Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

MBR Rootkit problem


  • This topic is locked This topic is locked
6 replies to this topic

#1 HelenBach

HelenBach

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Location:United Kingdom
  • Local time:06:27 PM

Posted 10 January 2010 - 08:56 AM

This thing creates a new user 'HelpAssistant' which appears to duplicate data from the current user.

Here's what I've done prior to making this post:
  • Removed any found malware using up to date GDATA AntiVirus (linux based live CD)
  • Replaced %windir%\system32\drivers\atapi.sys with version from ServicePackFiles\i386
  • fixmbr
  • Boot into system and run tools to produce these logs
On this boot, obviously the MBR is re-infected ready to start working on its next reboot.

What do I need to do next to kill this thing for good?

Additionally, this is not my laptop, so I'm not in a position to start installing or uninstalling things unless absolutely necessary.

Thank you in advance for any help received.

Here's my DDS.txt file content:
CODE
DDS (Ver_09-12-01.01) - NTFSx86  
Run by New User at 10:41:18.51 on 10/01/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.958.469 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\New User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://www.google.co.uk/
uWindow Title = microsoft internet explorer
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://uk.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [EPSON Stylus C62 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles
mRun: [NokiaMusic FastStart] "c:\program files\nokia\nokia music\NokiaMusic.exe" /command:faststart
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\newuse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-system: DisableTaskMgr =
uPolicies-system: NoDispBackgroundPage =
uPolicies-system: NoDispSettingsPage =
uPolicies-system: NoDispAppearancePage =
IE: &Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: orange search - file://c:\program files\orange3\cache\SelectedContextSearch.htm
IE: {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - c:\microgaming\poker\ladbrokesmpp\MPPoker.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11D2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://www.king.com/ctl/kingcomie.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game10.zylom.com/activex/zylomgamesplayer.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} - hxxps://www.plaxo.com/activex/plx_upldr-2k-xp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-24 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-12-27 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-24 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-24 297752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-2-21 54752]
S2 gupdate1c98271297d9582;Google Update Service (gupdate1c98271297d9582);c:\program files\google\update\GoogleUpdate.exe [2009-1-30 133104]
S2 SDManager;SDManager;\??\c:\program files\spywaredetector\sdmanager.sys --> c:\program files\spywaredetector\SDManager.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2010-01-10 09:22:49    96512    ----a-w-    c:\windows\system32\drivers\atapi.sys
2009-12-13 18:02:19    0    d-----w-    c:\program files\Norton Security Scan

==================== Find3M  ====================

2009-11-22 19:56:07    230432    ----a-w-    C:\PA7302.DAT
2009-10-29 07:46:59    832512    ----a-w-    c:\windows\system32\wininet.dll
2009-10-29 07:46:52    78336    ----a-w-    c:\windows\system32\ieencode.dll
2009-10-29 07:46:50    17408    ----a-w-    c:\windows\system32\corpol.dll
2009-10-22 18:46:18    42432    ----a-w-    c:\docume~1\newuse~1\applic~1\GDIPFONTCACHEV1.DAT
2009-10-21 05:38:36    75776    ----a-w-    c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36    25088    ----a-w-    c:\windows\system32\httpapi.dll
2009-10-13 10:30:16    270336    ----a-w-    c:\windows\system32\oakley.dll
2009-10-12 13:38:19    149504    ----a-w-    c:\windows\system32\rastls.dll
2009-10-12 13:38:18    79872    ----a-w-    c:\windows\system32\raschap.dll
2006-10-02 13:31:15    278528    ----a-w-    c:\program files\common files\FDEUnInstaller.exe
2008-09-10 10:46:05    32768    --sha-w-    c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091020080911\index.dat

============= FINISH: 10:42:25.85 ===============

Also attached below are the other files as requested in the Preparation Guide.

Attached Files



BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:27 PM

Posted 16 January 2010 - 12:08 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 HelenBach

HelenBach
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Location:United Kingdom
  • Local time:06:27 PM

Posted 16 January 2010 - 03:27 PM

Thank you for making the time to take a look, however armed with information I'd read from the topics here I've since been able to resolve the problem.

