
Possible Rootkits


34 replies to this topic

#1 Drunk Programmer

Posted 22 January 2010 - 12:52 AM

Hi,

A few weeks ago, I got a bad rootkit infection from TVShack.net. It prevented me from using any of my security programs, including MalwareBytes Anti-Malware and McAfee. However, I was able to get into safe mode and manually delete a lot of the files and registry items that belonged to it. This rootkit pretended to be a fake security program called Security Central. I also used Revo Uninstaller to get rid of Security Central itself. Finally, in regular mode, I was able to use MalwareBytes and McAfee to get rid of the remainder of this malware. Everything went back to normal.

Then, this past Sunday, I did a routine scan with MalwareBytes. I started scanning right before I went to sleep. When I woke up, I saw that MalwareBytes had only found one item, but McAfee found a bunch of items, including trojans and rootkits. Some of the items were actually MalwareBytes, so I thought the two programs had conflicted. Prior to the scan, I had no problems. However, after the scan, I had some bad malware infection, where Task Manager was disabled, among other things. It turned out to be the Netsky 32 Worm or whatever it's called. I believe that McAfee may have let items out of MalwareBytes' quarantine, lol.

This malware changed my desktop background and redirected some of my searches in Google. It also brought up occasional pop-ups in my browser. I ended up deleting some of the known files that belonged to the malware and running System Restore (I restored to a few days earlier). Then I did some scans and looked for more hostile files and deleted them. I was able to get rid of everything except the occasional pop-ups and search redirects. It took me several days more to find the source of the problem: atapi.sys had been modified by the malware. I then proceeded to delete atapi.sys from this computer and then copied atapi.sys from a clean computer and put it on here. All the problems seem to have gone away, but I'm still uncertain of whether the malware is completely gone. Thus, I have come here.

Here is a log of my scan with GMER (which I did a few hours earlier today):
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2010-01-21 12:07:21
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwrcqfoc.sys


---- System - GMER 1.0.15 ----

SSDT 89E4B0F0 ZwAllocateVirtualMemory
SSDT 89E12240 ZwCreateKey
SSDT 89DF81C8 ZwCreateProcess
SSDT 89E4AC08 ZwCreateProcessEx
SSDT 89E11248 ZwCreateThread
SSDT 89E122C8 ZwDeleteKey
SSDT 89E34668 ZwDeleteValueKey
SSDT 89E0FAE8 ZwQueueApcThread
SSDT 89DF7850 ZwReadVirtualMemory
SSDT 89E4B2C8 ZwRenameKey
SSDT 89D5D270 ZwSetContextThread
SSDT 89E0FBB0 ZwSetInformationKey
SSDT 89E34900 ZwSetInformationProcess
SSDT 89DF7118 ZwSetInformationThread
SSDT 89E0FCB0 ZwSetValueKey
SSDT 89E361E8 ZwSuspendProcess
SSDT 89E318A0 ZwSuspendThread
SSDT 89E34020 ZwTerminateProcess
SSDT 89E54108 ZwTerminateThread
SSDT 89DF78C8 ZwWriteVirtualMemory

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA849C8B3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA849C907]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA849C827]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA849C8C7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA849C91D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA849C8F1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2E5C 80503C30 4 Bytes CALL A4DA1D2F
.text ntkrnlpa.exe!ZwCallbackReturn + 2F80 80503D54 8 Bytes CALL 20DA20BA
.text ntkrnlpa.exe!ZwYieldExecution 80503FE8 7 Bytes JMP A849C8F5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577ED2 5 Bytes JMP A849C8B7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0A7C 7 Bytes JMP A849C90B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B188A 5 Bytes JMP A849C921 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B6E60 7 Bytes JMP A849C8CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806234C6 5 Bytes JMP A849C82B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00BD0FEF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00BD00B8
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00BD009D
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00BD008C
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00BD006F
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BD0054
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00BD00F0
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00BD00DF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BD0112
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BD0101
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00BD0F68
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00BD0FCD
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00BD000A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00BD0FA8
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00BD002F
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00BD0FDE
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00BD0F8D
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00BC0FB2
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00BC0039
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00BC0FC3
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00BC0FDE
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00BC0F86
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00BC0FEF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00BC001E
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00BC0F97
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0FB2
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB003D
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0FD7
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0000
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB002C
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0011
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[652] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E80078
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E80F83
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E80067
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E80FA8
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E80FD4
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E8009F
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E80F57
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E80F3C
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E800D5
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00E80F2B
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00E80FB9
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00E80014
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00E80F68
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00E80040
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00E80025
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00E800BA
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00A1001B
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00A1007D
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00A10FCA
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00A10062
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00A10051
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00A1002C
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A00FA8
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A00033
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A00011
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A00022
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A00FD7
.text C:\WINDOWS\system32\services.exe[892] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 009E000A
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00D9000A
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00D90F80
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00D9007F
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00D9006E
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00D90051
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00D90FB9
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00D900B2
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00D900A1
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D90F19
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D90F3E
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00D90F08
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00D90040
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00D90090
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00D90FD4
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00D90025
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00D90F59
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00D8001B
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00D80F68
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00D8000A
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00D80FD4
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00D80F83
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00D80F9E
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00D80FAF
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D70042
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D70FB7
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D70FD2
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D7000C
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D7001D
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\lsass.exe[904] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00830FE5
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00830051
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00830F5C
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00830040
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00830F83
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0083001B
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00830089
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00830F37
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00830F26
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008300BF
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008300D0
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00830F9E
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00830FD4
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00830062
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00830FB9
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00830000
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 0083009A
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00820FD1
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00820058
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0082002C
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00820011
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00820047
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00820000
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00820FA5
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00820FC0
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00810F9E
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!system 77C293C7 5 Bytes JMP 00810029
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00810FDE
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00810000
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00810FC3
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00810FEF
.text C:\WINDOWS\system32\svchost.exe[1112] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009F0F66
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009F005B
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009F004A
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009F0F97
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009F0FB2
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009F0F55
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009F009D
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009F00EE
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009F00C9
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 009F0F3A
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 009F0039
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 009F0FDE
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 009F0076
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 009F001E
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 009F0FC3
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 009F00B8
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 009E0FD4
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 009E006F
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 009E0025
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 009E0FA8
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 009E000A
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 009E004A
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 009E0FC3
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009D005D
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!system 77C293C7 5 Bytes JMP 009D0FC8
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009D002E
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009D0000
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009D0FD9
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009D001D
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 009C0000
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0217000A
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02170F79
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02170078
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0217005D
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02170F94
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02170FAF
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02170F4B
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02170093
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 021700D0
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 021700BF
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 02170F1C
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 02170036
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 02170FEF
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 02170F68
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 02170FD4
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 02170025
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 021700AE
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 02160FD1
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0216006C
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0216002C
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 0216001B
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 02160FAF
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 02160000
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 02160047
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 02160FC0
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0215001D
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!system 77C293C7 5 Bytes JMP 02150F92
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02150FB7
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02150FEF
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0215000C
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02150FD2
.text C:\WINDOWS\System32\svchost.exe[1220] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02100FEF
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 02140FE5
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 02140FD4
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 02140FB9
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 02140FA8
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00650F5C
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00650F81
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00650F9E
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0065005B
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00650FB9
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00650098
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00650087
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006500C7
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00650F24
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00650F13
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0065004A
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00650076
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00650025
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00650FD4
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00650F35
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00640FAF
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00640F68
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00640FCA
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 0064002F
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00640F8D
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00640F9E
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00630053
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!system 77C293C7 5 Bytes JMP 00630042
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00630FD2
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00630027
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0063000C
.text C:\WINDOWS\system32\svchost.exe[1596] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00620000
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00710000
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0071007D
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00710F88
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00710FA3
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0071006C
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0071003D
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00710F50
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00710F61
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00710EFF
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00710F1A
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00710EEE
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00710FC0
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0071001B
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 0071008E
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00710FD1
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 0071002C
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00710F2B
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00700FDB
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00700F8D
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0070002C
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00700011
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00700F9E
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00700000
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00700FB9
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00700FCA
.text C:\WINDOWS\system32\svchost.exe[1620] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006F003A
.text C:\WINDOWS\system32\svchost.exe[1620] msvcrt.dll!system 77C293C7 5 Bytes JMP 006F0029
.text C:\WINDOWS\system32\svchost.exe[1620] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006F0FD4
.text C:\WINDOWS\system32\svchost.exe[1620] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\system32\svchost.exe[1620] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006F0FC3
.text C:\WINDOWS\system32\svchost.exe[1620] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006F0018
.text C:\WINDOWS\system32\svchost.exe[1620] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008E0FEF
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008E0091
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008E006C
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008E0F92
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008E0051
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008E002F
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008E00D8
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008E00BD
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008E0F64
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008E0F75
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008E0F53
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 008E0040
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 008E000A
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 008E00AC
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 008E0FC3
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 008E0FDE
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008E00F3
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00650F94
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00650FB9
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00650FD4
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00650051
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00650036
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00650025
.text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00640FB2
.text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!system 77C293C7 5 Bytes JMP 0064003D
.text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00640018
.text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00640FCD
.text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00640FDE
.text C:\WINDOWS\system32\svchost.exe[1972] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1972] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00630011
.text C:\WINDOWS\system32\svchost.exe[1972] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00630FD1
.text C:\WINDOWS\system32\svchost.exe[1972] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00630FB6
.text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00620000
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00DF0000
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00DF00BF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00DF00A4
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00DF0087
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00DF0076
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00DF004A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00DF0F83
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00DF0F94
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DF0101
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DF00F0
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00DF011C
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00DF005B
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00DF0FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00DF0FA5
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00DF0FDE
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00DF002F
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00DF0F72
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00DE0FC3
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00DE0051
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00DE0FD4
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00DE000A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00DE0F9E
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00DE0FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00DE0040
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00DE002F
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DD0F6E
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DD0F89
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DD0FAB
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DD0FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DD0F9A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DD0FC6
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2040] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C9007A
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C90F8F
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C90069
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C90058
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C90047
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C900B7
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C900A6
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C900F4
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C900E3
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00C90105
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00C90FB6
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00C90000
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00C90095
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00C90036
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00C9001B
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00C900D2
.text C:\WINDOWS\Explorer.EXE[2072] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0F8B
.text C:\WINDOWS\Explorer.EXE[2072] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0F9C
.text C:\WINDOWS\Explorer.EXE[2072] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FC8
.text C:\WINDOWS\Explorer.EXE[2072] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0000
.text C:\WINDOWS\Explorer.EXE[2072] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FAD
.text C:\WINDOWS\Explorer.EXE[2072] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FE3
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00C8002C
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00C80069
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00C8001B
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00C80FE5
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00C80058
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00C8000A
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00C80047
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00C80FC0
.text C:\WINDOWS\Explorer.EXE[2072] SHELL32.dll!SHFileOperationW 7CA6FDEE 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\WINDOWS\Explorer.EXE[2072] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[2072] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00BD001B
.text C:\WINDOWS\Explorer.EXE[2072] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\Explorer.EXE[2072] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00BD0FC0
.text C:\WINDOWS\Explorer.EXE[2072] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B008E
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0073
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0062
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0051
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0025
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B00B5
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0F6D
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B0F37
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B0F48
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001B0F1C
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001B0040
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001B0F7E
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001B00C6
.text C:\WINDOWS\system32\wuauclt.exe[3224] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0029005A
.text C:\WINDOWS\system32\wuauclt.exe[3224] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290049
.text C:\WINDOWS\system32\wuauclt.exe[3224] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0029001D
.text C:\WINDOWS\system32\wuauclt.exe[3224] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\wuauclt.exe[3224] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0029002E
.text C:\WINDOWS\system32\wuauclt.exe[3224] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0029000C
.text C:\WINDOWS\system32\wuauclt.exe[3224] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 002A001B
.text C:\WINDOWS\system32\wuauclt.exe[3224] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 002A0F9B
.text C:\WINDOWS\system32\wuauclt.exe[3224] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 002A0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3224] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 002A000A
.text C:\WINDOWS\system32\wuauclt.exe[3224] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 002A0058
.text C:\WINDOWS\system32\wuauclt.exe[3224] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3224] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 002A003D
.text C:\WINDOWS\system32\wuauclt.exe[3224] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 002A002C
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[3260] kernel32.dll!CreateThread + 1A 7C810661 4 Bytes CALL 00450771 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[4176] ntdll.dll!KiUserExceptionDispatcher + 9 7C90E485 5 Bytes JMP 00017DB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[4176] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00016000 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[4176] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 000169B0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[4176] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00016000 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[4176] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00016960 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[4176] kernel32.dll!VirtualFree 7C809AF4 5 Bytes JMP 00016990 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 89D5C5B0
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 89D5C6A8
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 89D5C6A8
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 89D5C5B0
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 89D5C5B0
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 89D5C6A8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 89D5C6A8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 89D5C5B0
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 89D5C6A8
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 89D5C5B0
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 89D5C6A8
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 89D5C6A8
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 89D5C5B0

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Ip 88FFBD98

AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Tcp 88FFBD98

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Udp 88FFBD98

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\RawIp 88FFBD98

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\IPMULTICAST 88FFBD98
Device \FileSystem\Fastfat \Fat A7846C8A

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----
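As an added triage aid that is not part of the original post and not code from GMER or any tool named in this thread: a small Python parser for the user-mode hook lines in the log above. It groups the hooks by process and separates those whose JMP/CALL target GMER could attribute to a module on disk (the UnlockerHook.dll and Spy Sweeper entries) from those it could not, then reports which exports are hooked without attribution in every affected process. The sample lines are excerpted from the log above; the function names and the line format assumed by the regular expression are my own reading of that log.

```python
import re

# One GMER user-mode hook line, in the shape seen in the log above (assumed format):
#   .text <process>[<pid>] <dll>!<export>[ + <hexoff>] <addr> <n> Bytes <JMP|CALL> <target> [<owner path> (<description>)]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<dll>[^\s!]+)!(?P<export>\S+)(?:\s+\+\s+(?P<offset>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<owner>[A-Za-z]:\\.*?)(?:\s+\((?P<desc>.*)\))?)?\s*$"
)

# Constructed sample: a handful of lines excerpted from the GMER log above,
# plus two non-hook lines the parser must ignore.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0071001B
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00700FDB
.text C:\WINDOWS\system32\svchost.exe[1620] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006E0000
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00C90000
.text C:\WINDOWS\Explorer.EXE[2072] SHELL32.dll!SHFileOperationW 7CA6FDEE 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\WINDOWS\Explorer.EXE[2072] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CE0FEF
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[3260] kernel32.dll!CreateThread + 1A 7C810661 4 Bytes CALL 00450771 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 89D5C6A8
"""


def parse_hook_line(line):
    """Return a dict for one user-mode hook line, or None for any other line."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    hook = m.groupdict()
    hook["pid"] = int(hook["pid"])
    hook["size"] = int(hook["size"])
    return hook


def parse_gmer(text):
    """Parse every hook line in a GMER log dump; other sections are skipped."""
    return [h for h in (parse_hook_line(l) for l in text.splitlines()) if h]


def triage(hooks):
    """Group hooks per process; count hooks GMER attributed to a module on disk
    (keyed by the owner's file name) separately from hooks it could not attribute."""
    report = {}
    for h in hooks:
        key = f'{h["process"]}[{h["pid"]}]'
        entry = report.setdefault(key, {"unattributed": 0, "attributed": {}, "exports": []})
        entry["exports"].append(f'{h["dll"]}!{h["export"]}')
        if h["owner"] is None:
            entry["unattributed"] += 1
        else:
            owner_name = h["owner"].rsplit("\\", 1)[-1]
            entry["attributed"][owner_name] = entry["attributed"].get(owner_name, 0) + 1
    return report


def common_unattributed_exports(hooks):
    """Exports hooked without attribution in *every* process that has such hooks.
    A large, identical set across unrelated processes points to one system-wide
    hooking component rather than per-process injection."""
    per_process = {}
    for h in hooks:
        if h["owner"] is None:
            per_process.setdefault((h["process"], h["pid"]), set()).add(f'{h["dll"]}!{h["export"]}')
    if not per_process:
        return set()
    return set.intersection(*per_process.values())


if __name__ == "__main__":
    hooks = parse_gmer(SAMPLE_LOG)
    for proc, entry in triage(hooks).items():
        print(f"{proc}: {entry['unattributed']} unattributed, attributed={entry['attributed']}")
    print("hooked without attribution in every affected process:",
          sorted(common_unattributed_exports(hooks)))
```

Run against the full log, the unattributed set is the same API family (CreateFile, VirtualProtect, LoadLibrary, CreateProcess, WinExec, the RegOpenKey/RegCreateKey functions, system/_open, socket, InternetOpen) in svchost.exe, Explorer.EXE, FrameworkService.exe and wuauclt.exe alike, which is what a host intrusion prevention component installs in every process (the McAfee VirusScan Enterprise drivers in the Devices section are the likely origin here) and agrees with the later reply in this thread that the log shows no rootkit. The script only surfaces the pattern; deciding what a hook belongs to stays with the analyst.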



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:19 PM

Posted 22 January 2010 - 09:43 AM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Please describe the issues you are experiencing with your computer.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 Drunk Programmer

Drunk Programmer
  • Topic Starter

  • Members
  • 17 posts
  • Local time:02:19 PM

Posted 22 January 2010 - 01:13 PM

Actually, I did post a log. I posted a GMER log!

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:19 PM

Posted 22 January 2010 - 01:23 PM

A GMER log doesn't count. At least this one doesn't show a rootkit.

If replacing atapi.sys indeed fixed the problem, you had a nasty rootkit. You might want to consider changing personal information, like passwords or online banking information.

For now, please run MBAM, update it first and run a quick scan.

McAfee most likely detected quarantined items (it's known for that). These are no longer a threat, so nothing to worry about.

regards, Elise


#5 Drunk Programmer

Drunk Programmer
  • Topic Starter

  • Members
  • 17 posts
  • Local time:02:19 PM

Posted 23 January 2010 - 08:16 PM

Both Quick Scan and Full Scan with MBAM came back negative. Nothing found.

However, previously, MBAM completely failed to detect the rootkit in atapi.sys. The only reason I became suspicious of atapi.sys was because I noticed it had been modified during the time of infection. I then searched it up in Google and found people had similar symptoms. But, like I said before, this was part of a much larger infection (apparently caused by quarantined items being let out) and I want to be sure nothing else has been infected.

Edited by Drunk Programmer, 23 January 2010 - 10:08 PM.
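The heuristic in the post above (a system driver whose modification time falls inside the infection window) and the remedy that worked (comparing against a copy taken from a clean computer) can be turned into a repeatable baseline check. The following Python is an added example, not code from this thread or from any of the tools mentioned in it: the driver bytes, hashes and timestamps are constructed, the infection window of 16 to 19 January 2010 is an assumption taken from the dates in the thread, and the function names are my own.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """SHA-256 of a file, read in chunks so a large driver is not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drivers(driver_dir, baseline, window_start, window_end):
    """Compare every driver named in `baseline` (file name -> known-good SHA-256)
    with the copy found in `driver_dir`.

    Two independent signals are reported per file:
      hash_mismatch      - the bytes on disk differ from the known-good hash
      modified_in_window - the mtime falls inside the suspected infection window
    A file missing from driver_dir is reported as present=False and a mismatch.
    """
    start_ts, end_ts = window_start.timestamp(), window_end.timestamp()
    findings = {}
    for name, good_hash in baseline.items():
        path = os.path.join(driver_dir, name)
        if not os.path.exists(path):
            findings[name] = {"present": False, "hash_mismatch": True, "modified_in_window": False}
            continue
        mtime = os.stat(path).st_mtime
        findings[name] = {
            "present": True,
            "hash_mismatch": sha256_file(path) != good_hash,
            "modified_in_window": start_ts <= mtime <= end_ts,
        }
    return findings


def demo():
    """Constructed scenario (no real driver bytes): atapi.sys patched and
    touched during the window, ndis.sys untouched, one baseline entry absent."""
    clean_atapi = b"CLEAN ATAPI DRIVER IMAGE (constructed)"
    clean_ndis = b"CLEAN NDIS DRIVER IMAGE (constructed)"
    baseline = {
        "atapi.sys": hashlib.sha256(clean_atapi).hexdigest(),
        "ndis.sys": hashlib.sha256(clean_ndis).hexdigest(),
        "missing.sys": hashlib.sha256(b"never written (constructed)").hexdigest(),
    }
    window_start = datetime(2010, 1, 16, tzinfo=timezone.utc)   # assumed window
    window_end = datetime(2010, 1, 19, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        # atapi.sys: bytes altered and timestamp inside the window
        p = os.path.join(d, "atapi.sys")
        with open(p, "wb") as f:
            f.write(clean_atapi + b" + appended code (constructed)")
        t = datetime(2010, 1, 17, 3, 0, tzinfo=timezone.utc).timestamp()
        os.utime(p, (t, t))
        # ndis.sys: identical to baseline, timestamp long before the window
        p = os.path.join(d, "ndis.sys")
        with open(p, "wb") as f:
            f.write(clean_ndis)
        t = datetime(2009, 1, 1, tzinfo=timezone.utc).timestamp()
        os.utime(p, (t, t))
        return check_drivers(d, baseline, window_start, window_end)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two caveats matter in practice. A modification time is trivial to forge, so the hash comparison is the signal to trust and the timestamp only narrows where to look. And a kernel-mode rootkit can hand the original bytes to anything that reads the file on the infected system, so the hash must be taken with the infected disk mounted from a clean boot environment or, as the poster did, compared against a copy from a clean machine rather than trusted from inside the running system.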


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:19 PM

Posted 24 January 2010 - 09:18 AM

QUOTE
I then proceeded to delete atapi.sys from this computer and then copied atapi.sys from a clean computer and put it on here.

This is a stand-alone rootkit, and a very nasty one at that. By replacing atapi.sys you got rid of the rootkit. The other malware often comes bundled with this rootkit to protect itself.

The rootkit is gone now, but I want you to consider the following information first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please let me know.

regards, Elise


#7 Drunk Programmer

Drunk Programmer
  • Topic Starter

  • Members
  • 17 posts
  • Local time:02:19 PM

Posted 24 January 2010 - 04:08 PM

Well, I have had McAfee and MalwareBytes to begin with, well before the infection. I also had an outdated version of Spy Sweeper (it's now up to date).

What does this clean-up process entail?

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:19 PM

Posted 24 January 2010 - 04:12 PM

The cleanup means we are going to check that everything that needs to be gone is indeed gone, as well as check some other programs that need to be installed and/or up to date.

To underline, the rootkit is gone, but malware always likes to invite friends, and without a proper check-up it's difficult to say if everything is gone.

regards, Elise


#9 Drunk Programmer

Drunk Programmer
  • Topic Starter

  • Members
  • 17 posts
  • Local time:02:19 PM

Posted 24 January 2010 - 08:28 PM

Ok. Let's do this.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:19 PM

Posted 25 January 2010 - 05:33 AM

I will move our topic to the HJT forum, so we can use more advanced tools.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


#11 Drunk Programmer

Drunk Programmer
  • Topic Starter

  • Members
  • 17 posts
  • Local time:02:19 PM

Posted 27 January 2010 - 12:07 AM

Hey, sorry for the delay. The last two days, I've had basically no time.

I've attached the zipped file with attach.txt and here is DDS.txt:



DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 23:52:24.89 on Tue 01/26/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1193 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
mRun: [Dell QuickSet] "c:\program files\dell\quickset\quickset.exe"
mRun: [ShowLOMControl] 1 (0x1)
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [SigmatelSysTrayApp] "stsystra.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DLA] "c:\windows\system32\dla\DLACTRLW.EXE"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoSecCPL = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145463550984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\PR19.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7pi9x4nw.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-1-24 144704]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-1-24 31816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-4-19 103744]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-1-24 54608]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2010-1-18 1201640]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-12-8 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-12-8 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-12-8 171400]
S0 wjvw;wjvw;c:\windows\system32\drivers\mvdxo.sys --> c:\windows\system32\drivers\mvdxo.sys [?]

=============== Created Last 30 ================

2010-01-20 16:00:57 0 d-----w- c:\program files\CCleaner
2010-01-20 15:59:02 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-01-20 15:59:02 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-20 06:31:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-01-20 06:31:56 0 d-----w- c:\program files\Hitman Pro 3.5
2010-01-19 04:57:10 0 d-----w- c:\program files\MSSOAP
2010-01-19 04:56:31 1563008 ----a-w- c:\windows\WRSetup.dll
2010-01-19 04:55:56 164 ----a-w- c:\windows\install.dat
2010-01-18 21:41:02 5120 --sha-w- c:\windows\system32\Thumbs.db
2010-01-18 03:02:29 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-18 03:01:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-18 02:55:26 0 d-----w- c:\program files\Trend Micro
2010-01-06 04:17:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-06 01:16:24 0 d-----w- c:\windows\ServicePackFiles
2010-01-05 09:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 09:54:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-05 09:54:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 04:42:38 0 d-----w- c:\program files\VS Revo Group
2010-01-05 04:35:00 0 d-----w- c:\program files\Unlocker
2010-01-04 08:25:27 0 d-----w- C:\My Music
2010-01-04 08:21:28 0 d-----w- c:\program files\common files\xing shared

==================== Find3M ====================

2003-04-08 15:12:28 603 ----a-w- c:\program files\UIS.lnk

============= FINISH: 23:52:49.76 ===============


#12 Elise


Posted 27 January 2010 - 02:42 AM

A few things show that do not belong there, let's get them out.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#13 Drunk Programmer


Posted 27 January 2010 - 08:37 PM

Here it is:


ComboFix 10-01-27.03 - Administrator 01/27/2010 20:28:13.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1413 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\SET4A4.tmp
c:\program files\Internet Explorer\SET4A9.tmp
c:\program files\Internet Explorer\SET65F.tmp
c:\program files\Internet Explorer\SET660.tmp
c:\program files\Internet Explorer\SET662.tmp
c:\program files\Internet Explorer\SETB6.tmp
c:\program files\Internet Explorer\SETBB.tmp
c:\program files\Internet Explorer\SETD9.tmp
c:\program files\Internet Explorer\SETDE.tmp
c:\recycler\S-1-5-21-1212110941-3042049927-548862028-1010
c:\recycler\S-1-5-21-1212110941-3042049927-548862028-500
c:\recycler\S-1-5-21-324393018-3044101946-2876211970-1006
c:\recycler\S-1-5-21-324393018-3044101946-2876211970-500
c:\recycler\S-1-5-21-3431160446-2208809833-2363236810-500
c:\recycler\S-1-5-21-3976602036-348467884-1527051443-1016
c:\recycler\S-1-5-21-3976602036-348467884-1527051443-500
c:\recycler\S-1-5-21-4264696173-2412583336-844889163-500
c:\recycler\S-1-5-21-83346099-709747681-1615115034-500
c:\recycler\S-1-5-21-842925246-1409082233-725345543-1003
c:\recycler\S-1-5-21-842925246-1409082233-725345543-500
c:\recycler\S-1-5-21-869919605-1715635640-2147312762-500
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 )))))))))))))))))))))))))))))))
.

2010-01-27 08:54 . 1997-10-29 02:57 20480 ----a-w- c:\windows\system32\KBDRUPH.DLL
2010-01-27 08:49 . 2010-01-27 08:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\MSKLC
2010-01-27 08:49 . 2010-01-27 08:49 -------- d-----w- c:\program files\Microsoft Keyboard Layout Creator 1.4
2010-01-20 16:00 . 2010-01-20 16:00 -------- d-----w- c:\program files\CCleaner
2010-01-20 15:59 . 2004-08-12 13:17 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-01-20 15:59 . 2004-08-12 13:17 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-20 06:31 . 2010-01-20 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-01-20 06:31 . 2010-01-20 06:49 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-01-20 01:24 . 2010-01-20 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-19 23:47 . 2010-01-19 23:47 144160 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\uninstall.exe
2010-01-19 23:47 . 2010-01-20 06:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks
2010-01-19 04:57 . 2010-01-19 04:57 -------- d-----w- c:\program files\MSSOAP
2010-01-19 04:56 . 2009-11-06 20:19 1563008 ----a-w- c:\windows\WRSetup.dll
2010-01-19 04:55 . 2010-01-19 04:56 164 ----a-w- c:\windows\install.dat
2010-01-18 03:02 . 2010-01-18 03:02 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-18 03:01 . 2010-01-18 07:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-18 02:55 . 2010-01-18 02:55 -------- d-----w- c:\program files\Trend Micro
2010-01-16 09:12 . 2010-01-16 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-06 04:17 . 2010-01-06 04:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-06 04:16 . 2010-01-06 04:16 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-06 04:15 . 2010-01-06 04:15 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-06 01:16 . 2010-01-06 01:16 -------- d-----w- c:\windows\ServicePackFiles
2010-01-05 09:54 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 09:54 . 2010-01-05 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-05 09:54 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 09:25 . 2010-01-05 09:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Webroot
2010-01-05 04:42 . 2010-01-05 04:42 -------- d-----w- c:\program files\VS Revo Group
2010-01-05 04:35 . 2010-01-05 04:38 -------- d-----w- c:\program files\Unlocker
2010-01-04 08:25 . 2010-01-04 08:25 -------- d-----w- C:\My Music
2010-01-04 08:21 . 2010-01-04 08:21 -------- d-----w- c:\program files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 08:49 . 2006-04-21 17:35 67088 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-27 08:05 . 2009-05-26 20:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-01-27 05:07 . 2009-05-26 20:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-01-19 23:47 . 2009-12-10 21:23 4183416 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
2010-01-19 05:06 . 2006-07-28 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-01-06 04:16 . 2006-04-19 18:20 -------- d-----w- c:\program files\Java
2010-01-04 08:22 . 2006-04-19 18:31 -------- d-----w- c:\program files\Common Files\Real
2009-12-23 09:39 . 2009-12-23 09:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-17 21:01 . 2009-12-17 21:01 -------- d-----w- c:\program files\MSECache
2009-12-10 19:27 . 2009-12-10 19:27 97144 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-11-21 16:36 . 2004-08-04 12:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-06 17:00 . 2006-07-28 17:15 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-11-06 17:00 . 2006-07-28 17:15 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-11-06 17:00 . 2009-11-06 17:00 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2003-04-08 15:12 . 2006-04-19 18:27 603 ----a-w- c:\program files\UIS.lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-02-20 839680]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 397312]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-06 149280]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-04 198160]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Zend\\ZendStudioClient-5.0.0\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\eclipse-java-ganymede-SR1-win32\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8081:TCP"= 8081:TCP:ePO (TCP)
"8081:UDP"= 8081:UDP:ePO (UDP)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [1/18/2010 11:57 PM 1201640]
S0 wjvw;wjvw;c:\windows\system32\drivers\mvdxo.sys --> c:\windows\system32\drivers\mvdxo.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2010-01-27 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7pi9x4nw.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\UninstFl.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-01-27 20:33:53
ComboFix-quarantined-files.txt 2010-01-28 01:33

Pre-Run: 57,631,989,760 bytes free
Post-Run: 57,807,929,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2A01C4AAA041A27FB487B9AD0774B4F0

#14 Elise


Posted 28 January 2010 - 07:15 AM

Hello,

UPDATE JAVA
------------------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
Driver::
wjvw

File::
c:\windows\system32\drivers\mvdxo.sys

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


regards, Elise
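The triage that leads from the DDS "SERVICES / DRIVERS" lines in the earlier log to the CF-script in this post, as an added example in Python that is not part of this thread or of the DDS/ComboFix tools: it parses driver lines in the layout the logs use, flags an entry whose image file the scanner reported as missing (the trailing "[?]" after "-->", which this example assumes is DDS's missing-file marker) and whose service name does not match its image name, and emits the Driver::/File:: script in the form shown above. The sample lines are constructed from entries in the logs above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the DDS "SERVICES / DRIVERS" layout seen in the logs above:
#   <state> <service name>;<display name>;<image path> [<date> <size>]
# or, when the image is not on disk (assumed meaning of "[?]"):
#   <state> <service name>;<display name>;<image path> --> <image path> [?]
SAMPLE_LOG = r"""
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-12-8 72936]
S0 wjvw;wjvw;c:\windows\system32\drivers\mvdxo.sys --> c:\windows\system32\drivers\mvdxo.sys [?]
"""

# R = running, S = stopped, P = pending; the digit is the start type (0 = boot start).
LINE_RE = re.compile(
    r"^(?P<state>[RSP]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)


@dataclass
class DriverEntry:
    state: str        # e.g. "S0": stopped, boot-start
    name: str         # service key name
    display: str      # display name (a vendor string for most legitimate drivers)
    path: str         # image path as recorded in the registry
    file_found: bool  # False when the line ends in "[?]" (assumed: image not on disk)


def parse_driver_line(line: str) -> Optional[DriverEntry]:
    """Parse one service/driver line; return None for lines in another layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").rstrip()
    file_found = not rest.endswith("[?]")
    # A missing image is printed as "<path> --> <path> [?]"; keep the registry path
    # and drop the trailing "[date size]" block from a normal line.
    path = rest.split(" --> ", 1)[0]
    path = re.sub(r"\s+\[[^\]]*\]$", "", path).strip()
    return DriverEntry(m.group("state"), m.group("name"), m.group("display"),
                       path, file_found)


def parse_driver_section(text: str) -> List[DriverEntry]:
    """Collect every line of the section that parses as a driver/service entry."""
    entries = []
    for line in text.splitlines():
        e = parse_driver_line(line)
        if e is not None:
            entries.append(e)
    return entries


def image_stem(path: str) -> str:
    """'c:\\windows\\system32\\drivers\\mvdxo.sys' -> 'mvdxo'."""
    base = path.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def suspicious_reasons(e: DriverEntry) -> List[str]:
    """Heuristics applied by eye when reading such a log.

    Only the missing-image condition is strong on its own. A name that differs from
    the image file is common for legitimate services too (McAfeeFramework runs
    FrameworkService.exe in the same log), so it is reported as a hint, not acted on.
    """
    reasons = []
    if not e.file_found:
        reasons.append("image file not found on disk")
    if image_stem(e.path) != e.name.lower():
        reasons.append("service name differs from image file name")
    return reasons


def removal_candidates(entries: List[DriverEntry]) -> List[DriverEntry]:
    """Entries worth putting in a CF-script: the image the service points at is gone."""
    return [e for e in entries if not e.file_found]


def build_cfscript(entries: List[DriverEntry]) -> str:
    """Emit the Driver::/File:: layout used in this thread for the flagged entries."""
    bad = removal_candidates(entries)
    lines = ["Driver::"] + [e.name for e in bad] + ["", "File::"] + [e.path for e in bad]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_driver_section(SAMPLE_LOG)
    for entry in parsed:
        flags = suspicious_reasons(entry)
        print(f"{entry.state} {entry.name:<10} {entry.path}  {'; '.join(flags) or 'ok'}")
    print()
    print(build_cfscript(parsed))
```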


#15 Drunk Programmer


Posted 28 January 2010 - 05:16 PM

Ok, done.

Do you suggest that I disable Java Quick Starter? What would be the reason to do so?

Also, here is the log:


ComboFix 10-01-28.02 - Administrator 01/28/2010 16:51:32.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1476 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::
"c:\windows\system32\drivers\mvdxo.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_wjvw


((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 )))))))))))))))))))))))))))))))
.

2010-01-28 18:56 . 2010-01-28 18:56 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 08:54 . 1997-10-29 02:57 20480 ----a-w- c:\windows\system32\KBDRUPH.DLL
2010-01-27 08:49 . 2010-01-27 08:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\MSKLC
2010-01-27 08:49 . 2010-01-27 08:49 -------- d-----w- c:\program files\Microsoft Keyboard Layout Creator 1.4
2010-01-20 16:00 . 2010-01-20 16:00 -------- d-----w- c:\program files\CCleaner
2010-01-20 15:59 . 2004-08-12 13:17 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-01-20 15:59 . 2004-08-12 13:17 95360 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-20 06:31 . 2010-01-20 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-01-20 06:31 . 2010-01-20 06:49 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-01-20 01:24 . 2010-01-20 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-19 23:47 . 2010-01-20 06:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks
2010-01-19 04:57 . 2010-01-19 04:57 -------- d-----w- c:\program files\MSSOAP
2010-01-19 04:56 . 2009-11-06 20:19 1563008 ----a-w- c:\windows\WRSetup.dll
2010-01-19 04:55 . 2010-01-19 04:56 164 ----a-w- c:\windows\install.dat
2010-01-18 03:02 . 2010-01-18 03:02 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-18 03:01 . 2010-01-18 07:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-18 02:55 . 2010-01-18 02:55 -------- d-----w- c:\program files\Trend Micro
2010-01-16 09:12 . 2010-01-16 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-06 04:17 . 2010-01-28 18:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-06 01:16 . 2010-01-06 01:16 -------- d-----w- c:\windows\ServicePackFiles
2010-01-05 09:54 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 09:54 . 2010-01-05 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-05 09:54 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 09:25 . 2010-01-05 09:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Webroot
2010-01-05 04:42 . 2010-01-05 04:42 -------- d-----w- c:\program files\VS Revo Group
2010-01-05 04:35 . 2010-01-05 04:38 -------- d-----w- c:\program files\Unlocker
2010-01-04 08:25 . 2010-01-04 08:25 -------- d-----w- C:\My Music
2010-01-04 08:21 . 2010-01-04 08:21 -------- d-----w- c:\program files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 18:55 . 2006-04-19 18:20 -------- d-----w- c:\program files\Java
2010-01-28 15:44 . 2009-05-26 20:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-01-28 13:07 . 2009-05-26 20:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-01-27 08:49 . 2006-04-21 17:35 67088 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-19 05:06 . 2006-07-28 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-01-04 08:22 . 2006-04-19 18:31 -------- d-----w- c:\program files\Common Files\Real
2009-12-23 09:39 . 2009-12-23 09:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-17 21:01 . 2009-12-17 21:01 -------- d-----w- c:\program files\MSECache
2009-11-21 16:36 . 2004-08-04 12:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-06 17:00 . 2006-07-28 17:15 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-11-06 17:00 . 2006-07-28 17:15 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-11-06 17:00 . 2009-11-06 17:00 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2003-04-08 15:12 . 2006-04-19 18:27 603 ----a-w- c:\program files\UIS.lnk
.

((((((((((((((((((((((((((((( SnapShot@2010-01-28_01.32.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-28 22:00 . 2010-01-28 22:00 16384 c:\windows\Temp\Perflib_Perfdata_7ec.dat
+ 2006-04-19 14:36 . 2010-01-28 18:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-04-19 14:36 . 2010-01-27 18:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-04-19 14:36 . 2010-01-28 18:50 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-04-19 14:36 . 2010-01-27 18:35 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-01-28 18:55 . 2010-01-28 18:55 153376 c:\windows\system32\javaws.exe
+ 2010-01-28 18:55 . 2010-01-28 18:55 145184 c:\windows\system32\javaw.exe
- 2010-01-06 04:17 . 2010-01-06 04:16 145184 c:\windows\system32\javaw.exe
- 2010-01-06 04:17 . 2010-01-06 04:16 145184 c:\windows\system32\java.exe
+ 2010-01-28 18:55 . 2010-01-28 18:55 145184 c:\windows\system32\java.exe
- 2006-04-19 14:36 . 2010-01-27 18:35 278528 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-04-19 14:36 . 2010-01-28 18:50 278528 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-04-21 17:33 . 2006-05-10 13:33 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2006-04-21 17:33 . 2010-01-28 15:44 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2010-01-28 18:56 . 2010-01-28 18:56 178176 c:\windows\Installer\4ab96.msi
+ 2010-01-28 18:55 . 2010-01-28 18:55 577536 c:\windows\Installer\4ab91.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-02-20 839680]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 397312]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-04 198160]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Zend\\ZendStudioClient-5.0.0\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\eclipse-java-ganymede-SR1-win32\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8081:TCP"= 8081:TCP:ePO (TCP)
"8081:UDP"= 8081:UDP:ePO (UDP)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [1/18/2010 11:57 PM 1201640]
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2010-01-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7pi9x4nw.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-28 17:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3148)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Network Associates\Common Framework\McTray.exe
c:\program files\Apoint\HidFind.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Apoint\Apntex.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2010-01-28 17:09:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-28 22:09
ComboFix2.txt 2010-01-28 01:33

Pre-Run: 57,810,333,696 bytes free
Post-Run: 57,794,793,472 bytes free

- - End Of File - - 36FF8A1023826DB1266405F1D816855D

Edited by Drunk Programmer, 28 January 2010 - 05:18 PM.
