\SecureUpgrade.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Adobe Reader Speed Launcher] "c:\arquivos de programas\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [fssui] "c:\arquivos de programas\windows live\family safety\fsui.exe" -autorun
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [avgnt] "c:\arquivos de programas\avira\antivir personaledition classic\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [msnmsgr] "c:\arquivos de programas\windows live\messenger\msnmsgr.exe" /background
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\arquivos de programas\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\arquivos de programas\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\biolsp.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\arquiv~1\arquiv~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: bersk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\arquivos de programas\avira\antivir personaledition classic\avgio.sys [2009-6-23 11608]
R2 antivirscheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\arquivos de programas\avira\antivir personaledition classic\sched.exe [2009-6-23 68865]
R2 antivirservice;Avira AntiVir Personal - Free Antivirus Guard;c:\arquivos de programas\avira\antivir personaledition classic\avguard.exe [2009-6-23 151297]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\arquivos de programas\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 NwSapAgent;Agente SAP;c:\windows\system32\svchost.exe -k netsvcs [2004-9-17 14336]
R2 SeaPort;SeaPort;c:\arquivos de programas\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-9-17 5120]
R3 avgntflt;avgntflt;c:\arquivos de programas\avira\antivir personaledition classic\avgntflt.sys [2009-6-23 52056]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
S0 lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 9ff4ed2c;9ff4ed2c;c:\windows\system32\drivers\9ff4ed2c.sys [2009-6-5 0]
S1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
S1 avgmfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
S1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S1 efeb16d6;efeb16d6;c:\windows\system32\drivers\efeb16d6.sys [2009-6-15 0]
S2 avg8wd;AVG Free8 WatchDog;c:\arquiv~1\avg\avg8\avgwdsvc.exe --> c:\arquiv~1\avg\avg8\avgwdsvc.exe [?]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys --> c:\windows\system32\drivers\fssfltr.sys [?]
S2 fsssvc;Windows Live OneCare Proteção para a Família;"c:\arquivos de programas\windows live\proteção para a família\fsssvc.exe" --> c:\arquivos de programas\windows live\proteção para a família\fsssvc.exe [?]
S2 ias;Ias;c:\windows\system32\svchost.exe -k netsvcs [2004-9-17 14336]
S2 xwoarh;xwoarh;c:\windows\system32\drivers\xwoarh.sys [2009-9-28 175616]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-7 38160]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]

=============== Created Last 30 ================

2009-09-07 18:45 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-07 18:45 19,096 a------- c:\windows\system32\drivers\mbam.sys

==================== Find3M ====================

2009-07-20 09:18 724,992 a------- c:\windows\iun6002.exe
2009-09-24 19:14 32,768 a--sh--- c:\windows\system32\config\systemprofile\configurações locais\histórico\history.ie5\mshist012009091420090921\index.dat
2009-09-28 00:12 98,304 a--sh--- c:\windows\system32\config\systemprofile\configurações locais\histórico\history.ie5\mshist012009092120090928\index.dat
2009-09-28 20:39 65,536 a--sh--- c:\windows\system32\config\systemprofile\configurações locais\histórico\history.ie5\mshist012009092820090929\index.dat
2009-09-30 23:48 65,536 a--sh--- c:\windows\system32\config\systemprofile\configurações locais\histórico\history.ie5\mshist012009093020091001\index.dat
2009-10-01 23:00 81,920 a--sh--- c:\windows\system32\config\systemprofile\configurações locais\histórico\history.ie5\mshist012009100120091002\index.dat

============= FINISH: 20:12:24,20 ===============




#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:28 PM

Posted 28 September 2009 - 07:30 AM

Hello,

My name is Syler and I will be helping you to solve your Malware issues.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Next

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the Save button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Please post back here with the following logs:
  • MBAM log
  • Gmer log
  • log.txt
  • info.txt
Thanks



#5 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:28 PM

Posted 02 October 2009 - 07:33 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