I ran a full GMER scan, (as test.exe)
CODE
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-11 17:40:58
Windows 5.1.2600 Service Pack 3
Running: test.exe; Driver: C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\ufroqfod.sys


---- User code sections - GMER 1.0.15 ----

.text           C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[148] ADVAPI32.dll!CryptDestroyKey                                       77DE9EBC 7 Bytes  JMP 0368299A
.text           C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[148] ADVAPI32.dll!CryptDecrypt                                          77DEA129 7 Bytes  JMP 0368294A
.text           C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[148] ADVAPI32.dll!CryptEncrypt                                          77DEE360 7 Bytes  JMP 0368290E
.text           C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[148] WS2_32.dll!closesocket                                             71AB3E2B 5 Bytes  JMP 036828F2
.text           C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[148] WS2_32.dll!send                                                    71AB4C27 5 Bytes  JMP 0368277E
.text           C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[148] WS2_32.dll!WSARecv                                                 71AB4CB5 5 Bytes  JMP 03682870
.text           C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[148] WS2_32.dll!recv                                                    71AB676F 5 Bytes  JMP 036827B6
.text           C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[148] WS2_32.dll!WSASend                                                 71AB68FA 5 Bytes  JMP 036827EE
.text           C:\Program Files\Bonjour\mDNSResponder.exe[192] WS2_32.dll!closesocket                                    71AB3E2B 5 Bytes  JMP 007E28F2
.text           C:\Program Files\Bonjour\mDNSResponder.exe[192] WS2_32.dll!send                                           71AB4C27 5 Bytes  JMP 007E277E
.text           C:\Program Files\Bonjour\mDNSResponder.exe[192] WS2_32.dll!WSARecv                                        71AB4CB5 5 Bytes  JMP 007E2870
.text           C:\Program Files\Bonjour\mDNSResponder.exe[192] WS2_32.dll!recv                                           71AB676F 5 Bytes  JMP 007E27B6
.text           C:\Program Files\Bonjour\mDNSResponder.exe[192] WS2_32.dll!WSASend                                        71AB68FA 5 Bytes  JMP 007E27EE
.text           C:\Program Files\Bonjour\mDNSResponder.exe[192] ADVAPI32.dll!CryptDestroyKey                              77DE9EBC 7 Bytes  JMP 007E299A
.text           C:\Program Files\Bonjour\mDNSResponder.exe[192] ADVAPI32.dll!CryptDecrypt                                 77DEA129 7 Bytes  JMP 007E294A
.text           C:\Program Files\Bonjour\mDNSResponder.exe[192] ADVAPI32.dll!CryptEncrypt                                 77DEE360 7 Bytes  JMP 007E290E
.text           C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[396] ADVAPI32.dll!CryptDestroyKey  77DE9EBC 7 Bytes  JMP 0142299A
.text           C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[396] ADVAPI32.dll!CryptDecrypt     77DEA129 7 Bytes  JMP 0142294A
.text           C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[396] ADVAPI32.dll!CryptEncrypt     77DEE360 7 Bytes  JMP 0142290E
.text           C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[396] WS2_32.dll!closesocket        71AB3E2B 5 Bytes  JMP 014228F2
.text           C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[396] WS2_32.dll!send               71AB4C27 5 Bytes  JMP 0142277E
.text           C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[396] WS2_32.dll!WSARecv            71AB4CB5 5 Bytes  JMP 01422870
.text           C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[396] WS2_32.dll!recv               71AB676F 5 Bytes  JMP 014227B6
.text           C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[396] WS2_32.dll!WSASend            71AB68FA 5 Bytes  JMP 014227EE
.text           C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[788] ADVAPI32.dll!CryptDestroyKey          77DE9EBC 7 Bytes  JMP 014B299A
.text           C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[788] ADVAPI32.dll!CryptDecrypt             77DEA129 7 Bytes  JMP 014B294A
.text           C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[788] ADVAPI32.dll!CryptEncrypt             77DEE360 7 Bytes  JMP 014B290E
.text           C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[788] WS2_32.dll!closesocket                71AB3E2B 5 Bytes  JMP 014B28F2
.text           C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[788] WS2_32.dll!send                       71AB4C27 5 Bytes  JMP 014B277E
.text           C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[788] WS2_32.dll!WSARecv                    71AB4CB5 5 Bytes  JMP 014B2870
.text           C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[788] WS2_32.dll!recv                       71AB676F 5 Bytes  JMP 014B27B6
.text           C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[788] WS2_32.dll!WSASend                    71AB68FA 5 Bytes  JMP 014B27EE
.text           C:\Program Files\Common Files\Real\Update_OB\realsched.exe[832] ADVAPI32.dll!CryptDestroyKey              77DE9EBC 7 Bytes  JMP 00E9299A
.text           C:\Program Files\Common Files\Real\Update_OB\realsched.exe[832] ADVAPI32.dll!CryptDecrypt                 77DEA129 7 Bytes  JMP 00E9294A
.text           C:\Program Files\Common Files\Real\Update_OB\realsched.exe[832] ADVAPI32.dll!CryptEncrypt                 77DEE360 7 Bytes  JMP 00E9290E
.text           C:\Program Files\Common Files\Real\Update_OB\realsched.exe[832] WS2_32.dll!closesocket                    71AB3E2B 5 Bytes  JMP 00E928F2
.text           C:\Program Files\Common Files\Real\Update_OB\realsched.exe[832] WS2_32.dll!send                           71AB4C27 5 Bytes  JMP 00E9277E
.text           C:\Program Files\Common Files\Real\Update_OB\realsched.exe[832] WS2_32.dll!WSARecv                        71AB4CB5 5 Bytes  JMP 00E92870
.text           C:\Program Files\Common Files\Real\Update_OB\realsched.exe[832] WS2_32.dll!recv                           71AB676F 5 Bytes  JMP 00E927B6
.text           C:\Program Files\Common Files\Real\Update_OB\realsched.exe[832] WS2_32.dll!WSASend                        71AB68FA 5 Bytes  JMP 00E927EE
.text           C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe[976] ADVAPI32.dll!CryptDestroyKey                    77DE9EBC 7 Bytes  JMP 01D7299A
.text           C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe[976] ADVAPI32.dll!CryptDecrypt                       77DEA129 7 Bytes  JMP 01D7294A
.text           C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe[976] ADVAPI32.dll!CryptEncrypt                       77DEE360 7 Bytes  JMP 01D7290E
.text           C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe[976] WS2_32.dll!closesocket                          71AB3E2B 5 Bytes  JMP 01D728F2
.text           C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe[976] WS2_32.dll!send                                 71AB4C27 5 Bytes  JMP 01D7277E
.text           C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe[976] WS2_32.dll!WSARecv                              71AB4CB5 5 Bytes  JMP 01D72870
.text           C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe[976] WS2_32.dll!recv                                 71AB676F 5 Bytes  JMP 01D727B6
.text           C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe[976] WS2_32.dll!WSASend                              71AB68FA 5 Bytes  JMP 01D727EE
.text           C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[1168] ADVAPI32.dll!CryptDestroyKey                    77DE9EBC 7 Bytes  JMP 006C299A
.text           C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[1168] ADVAPI32.dll!CryptDecrypt                       77DEA129 7 Bytes  JMP 006C294A
.text           C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[1168] ADVAPI32.dll!CryptEncrypt                       77DEE360 7 Bytes  JMP 006C290E
.text           C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[1168] WS2_32.dll!closesocket                          71AB3E2B 5 Bytes  JMP 006C28F2
.text           C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[1168] WS2_32.dll!send                                 71AB4C27 5 Bytes  JMP 006C277E
.text           C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[1168] WS2_32.dll!WSARecv                              71AB4CB5 5 Bytes  JMP 006C2870
.text           C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[1168] WS2_32.dll!recv                                 71AB676F 5 Bytes  JMP 006C27B6
.text           C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[1168] WS2_32.dll!WSASend                              71AB68FA 5 Bytes  JMP 006C27EE
.text           C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1272] ADVAPI32.dll!CryptDestroyKey                                   77DE9EBC 7 Bytes  JMP 00E0299A
.text           C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1272] ADVAPI32.dll!CryptDecrypt                                      77DEA129 7 Bytes  JMP 00E0294A
.text           C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1272] ADVAPI32.dll!CryptEncrypt                                      77DEE360 7 Bytes  JMP 00E0290E
.text           C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1272] WS2_32.dll!closesocket                                         71AB3E2B 5 Bytes  JMP 00E028F2
.text           C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1272] WS2_32.dll!send                                                71AB4C27 5 Bytes  JMP 00E0277E
.text           C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1272] WS2_32.dll!WSARecv                                             71AB4CB5 5 Bytes  JMP 00E02870
.text           C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1272] WS2_32.dll!recv                                                71AB676F 5 Bytes  JMP 00E027B6
.text           C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1272] WS2_32.dll!WSASend                                             71AB68FA 5 Bytes  JMP 00E027EE
.text           C:\WINDOWS\system32\Ati2evxx.exe[1280] ADVAPI32.dll!CryptDestroyKey                                       77DE9EBC 7 Bytes  JMP 010A299A
.text           C:\WINDOWS\system32\Ati2evxx.exe[1280] ADVAPI32.dll!CryptDecrypt                                          77DEA129 7 Bytes  JMP 010A294A
.text           C:\WINDOWS\system32\Ati2evxx.exe[1280] ADVAPI32.dll!CryptEncrypt                                          77DEE360 7 Bytes  JMP 010A290E
.text           C:\WINDOWS\system32\Ati2evxx.exe[1280] WS2_32.dll!closesocket                                             71AB3E2B 5 Bytes  JMP 010A28F2
.text           C:\WINDOWS\system32\Ati2evxx.exe[1280] WS2_32.dll!send                                                    71AB4C27 5 Bytes  JMP 010A277E
.text           C:\WINDOWS\system32\Ati2evxx.exe[1280] WS2_32.dll!WSARecv                                                 71AB4CB5 5 Bytes  JMP 010A2870
.text           C:\WINDOWS\system32\Ati2evxx.exe[1280] WS2_32.dll!recv                                                    71AB676F 5 Bytes  JMP 010A27B6
.text           C:\WINDOWS\system32\Ati2evxx.exe[1280] WS2_32.dll!WSASend                                                 71AB68FA 5 Bytes  JMP 010A27EE
.text           C:\WINDOWS\Explorer.EXE[1424] ADVAPI32.dll!CryptDestroyKey                                                77DE9EBC 7 Bytes  JMP 01A2299A
.text           C:\WINDOWS\Explorer.EXE[1424] ADVAPI32.dll!CryptDecrypt                                                   77DEA129 7 Bytes  JMP 01A2294A
.text           C:\WINDOWS\Explorer.EXE[1424] ADVAPI32.dll!CryptEncrypt                                                   77DEE360 7 Bytes  JMP 01A2290E
.text           C:\WINDOWS\Explorer.EXE[1424] WS2_32.dll!closesocket                                                      71AB3E2B 5 Bytes  JMP 01A228F2
.text           C:\WINDOWS\Explorer.EXE[1424] WS2_32.dll!send                                                             71AB4C27 5 Bytes  JMP 01A2277E
.text           C:\WINDOWS\Explorer.EXE[1424] WS2_32.dll!WSARecv                                                          71AB4CB5 5 Bytes  JMP 01A22870
.text           C:\WINDOWS\Explorer.EXE[1424] WS2_32.dll!recv                                                             71AB676F 5 Bytes  JMP 01A227B6
.text           C:\WINDOWS\Explorer.EXE[1424] WS2_32.dll!WSASend                                                          71AB68FA 5 Bytes  JMP 01A227EE
.text           C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe[2012] ADVAPI32.dll!CryptDestroyKey       77DE9EBC 7 Bytes  JMP 00F8299A
.text           C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe[2012] ADVAPI32.dll!CryptDecrypt          77DEA129 7 Bytes  JMP 00F8294A
.text           C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe[2012] ADVAPI32.dll!CryptEncrypt          77DEE360 7 Bytes  JMP 00F8290E
.text           C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe[2012] WS2_32.dll!closesocket             71AB3E2B 5 Bytes  JMP 00F828F2
.text           C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe[2012] WS2_32.dll!send                    71AB4C27 5 Bytes  JMP 00F8277E
.text           C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe[2012] WS2_32.dll!WSARecv                 71AB4CB5 5 Bytes  JMP 00F82870
.text           C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe[2012] WS2_32.dll!recv                    71AB676F 5 Bytes  JMP 00F827B6
.text           C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe[2012] WS2_32.dll!WSASend                 71AB68FA 5 Bytes  JMP 00F827EE
.text           C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2324] WS2_32.dll!closesocket                                              71AB3E2B 5 Bytes  JMP 011628F2
.text           C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2324] WS2_32.dll!send                                                     71AB4C27 5 Bytes  JMP 0116277E
.text           C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2324] WS2_32.dll!WSARecv                                                  71AB4CB5 5 Bytes  JMP 01162870
.text           C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2324] WS2_32.dll!recv                                                     71AB676F 5 Bytes  JMP 011627B6
.text           C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2324] WS2_32.dll!WSASend                                                  71AB68FA 5 Bytes  JMP 011627EE
.text           C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2324] ADVAPI32.dll!CryptDestroyKey                                        77DE9EBC 7 Bytes  JMP 0116299A
.text           C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2324] ADVAPI32.dll!CryptDecrypt                                           77DEA129 7 Bytes  JMP 0116294A
.text           C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2324] ADVAPI32.dll!CryptEncrypt                                           77DEE360 7 Bytes  JMP 0116290E
.text           C:\WINDOWS\System32\alg.exe[2616] ADVAPI32.dll!CryptDestroyKey                                            77DE9EBC 7 Bytes  JMP 00A7299A
.text           C:\WINDOWS\System32\alg.exe[2616] ADVAPI32.dll!CryptDecrypt                                               77DEA129 7 Bytes  JMP 00A7294A
.text           C:\WINDOWS\System32\alg.exe[2616] ADVAPI32.dll!CryptEncrypt                                               77DEE360 7 Bytes  JMP 00A7290E
.text           C:\WINDOWS\System32\alg.exe[2616] WS2_32.dll!closesocket                                                  71AB3E2B 5 Bytes  JMP 00A728F2
.text           C:\WINDOWS\System32\alg.exe[2616] WS2_32.dll!send                                                         71AB4C27 5 Bytes  JMP 00A7277E
.text           C:\WINDOWS\System32\alg.exe[2616] WS2_32.dll!WSARecv                                                      71AB4CB5 5 Bytes  JMP 00A72870
.text           C:\WINDOWS\System32\alg.exe[2616] WS2_32.dll!recv                                                         71AB676F 5 Bytes  JMP 00A727B6
.text           C:\WINDOWS\System32\alg.exe[2616] WS2_32.dll!WSASend                                                      71AB68FA 5 Bytes  JMP 00A727EE
.text           C:\Program Files\iTunes\iTunesHelper.exe[2976] ADVAPI32.dll!CryptDestroyKey                               77DE9EBC 7 Bytes  JMP 00F2299A
.text           C:\Program Files\iTunes\iTunesHelper.exe[2976] ADVAPI32.dll!CryptDecrypt                                  77DEA129 7 Bytes  JMP 00F2294A
.text           C:\Program Files\iTunes\iTunesHelper.exe[2976] ADVAPI32.dll!CryptEncrypt                                  77DEE360 7 Bytes  JMP 00F2290E
.text           C:\Program Files\iTunes\iTunesHelper.exe[2976] WS2_32.dll!closesocket                                     71AB3E2B 5 Bytes  JMP 00F228F2
.text           C:\Program Files\iTunes\iTunesHelper.exe[2976] WS2_32.dll!send                                            71AB4C27 5 Bytes  JMP 00F2277E
.text           C:\Program Files\iTunes\iTunesHelper.exe[2976] WS2_32.dll!WSARecv                                         71AB4CB5 5 Bytes  JMP 00F22870
.text           C:\Program Files\iTunes\iTunesHelper.exe[2976] WS2_32.dll!recv                                            71AB676F 5 Bytes  JMP 00F227B6
.text           C:\Program Files\iTunes\iTunesHelper.exe[2976] WS2_32.dll!WSASend                                         71AB68FA 5 Bytes  JMP 00F227EE
.text           C:\Program Files\iPod\bin\iPodService.exe[3464] ADVAPI32.dll!CryptDestroyKey                              77DE9EBC 7 Bytes  JMP 00B2299A
.text           C:\Program Files\iPod\bin\iPodService.exe[3464] ADVAPI32.dll!CryptDecrypt                                 77DEA129 7 Bytes  JMP 00B2294A
.text           C:\Program Files\iPod\bin\iPodService.exe[3464] ADVAPI32.dll!CryptEncrypt                                 77DEE360 7 Bytes  JMP 00B2290E
.text           C:\Program Files\iPod\bin\iPodService.exe[3464] WS2_32.dll!closesocket                                    71AB3E2B 5 Bytes  JMP 00B228F2
.text           C:\Program Files\iPod\bin\iPodService.exe[3464] WS2_32.dll!send                                           71AB4C27 5 Bytes  JMP 00B2277E
.text           C:\Program Files\iPod\bin\iPodService.exe[3464] WS2_32.dll!WSARecv                                        71AB4CB5 5 Bytes  JMP 00B22870
.text           C:\Program Files\iPod\bin\iPodService.exe[3464] WS2_32.dll!recv                                           71AB676F 5 Bytes  JMP 00B227B6
.text           C:\Program Files\iPod\bin\iPodService.exe[3464] WS2_32.dll!WSASend                                        71AB68FA 5 Bytes  JMP 00B227EE
.text           C:\Program Files\Messenger\msmsgs.exe[3724] ADVAPI32.dll!CryptDestroyKey                                  77DE9EBC 7 Bytes  JMP 00B1299A
.text           C:\Program Files\Messenger\msmsgs.exe[3724] ADVAPI32.dll!CryptDecrypt                                     77DEA129 7 Bytes  JMP 00B1294A
.text           C:\Program Files\Messenger\msmsgs.exe[3724] ADVAPI32.dll!CryptEncrypt                                     77DEE360 7 Bytes  JMP 00B1290E
.text           C:\Program Files\Messenger\msmsgs.exe[3724] WS2_32.dll!closesocket                                        71AB3E2B 5 Bytes  JMP 00B128F2
.text           C:\Program Files\Messenger\msmsgs.exe[3724] WS2_32.dll!send                                               71AB4C27 5 Bytes  JMP 00B1277E
.text           C:\Program Files\Messenger\msmsgs.exe[3724] WS2_32.dll!WSARecv                                            71AB4CB5 5 Bytes  JMP 00B12870
.text           C:\Program Files\Messenger\msmsgs.exe[3724] WS2_32.dll!recv                                               71AB676F 5 Bytes  JMP 00B127B6
.text           C:\Program Files\Messenger\msmsgs.exe[3724] WS2_32.dll!WSASend                                            71AB68FA 5 Bytes  JMP 00B127EE
.text           C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3904] ADVAPI32.dll!CryptDestroyKey       77DE9EBC 7 Bytes  JMP 0106299A
.text           C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3904] ADVAPI32.dll!CryptDecrypt          77DEA129 7 Bytes  JMP 0106294A
.text           C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3904] ADVAPI32.dll!CryptEncrypt          77DEE360 7 Bytes  JMP 0106290E
.text           C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3904] WS2_32.dll!closesocket             71AB3E2B 5 Bytes  JMP 010628F2
.text           C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3904] WS2_32.dll!send                    71AB4C27 5 Bytes  JMP 0106277E
.text           C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3904] WS2_32.dll!WSARecv                 71AB4CB5 5 Bytes  JMP 01062870
.text           C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3904] WS2_32.dll!recv                    71AB676F 5 Bytes  JMP 010627B6
.text           C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3904] WS2_32.dll!WSASend                 71AB68FA 5 Bytes  JMP 010627EE
.text           C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3964] ADVAPI32.dll!CryptDestroyKey                          77DE9EBC 7 Bytes  JMP 00FC299A
.text           C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3964] ADVAPI32.dll!CryptDecrypt                             77DEA129 7 Bytes  JMP 00FC294A
.text           C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3964] ADVAPI32.dll!CryptEncrypt                             77DEE360 7 Bytes  JMP 00FC290E
.text           C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3964] WS2_32.dll!closesocket                                71AB3E2B 5 Bytes  JMP 00FC28F2
.text           C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3964] WS2_32.dll!send                                       71AB4C27 5 Bytes  JMP 00FC277E
.text           C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3964] WS2_32.dll!WSARecv                                    71AB4CB5 5 Bytes  JMP 00FC2870
.text           C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3964] WS2_32.dll!recv                                       71AB676F 5 Bytes  JMP 00FC27B6
.text           C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3964] WS2_32.dll!WSASend                                    71AB68FA 5 Bytes  JMP 00FC27EE
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3980] ADVAPI32.dll!CryptDestroyKey                          77DE9EBC 7 Bytes  JMP 0103299A
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3980] ADVAPI32.dll!CryptDecrypt                             77DEA129 7 Bytes  JMP 0103294A
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3980] ADVAPI32.dll!CryptEncrypt                             77DEE360 7 Bytes  JMP 0103290E
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3980] WS2_32.dll!closesocket                                71AB3E2B 5 Bytes  JMP 010328F2
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3980] WS2_32.dll!send                                       71AB4C27 5 Bytes  JMP 0103277E
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3980] WS2_32.dll!WSARecv                                    71AB4CB5 5 Bytes  JMP 01032870
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3980] WS2_32.dll!recv                                       71AB676F 5 Bytes  JMP 010327B6
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3980] WS2_32.dll!WSASend                                    71AB68FA 5 Bytes  JMP 010327EE

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                                                                   SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1                                                                   SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device                                                                                                                    ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                 avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                 fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3                                                               861D2448
Device          \Driver\atapi \Device\Ide\IdePort0                                                                        861D2448
Device          \Driver\atapi \Device\Ide\IdePort1                                                                        861D2448
Device          \Driver\atapi \Device\Ide\IdePort2                                                                        861D2448
Device          \Driver\atapi \Device\Ide\IdePort3                                                                        861D2448
Device                                                                                                                    atapi.sys (IDE/ATAPI Port Driver/Microsoft Corporation)
Device                                                                                                                    861D2448

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                 avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                 fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                               avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                               fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device          \FileSystem\Cdfs \Cdfs                                                                                    DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Disk sectors - GMER 1.0.15 ----

Disk            \Device\Harddisk0\DR0                                                                                     sector 00: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----
Then ran its sister tool mbr.exe and allowed it to restore the MBR
CODE
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x860cc738
NDIS: Atheros AR5005G Wireless Network Adapter -> SendCompleteHandler -> 0x85a4c4c0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x04A847ED
malicious code @ sector 0x04A847F0 !
PE file found in sector at 0x04A84806 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

original MBR restored successfully !
Then I rebooted the system and performed a full Dr.Web CureIt scan.
This was all it found:
CODE
C:\Program Files\Orange\setup\Orange_icons.EXE - archive BINARYRES
>C:\Program Files\Orange\setup\Orange_icons.EXE/data001 packed by ZLIB
>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001 - archive BINARYRES
>>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001/data001 - OK
>>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001/data002 - archive CAB
>>>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001/data002/uninstall.exe is an adware Adware.Xbarre
>>>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001/data002/orange3.dll - OK
>>>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001/data002/toolbar.ini - OK
>>>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001/data002/orange3tb0401.cfg - OK
>>>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001/data002/popup.cur - OK
>>>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001/data002/wdoo_highlighter.bmp - OK
>>>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001/data002/popup_blocker_site.bmp - OK
>>>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001/data002/popup_blocker_on.bmp - OK
>>>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001/data002/popup_blocker_off.bmp - OK
>>>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001/data002/search.bmp - OK
>>>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001/data002/orange_logo_antialiasing.bmp - OK
>>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001/data002 - archive contains infected objects
>>C:\Program Files\Orange\setup\Orange_icons.EXE/data001 - archive contains infected objects
C:\Program Files\Orange\setup\Orange_icons.EXE - archive contains infected objects - moved

C:\Program Files\orange3\uninstall.exe is an adware Adware.Xbarre

C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE - archive BINARYRES
>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001 packed by ZLIB
>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001 - archive BINARYRES
>>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001/data001 - OK
>>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001/data002 - archive CAB
>>>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001/data002/uninstall.exe is an adware Adware.Xbarre
>>>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001/data002/orange3.dll - OK
>>>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001/data002/toolbar.ini - OK
>>>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001/data002/orange3tb0401.cfg - OK
>>>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001/data002/popup.cur - OK
>>>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001/data002/wdoo_highlighter.bmp - OK
>>>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001/data002/popup_blocker_site.bmp - OK
>>>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001/data002/popup_blocker_on.bmp - OK
>>>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001/data002/popup_blocker_off.bmp - OK
>>>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001/data002/search.bmp - OK
>>>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001/data002/orange_logo_antialiasing.bmp - OK
>>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001/data002 - archive contains infected objects
>>C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE/data001 - archive contains infected objects
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP701\A0112014.EXE - archive contains infected objects - moved

-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Scanned: 301678
Infected: 0
Modifications: 0
Suspicious: 0
Adware: 3
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 0
Cured: 0
Deleted: 0
Renamed: 0
Moved: 2
Ignored: 0
Scan speed: 83 Kb/s
Scan time: 12:39:50
-----------------------------------------------------------------------------

C:\Program Files\orange3\uninstall.exe - deleted

=============================================================================
Total session statistics
=============================================================================
Scanned: 310306
Infected: 0
Modifications: 0
Suspicious: 0
Adware: 3
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 0
Cured: 0
Deleted: 1
Renamed: 0
Moved: 2
Ignored: 0
Scan speed: 73 Kb/s
Scan time: 13:03:10
=============================================================================
I just finished off with some general housekeeping.


It appears that using the fixmbr methods I was already using was only replacing the first sector or the MBR. This sector was subsequently being replaced again by an infected copy elsewhere within the MBR during boot up. mbr.exe appears to have fixed all infected sectors as opposed to just the first one!

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:27 PM

Posted 16 January 2010 - 05:07 PM

Hi,

please don't use quote- or code-tags when posting logs. It makes them much harder to read. Just paste the logs in. smile.gif

Happy to hear that you have been able to resolve your problems on your own. smile.gif Do you want to do a check of the system or should I close the topic?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 HelenBach

HelenBach
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Location:United Kingdom
  • Local time:06:27 PM

Posted 16 January 2010 - 05:25 PM

The PC was checked prior to my post here, the only issue was the MBR rootkit which has now been rectified. I am happy for you to close the topic.

I'd be interested to know however what you'd consider a suitable time to use either quote or code boxes, if not to define a boundary between the actual message and the output from the programs. I chose 'code' for this forum simply because its header was easier to distinguish within the Forum background/colour scheme.

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:27 PM

Posted 16 January 2010 - 05:46 PM

Hi,

this is not a strict rule or a restriction. I personally find it easier to read the black on light blue, than dark blue on white. Since I would also be the one going over the logs, I asked for you not to do so. You can, of course, still post the logs in code-tags if you wish.

Personally I use code-tags as a destinction between my instructions and "code" that needs to be copied into a certain program. In that case code-tags are necessary cause it may be essential to keep track of the number of spaces or formatting for example.
CODE
example      .exe

is not the same as example .exe. However the board-software would automatically replace multiple spaces by only one space.

And I use quote-tags to cite someone's question, so the question can easily be referenced.

But as said above: no tags is simply my preferred way of seeing the logs and it may well be that with other helpers or other boards have different views on that.


I'll keep the topic open for another day, in case you want to reply once more, if not I'll close it tomorrow.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:27 PM

Posted 23 January 2010 - 08:27 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users