Infected with Vundo


This topic is locked. 39 replies to this topic.

#16 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 16 February 2010 - 10:40 PM

Hi!

Okay, let's check to make sure it's copied. I'd like to do that before I run Avenger, just in case. Run systemlook again as I posted before, with the same command and post the log here.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM




#17 mura (Topic Starter)

  • Members
  • 21 posts

Posted 16 February 2010 - 10:59 PM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:43 on 16/02/2010 by Brandon Jenkins (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sy*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [03:59 04/08/2004] [03:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [05:57 20/05/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [07:44 16/02/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\I386\ATAPI.SY_ -----c 47242 bytes [00:51 28/04/2004] [12:00 31/03/2003] 4A425C994A72B0C6D7D19171A83EB78E
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [18:54 28/04/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys --a--c 86912 bytes [18:54 28/04/2004] [12:00 31/03/2003] 95B858761A00E1D4F81F79A0DA019ACA

-=End Of File=-
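The cross-check that this kind of log is used for, written out as an added example (it is not SystemLook's or the helper's own code): it parses the filefind lines posted above, groups every copy of the file by MD5, and reports which backup copies agree with the driver Windows actually loads from system32\drivers. Cabinet-compressed .SY_ copies are flagged rather than compared, because their hash only becomes comparable after they are expanded; the live driver path is assumed to be the system32\drivers entry from the log.

```python
"""Cross-check copies of a driver listed by a SystemLook "filefind" log.

Added example for this thread, not SystemLook's or the helper's code.
It parses the log layout shown in the thread, groups every copy of the
file by MD5, and reports which backup copies agree with the driver that
Windows loads from system32\\drivers.  Copies stored as cabinet-compressed
.SY_ files are flagged instead of compared: their hash can only be checked
after "expand", which is the next step taken in the thread.
"""
import hashlib
import re
from collections import defaultdict

# One result line: <path> <attrs> <size> bytes [<mtime>] [<ctime>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<t1>[^\]]+)\] \[(?P<t2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Sample input: the seven result lines posted in the log above.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "atapi.sy*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [03:59 04/08/2004] [03:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [05:57 20/05/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [07:44 16/02/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\I386\ATAPI.SY_ -----c 47242 bytes [00:51 28/04/2004] [12:00 31/03/2003] 4A425C994A72B0C6D7D19171A83EB78E
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [18:54 28/04/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys --a--c 86912 bytes [18:54 28/04/2004] [12:00 31/03/2003] 95B858761A00E1D4F81F79A0DA019ACA

-=End Of File=-
"""


def parse_filefind(text):
    """Return one dict per result line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def group_by_md5(entries):
    """Map each MD5 to the paths that carry it."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def is_compressed(path):
    """Windows setup stores cabinet-compressed files with a trailing '_'
    in the extension (ATAPI.SY_); they must be expanded before hashing."""
    return path.upper().endswith("_")


def check_live_driver(entries, live_path=r"C:\WINDOWS\system32\drivers\atapi.sys"):
    """Compare the loaded driver against every other listed copy.

    Returns the live file's hash and size, the copies that share its hash,
    the copies whose hash differs (with their size, so a version difference
    is visible at a glance), and the compressed copies left uncompared.
    """
    live = next((e for e in entries if e["path"].lower() == live_path.lower()), None)
    if live is None:
        raise ValueError("live driver not present in log: %s" % live_path)
    result = {"live": live["path"], "md5": live["md5"], "size": live["size"],
              "same_hash": [], "different": [], "compressed": []}
    for e in entries:
        if e is live:
            continue
        if is_compressed(e["path"]):
            result["compressed"].append(e["path"])
        elif e["md5"] == live["md5"]:
            result["same_hash"].append(e["path"])
        else:
            result["different"].append((e["path"], e["md5"], e["size"]))
    return result


def md5_hex(data):
    """Upper-case MD5 of a byte string, in the form SystemLook prints."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path):
    """MD5 of a file on disk, for re-checking a copy after expand/replace."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


if __name__ == "__main__":
    report = check_live_driver(parse_filefind(SAMPLE_LOG))
    print("live driver %s  md5=%s  size=%d" % (report["live"], report["md5"], report["size"]))
    for p in report["same_hash"]:
        print("  same hash  :", p)
    for p, md5, size in report["different"]:
        print("  differs    : %s (%s, %d bytes)" % (p, md5, size))
    for p in report["compressed"]:
        print("  compressed :", p, "(expand before comparing)")
```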

#18 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 16 February 2010 - 11:06 PM

Hi!

Doesn't look like it copied. Let's try it again with another batch file.
  1. Copy the following into notepad (Start>Run>"notepad"). Do not copy the word "code".
    CODE
    @echo off
    expand C:\WINDOWS\I386\ATAPI.SY_ c:\ >c:\log.txt
    cd\
    ren atapi.sy_ atapi.sys
    dir /a c:\atapi.sys >>c:\log.txt
    start c:\log.txt
    del %0
  2. Click File, then Save As... .
  3. Click Desktop on the left.
  4. Under the Save as type dropdown, select All Files.
  5. In the box File Name, input fix.bat
  6. Hit OK.
  7. Double click fix.bat. You will see a black command prompt window open then close. It might seem like nothing is happening, but the script is running.
  8. A text file will open up. Please copy and paste its contents into your next reply.



#19 mura (Topic Starter)

  • Members
  • 21 posts

Posted 16 February 2010 - 11:08 PM

Microsoft ® File Expansion Utility Version 5.1.2600.0
Copyright © Microsoft Corp 1990-1999. All rights reserved.

Expanding c:\windows\i386\atapi.sy_ to c:\atapi.sy_.
c:\windows\i386\atapi.sy_: 47242 bytes expanded to 86912 bytes, 83% increase.

Volume in drive C has no label.
Volume Serial Number is B4EB-7C2A

Directory of c:\

08/29/2002 01:27 AM 86,912 atapi.sys
1 File(s) 86,912 bytes
0 Dir(s) 1,407,774,720 bytes free


#20 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 16 February 2010 - 11:10 PM

Hello, mura.
That's perfect.

We can now proceed with the rest of the fix:
We need to run an Avenger script
  1. Download The Avenger by Swandog46 from here.
  2. Unzip/extract it to a folder on your desktop.
  3. Double click on avenger.exe.
  4. Click OK.
  5. Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  6. Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C. Do not copy the word "code".
    CODE
    Files to move:
    C:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
  7. In the avenger window, click the Paste Script from Clipboard button.
  8. Click the Execute button.
  9. You will be asked Are you sure you want to execute the current script?.
  10. Click Yes.
  11. You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  12. Click Yes.
  13. Your PC will now be rebooted.

    Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.

  14. After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  15. Please post this log in your next reply.

NEXT:

We need to run an MBR scan
  1. Double click on MBR.exe. A window will flash briefly, and a logfile named MBR.log should appear in your root directory. Please post the contents of that log in your next reply.

NEXT:

We need to run a GMER scan
  1. Close all other open programs as there is a slight chance your computer will crash.
  2. Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  3. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  4. Leaving the settings at default, click Scan.
  5. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Avenger Log
  • mbr.exe log
  • gmer.txt



#21 mura (Topic Starter)

  • Members
  • 21 posts

Posted 17 February 2010 - 01:49 AM

Whew, those GMER scans take forever.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x831f56a8
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> 0x825c4330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-17 01:46:08
Windows 5.1.2600 Service Pack 3
Running: 91i7mmwk.exe; Driver: C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\pxldqpog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEEC9987B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEEC997FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEEC998A5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEEC9980F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEEC9983B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEEC998CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEEC997E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEEC9988F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEEC99825]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEEC99851]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEEC99867]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEEC998E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEEC998B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EEC998BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP EEC997EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP EEC9987F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP EEC997FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP EEC99893 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP EEC99855 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP EEC998E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP EEC998D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP EEC9986B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP EEC9983F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP EEC99813 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EEC998A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E7B6 7 Bytes JMP EEC99829 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\tifmsony.sys entry point in "init" section [0xF88C0100]
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF8067680]
? C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoA + 4 7C801EF6 1 Byte [85]
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 023900D8
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02390F3F
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02390F24
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02390FA1
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02390FDE
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02390F5A
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02390028
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02390FCD
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 023900BD
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0218002F
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0218005B
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02180FD4
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0218000A
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02180F9E
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02180FEF
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02180FB9
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [38, 8A]
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02180040
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02170075
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!system 77C293C7 5 Bytes JMP 02170050
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0217002E
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02170000
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0217003F
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0217001D
.text C:\WINDOWS\System32\svchost.exe[1320] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02150000
.text C:\WINDOWS\System32\svchost.exe[1320] WS2_32.dll!bind 71AB4480 5 Bytes JMP 02150FDB
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 02160FDE
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 02160FEF
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 02160016
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 02160FC3
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00980000
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00980086
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00980F91
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0098005F
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0098004E
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00980FC0
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009800B2
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009800A1
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00980F2D
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00980F3E
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00980F1C
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0098003D
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0098001B
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00980F76
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0098002C
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00980FE5
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00980F4F
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00970036
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00970073
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00970FE5
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0097001B
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00970FB6
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00970000
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00970062
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00970047
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00960FA6
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00960031
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00960FD2
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0096000C
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00960FC1
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00960FEF
.text C:\WINDOWS\System32\svchost.exe[1448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\System32\svchost.exe[1448] WS2_32.dll!bind 71AB4480 5 Bytes JMP 006C0FCA
.text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 00950FEF
.text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 00950000
.text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 00950025
.text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 00950036
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B20FEF
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B20F92
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B2007D
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B2006C
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B2005B
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B20FC3
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B200BF
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B20F77
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B20F52
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B200EB
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B20106
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B2004A
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B20FD4
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B200A2
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B20025
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B20014
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B200D0
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B10FC0
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B1002C
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B10FDB
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B10011
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B10F6F
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B10000
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00B10F8A
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [D1, 88]
.text C:\WINDOWS\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B10FAF
.text C:\WINDOWS\system32\svchost.exe[1656] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B00F9C
.text C:\WINDOWS\system32\svchost.exe[1656] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B00FAD
.text C:\WINDOWS\system32\svchost.exe[1656] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B00FD9
.text C:\WINDOWS\system32\svchost.exe[1656] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B00000
.text C:\WINDOWS\system32\svchost.exe[1656] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B00FC8
.text C:\WINDOWS\system32\svchost.exe[1656] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B0001D
.text C:\WINDOWS\system32\svchost.exe[1656] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AE0FEF
.text C:\WINDOWS\system32\svchost.exe[1656] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00AE0FDE
.text C:\WINDOWS\system32\svchost.exe[1656] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 00AF000A
.text C:\WINDOWS\system32\svchost.exe[1656] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\system32\svchost.exe[1656] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 00AF001B
.text C:\WINDOWS\system32\svchost.exe[1656] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 00AF0FC8
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1792] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 012528F5
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1792] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01252781
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1792] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01252873
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1792] WS2_32.dll!recv 71AB676F 5 Bytes JMP 012527B9
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1792] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 012527F1
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B00079
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B00F84
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B00FA1
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B0005E
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B00FCD
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B00F49
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B0009B
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B000E2
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B000D1
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B00F24
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B00FBC
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B00014
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B0008A
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B0002F
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B00FDE
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B000AC
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00AF0FC3
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00AF004A
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00AF000A
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00AF0FD4
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00AF0039
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00AF0FE5
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00AF0F8D
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [CF, 88]
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00AF0FA8
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006C0042
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!system 77C293C7 5 Bytes JMP 006C0031
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006C0FD2
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006C0FC1
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006C000C
.text C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe[2020] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 018228F5
.text C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe[2020] ws2_32.dll!send 71AB4C27 5 Bytes JMP 01822781
.text C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe[2020] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01822873
.text C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe[2020] ws2_32.dll!recv 71AB676F 5 Bytes JMP 018227B9
.text C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe[2020] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 018227F1
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2040] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02BB28F5
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2040] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02BB2781
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2040] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02BB2873
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2040] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02BB27B9
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2040] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02BB27F1
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A50000
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A5008E
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A5007D
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A50FAF
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A50FCA
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A50051
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A500D5
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A500C4
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A50F46
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A50F57
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00A50F35
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00A50062
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A50FE5
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00A500B3
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00A5002C
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00A5001B
.text C:\WINDOWS\System32\svchost.exe[2252] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00A50F68
.text C:\WINDOWS\System32\svchost.exe[2252] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A40FB2
.text C:\WINDOWS\System32\svchost.exe[2252] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A40F7C
.text C:\WINDOWS\System32\svchost.exe[2252] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A40FC3
.text C:\WINDOWS\System32\svchost.exe[2252] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A40FDE
.text C:\WINDOWS\System32\svchost.exe[2252] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A40043
.text C:\WINDOWS\System32\svchost.exe[2252] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\System32\svchost.exe[2252] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00A40F97
.text C:\WINDOWS\System32\svchost.exe[2252] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [C4, 88]
.text C:\WINDOWS\System32\svchost.exe[2252] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A40014
.text C:\WINDOWS\System32\svchost.exe[2252] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A30F97
.text C:\WINDOWS\System32\svchost.exe[2252] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A30FB2
.text C:\WINDOWS\System32\svchost.exe[2252] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A30022
.text C:\WINDOWS\System32\svchost.exe[2252] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A30000
.text C:\WINDOWS\System32\svchost.exe[2252] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A30FCD
.text C:\WINDOWS\System32\svchost.exe[2252] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A30011
.text C:\WINDOWS\System32\svchost.exe[2252] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\System32\svchost.exe[2252] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 00C5000A
.text C:\WINDOWS\System32\svchost.exe[2252] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 00C50FD4
.text C:\WINDOWS\System32\svchost.exe[2252] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 00C5001B
.text C:\WINDOWS\System32\svchost.exe[2252] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\System32\svchost.exe[2252] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00C60014
.text C:\WINDOWS\System32\wdfmgr.exe[2916] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 006F28F5
.text C:\WINDOWS\System32\wdfmgr.exe[2916] WS2_32.dll!send 71AB4C27 5 Bytes JMP 006F2781
.text C:\WINDOWS\System32\wdfmgr.exe[2916] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 006F2873
.text C:\WINDOWS\System32\wdfmgr.exe[2916] WS2_32.dll!recv 71AB676F 5 Bytes JMP 006F27B9
.text C:\WINDOWS\System32\wdfmgr.exe[2916] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 006F27F1
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F46
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F61
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B003B
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F72
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F13
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F24
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0080
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0EDD
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001B0ECC
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001B0F8D
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001B0F35
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[3228] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001B0EF8
.text C:\WINDOWS\system32\wuauclt.exe[3228] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FC6
.text C:\WINDOWS\system32\wuauclt.exe[3228] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0047
.text C:\WINDOWS\system32\wuauclt.exe[3228] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FD7
.text C:\WINDOWS\system32\wuauclt.exe[3228] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\wuauclt.exe[3228] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0036
.text C:\WINDOWS\system32\wuauclt.exe[3228] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0011
.text C:\WINDOWS\system32\wuauclt.exe[3228] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002B0011
.text C:\WINDOWS\system32\wuauclt.exe[3228] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002B005F
.text C:\WINDOWS\system32\wuauclt.exe[3228] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002B0FC0
.text C:\WINDOWS\system32\wuauclt.exe[3228] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[3228] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002B004E
.text C:\WINDOWS\system32\wuauclt.exe[3228] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3228] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002B0033
.text C:\WINDOWS\system32\wuauclt.exe[3228] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002B0022

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\ACPI \Device\00000051 831F56A8
Device \Driver\ACPI \Device\00000052 831F56A8
Device \Driver\ACPI \Device\00000053 831F56A8
Device \Driver\ACPI \Device\00000054 831F56A8
Device \Driver\ACPI \Device\00000047 831F56A8
Device \Driver\ACPI \Device\00000055 831F56A8
Device \Driver\ACPI \Device\00000048 831F56A8

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\ACPI \Device\00000056 831F56A8
Device \Driver\ACPI \Device\00000049 831F56A8
Device \Driver\ACPI \Device\00000070 831F56A8
Device \Driver\ACPI \Device\00000063 831F56A8
Device \Driver\ACPI \Device\00000057 831F56A8
Device \Driver\ACPI \Device\00000064 831F56A8
Device \Driver\ACPI \Device\00000058 831F56A8
Device \Driver\ACPI \Device\00000065 831F56A8
Device \Driver\ACPI \Device\00000059 831F56A8
Device \Driver\ACPI \Device\00000081 831F56A8
Device \Driver\ACPI \Device\00000082 831F56A8
Device \Driver\ACPI \Device\00000083 831F56A8
Device \Driver\ACPI \Device\0000004a 831F56A8
Device \Driver\ACPI \Device\00000084 831F56A8
Device \Driver\ACPI \Device\0000005a 831F56A8
Device \Driver\ACPI \Device\0000004d 831F56A8
Device \Driver\ACPI \Device\0000005b 831F56A8
Device \Driver\ACPI \Device\0000005c 831F56A8

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\ACPI \Device\0000005d 831F56A8

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\ACPI \Device\0000005e 831F56A8
Device \Driver\ACPI \Device\0000006b 831F56A8
Device \Driver\ACPI \Device\0000006c 831F56A8
Device \Driver\ACPI \Device\0000006d 831F56A8
Device \Driver\ACPI \Device\0000006f 831F56A8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x41 0xFE 0x6D 0xDB ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x9D 0xA1 0xBD ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x62 0xCA 0xC5 0xC9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x41 0xFE 0x6D 0xDB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x9D 0xA1 0xBD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7C 0x30 0x84 0xDB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x53 0x34 0xAC 0x89 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x41 0xFE 0x6D 0xDB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x9D 0xA1 0xBD ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7C 0x30 0x84 0xDB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x53 0x34 0xAC 0x89 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x41 0xFE 0x6D 0xDB ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x9D 0xA1 0xBD ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7C 0x30 0x84 0xDB ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x53 0x34 0xAC 0x89 ...

---- EOF - GMER 1.0.15 ----
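The long ".text" listing in this log is GMER's report of inline patches on exported APIs inside each running process (the hooked export, its address, how many bytes were overwritten, and where the JMP lands). The script below is an added triage helper for that format, not part of GMER or of anyone's post in this thread: it parses such lines, groups them per process, classifies the hooked APIs into families (my own grouping, an assumption made for the example), counts the split 2+2-byte patches that GMER reports as a "+ 3" continuation line, and counts how many 64 KiB regions the JMP targets fall into. The sample input is a constructed subset copied from the log above.

```python
"""Triage helper for the 'User code sections' part of a GMER 1.0.15 log.

Added example for this thread, not part of GMER or of the original posts.
It groups inline hooks by process, classifies the hooked APIs, and flags the
split 2+2-byte patches that GMER reports as a '+ 3' continuation line.
"""
import re

# Constructed subset of the log above: a handful of svchost.exe hooks plus one
# line from a McAfee process, which hooks the socket data path as a firewall does.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DB0ED3
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DB002C
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00DA0FC3
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [FA, 88]
.text C:\WINDOWS\system32\svchost.exe[1272] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 00D80FC8
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoA 7C801EF2 3 Bytes JMP 02390091
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoA + 4 7C801EF6 1 Byte [85]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1792] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01252781
"""

# One GMER '.text' line: image[pid] module!api [+ offset] addr n Bytes (JMP target | [raw bytes])
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<api>\S+)(?:\s\+\s(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<raw>[^\]]*)\])\s*$"
)

# API families a responder cares about when a non-security process is hooked
# (assumed grouping for this example, not a GMER classification).
FAMILIES = {
    "process": {"CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem"},
    "registry": {"RegOpenKeyA", "RegOpenKeyW", "RegOpenKeyExA", "RegOpenKeyExW",
                 "RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW"},
    "network": {"socket", "bind", "InternetOpenA", "InternetOpenW",
                "InternetOpenUrlA", "InternetOpenUrlW"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
               "GetProcAddress"},
    "file": {"CreateFileA", "CreateFileW", "_open", "_wopen", "_creat", "_wcreat"},
}


def parse_hooks(text):
    """Return one dict per '.text' line; lines in any other format are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        hooks.append({
            "image": d["image"], "pid": int(d["pid"]),
            "module": d["module"], "api": d["api"],
            # offset is non-zero on continuation lines ('RegCreateKeyW + 3'), which
            # describe the remaining bytes of a patch that GMER reports in two parts.
            "offset": int(d["offset"]) if d["offset"] else 0,
            "addr": int(d["addr"], 16), "nbytes": int(d["nbytes"]),
            "target": int(d["target"], 16) if d["target"] else None,
            "raw": d["raw"],
        })
    return hooks


def family_of(api):
    for name, apis in FAMILIES.items():
        if api in apis:
            return name
    return "other"


def summarize(hooks):
    """Group hooks per (image, pid): hook count, split patches, API families, JMP regions."""
    out = {}
    for h in hooks:
        key = (h["image"].lower(), h["pid"])
        s = out.setdefault(key, {"hooks": 0, "split": 0, "families": set(), "regions": set()})
        if h["offset"]:
            s["split"] += 1          # continuation line, not a new hook
            continue
        s["hooks"] += 1
        s["families"].add(family_of(h["api"]))
        if h["target"] is not None:
            # JMP destinations in one process cluster into a few 64 KiB regions,
            # one per hooked module in the log above; count them as a rough
            # measure of how many trampoline blocks were allocated.
            s["regions"].add(h["target"] >> 16)
    return out


def report(text):
    """One summary line per hooked process, sorted by image path and PID."""
    lines = []
    for (image, pid), s in sorted(summarize(parse_hooks(text)).items()):
        fams = ", ".join(sorted(s["families"]))
        lines.append(f"{image}[{pid}]: {s['hooks']} hooks ({fams}); "
                     f"{s['split']} split patches; "
                     f"{len(s['regions'])} trampoline region(s)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the full log, the summary makes the pattern in the listing easy to read: the McAfee processes (mcagent.exe, HWAPI.exe, mcmscsvc.exe) and wdfmgr.exe hook only the socket data path (send, recv, WSASend, WSARecv, closesocket), which is what a personal firewall does, whereas each svchost.exe and wuauclt.exe instance carries hooks across process creation, registry, loader, file and connection-setup APIs. Hooks of that breadth in processes that are not security software are what a responder escalates; the tool only groups and counts, it does not decide which hooks are malicious.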


#22 aommaster
Posted 17 February 2010 - 09:02 AM

Hello, mura.
Hehe... well, the good news is that we won't be needing GMER any more. Let's fix this MBR rootkit first, then scan your computer with an online scanner, just to make sure that we've got everything.

We need to run an MBR fix
  1. Make sure you have MBR.exe still in your root directory (usually C:\) and delete the MBR.log file. If you deleted MBR.exe, download it from here
  2. Now click Start > Run and copy/paste the following text in the box that opens. Do not copy the word "code".
    CODE
    C:\mbr.exe -f
  3. Press enter.
  4. An mbr.log should be created in your root directory. Please post its contents in your next reply.

NEXT:

We need to update your version of Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  2. Look for "JDK 6 Update 18 (JDK or JRE)".
  3. Click the Download JRE button to the right.
  4. Select your Platform: "Windows".
  5. Select your Language: "Multi-language".
  6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
  7. Click Continue and the page will refresh.
  8. Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  9. Close any programs you may have running - especially your web browser.
  10. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  11. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  12. Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  13. Repeat as many times as necessary to remove each Java version.
  14. Reboot your computer once all Java components are removed.
  15. Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please make sure you turn on the Java Automatic Update Feature

Then you will not have to remember to update it when Java introduces a new version.
Java is updated very frequently, and the old versions are malware magnets.

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.

NEXT:

We need to run a Panda Active Scan
  1. Please go here to run Panda's ActiveScan
  2. Once you are on the Panda site click the Scan your PC button
  3. Click the big Scan Now button
  4. If it wants to install an ActiveX component allow it
  5. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  6. When download is complete, click on My Computer to start the scan
  7. When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

In your next reply, please include the following:
  • mbr.exe log
  • ActiveScan Report

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#23 mura

Posted 18 February 2010 - 06:50 PM

Hi, aommaster. Sorry for the delay.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x831f56a8
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> 0x825c4330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !


;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-02-18 18:46:54
PROTECTIONS: 1
MALWARE: 49
SUSPECTS: 3
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Yes No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00000431 adware/ist.istbar Adware No 1 Yes No hkey_current_user\software\microsoft\windows\currentversion\ext\stats\{7c559105-9ecf-42b8-b3f7-832e75edd959}
00001888 adware/dyfuca Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\internet optimizer
00018457 adware/purityscan Adware No 0 Yes No hkey_classes_root\typelib\{46605c8c-d306-4e2d-b367-9b53690cb867}
00018457 adware/purityscan Adware No 0 Yes No hkey_classes_root\interface\{81eb72d7-3949-450f-b035-de599959814f}
00020942 adware/exact.bargainbuddy Adware No 0 Yes No c:\windows\system32\vx1x.nls
00020942 adware/exact.bargainbuddy Adware No 0 Yes No c:\windows\system32\vx1.nls
00020942 adware/exact.bargainbuddy Adware No 0 Yes No c:\windows\system32\vx0.nls
00020942 adware/exact.bargainbuddy Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\bargainbuddy
00020942 adware/exact.bargainbuddy Adware No 0 Yes No hkey_current_user\software\microsoft\windows\currentversion\ext\stats\{f4e04583-354e-4076-be7d-ed6a80fd66da}
00027660 adware/savenow Adware No 0 Yes No hkey_current_user\software\microsoft\windows\currentversion\ext\stats\{87766247-311c-43b4-8499-3d5fec94a183}
00032745 adware/sahagent Adware No 0 Yes No hkey_current_user\software\microsoft\windows\currentversion\ext\stats\{5f3b3060-09e0-44c6-86f7-bc7b02b57bee}
00034463 adware/wupd Adware No 0 Yes No hkey_classes_root\mediaaccx.installer
00034463 adware/wupd Adware No 0 Yes No hkey_local_machine\software\classes\mediaaccx.installer
00040064 adware/mediatickets Adware No 1 Yes No hkey_local_machine\software\classes\clsid\{9eb320ce-be1d-4304-a081-4b4665414bef}
00040064 adware/mediatickets Adware No 1 Yes No hkey_classes_root\interface\{3e4c3e0b-6bbe-4c94-86ca-6f055a989693}
00040064 adware/mediatickets Adware No 1 Yes No hkey_classes_root\clsid\{9eb320ce-be1d-4304-a081-4b4665414bef}
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\system\currentcontrolset\enum\root\legacy_wintoolssvc
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\system\currentcontrolset\enum\root\legacy_tbpssvc
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_tbpssvc
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_wintoolssvc
00040415 adware/wintools Adware No 0 Yes No hkey_current_user\software\microsoft\windows\currentversion\ext\stats\{8b0fa130-0c3d-4cb1-aeb7-2c29da5509a3}
00040415 adware/wintools Adware No 0 Yes No hkey_current_user\software\microsoft\windows\currentversion\ext\stats\{6e21f428-5617-47f7-aed8-b2e1d8fba711}
00040415 adware/wintools Adware No 0 Yes No hkey_current_user\software\microsoft\windows\currentversion\ext\stats\{8952a998-1e7e-4716-b23d-3dbe03910972}
00132447 adware program Adware No 0 Yes No c:\windows\ss3unstl.exe
00132447 adware program Adware No 0 Yes No hkey_current_user\software\ssb3
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.doubleclick.net/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.doubleclick.net/]
00145453 Cookie/Bfast TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.bfast.com/]
00145453 Cookie/Bfast TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.bfast.com/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.tribalfusion.com/]
00168048 Cookie/Overture TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.perf.overture.com/]
00168048 Cookie/Overture TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.perf.overture.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.apmebf.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.apmebf.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.burstnet.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.advertising.com/]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[statse.webtrendslive.com/s119579]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[statse.webtrendslive.com/s146253]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[statse.webtrendslive.com/s146253]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[statse.webtrendslive.com/s119579]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[statse.webtrendslive.com/s119579]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[statse.webtrendslive.com/s146253]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[statse.webtrendslive.com/s119579]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[statse.webtrendslive.com/s146253]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.realmedia.com/]
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.bluestreak.com/]
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.bluestreak.com/]
00198936 Cookie/SAHAgent TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[www.shopathomeselect.com/]
00198936 Cookie/SAHAgent TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[www.shopathomeselect.com/]
00198936 Cookie/SAHAgent TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[www.shopathomeselect.com/]
00198936 Cookie/SAHAgent TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[www.shopathomeselect.com/]
00199983 Cookie/Valueclick TrackingCookie No 0 Yes No c:\documents and settings\helpassistant\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.valueclick.com/]
00199983 Cookie/Valueclick TrackingCookie No 0 Yes No c:\documents and settings\brandon jenkins\application data\mozilla\profiles\default\3xucllkp.slt\cookies.txt[.valueclick.com/]
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp500\a0332730.sys
00958505 Generic Malware Virus/Trojan No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp499\a0329678.dll
00958505 Generic Malware Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\progra~1\aws\weathe~1\minibu~1.dll.vir
01260840 Trj/Downloader.PME Virus/Trojan No 1 Yes No c:\documents and settings\brandon jenkins\local settings\application data\wildtangent\cdacache\00\00\16.dat
01675833 Trj/SMSlock.C Virus/Trojan No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp500\a0333738.exe
01937974 Generic Malware Virus/Trojan No 0 No No c:\windows\system32\faxpc.exe[plugin.dll]
02884470 Adware/SaveNow Adware No 0 Yes No c:\windows\system32\faxpc.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp499\a0329690.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp499\a0329688.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp499\a0329685.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp500\a0331333.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp499\a0327865.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp499\a0323933.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp499\a0323932.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[zemeruwi.dll]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[patafudi.dll]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[natulevo.dll]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[masigewu.dll]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\windows\system32\spool\prtprocs\w32x86\617.tmp
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[lowepuza.dll]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[kuwalobe.dll]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[kudinuho.dll]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[kotatada.dll]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[hesudobu.dll]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\zazuporo.dll.vir
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\tatoluya.dll.vir
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\foyorere.dll.vir
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\hisakite.dll.vir
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\sizehawi.dll.vir
05898765 Trj/Nabload.DPS Virus/Trojan No 0 No No c:\documents and settings\brandon jenkins\desktop\combofix.exe[32788r22fwjfw\catchme.cfxxe]
05947417 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[yolufeta.dll]
05947782 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[tuhemasa.dll]
05948430 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp493\a0322746.dll
05949168 Generic Worm Virus/Worm No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp492\a0322697.dll
05949168 Generic Worm Virus/Worm No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[fulorepi.dll.tmp]
05949168 Generic Worm Virus/Worm No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[hikepohe.dll.tmp]
05949168 Generic Worm Virus/Worm No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp492\a0322698.dll
05949168 Generic Worm Virus/Worm No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp492\a0322699.dll
05949168 Generic Worm Virus/Worm No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[kumeweva.dll.tmp]
05951639 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[kohuhego.dll]
05952013 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\hizemino.dll.vir
05952013 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp499\a0329686.dll
05956330 Spyware/Virtumonde Spyware No 1 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[pawizipu.dll]
05956840 Spyware/Virtumonde Spyware No 1 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[povorika.dll]
05960729 Spyware/Virtumonde Spyware No 1 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp499\a0329689.dll
05960729 Spyware/Virtumonde Spyware No 1 Yes No c:\qoobox\quarantine\c\windows\system32\vivipedo.dll.vir
05961872 Spyware/Virtumonde Spyware No 1 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp493\a0322745.dll
05963886 Spyware/Virtumonde Spyware No 1 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[womayovi.dll]
05963887 Spyware/Virtumonde Spyware No 1 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[wuyeligo.dll]
05964255 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp493\a0322744.dll
05964317 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[fayakelu.dll]
05964710 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[mikadazo.dll]
05964769 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[jepayala.dll]
05964882 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[mibewoja.dll]
05965535 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{be6d594a-9937-4757-9d7d-47f11c10fac3}\rp499\a0329681.dll
05965535 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\davupelu.dll.vir
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\program files\microsoft works\works source\setup.exe
No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[hesinewo.dll]
No c:\qoobox\quarantine\[4]-submit_2010-02-16_11.32.45.zip[suhowumu.dll]
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
216839 HIGH MS10-001
215938 HIGH MS09-072
215935 HIGH MS09-069
215048 HIGH MS09-065
214076 HIGH MS09-059
971486 HIGH MS09-058
214074 HIGH MS09-057
214073 HIGH MS09-056
214072 HIGH MS09-055
214071 HIGH MS09-054
213109 HIGH MS09-046
212494 HIGH MS09-042
212493 HIGH MS09-041
212490 HIGH MS09-038
212530 HIGH MS09-034
211784 HIGH MS09-032
211781 HIGH MS09-029
210625 HIGH MS09-026
210624 HIGH MS09-025
210621 HIGH MS09-022
210618 HIGH MS09-019
208380 HIGH MS09-015
208379 HIGH MS09-014
208378 HIGH MS09-013
208377 HIGH MS09-012
203806 HIGH MS08-078
203508 HIGH MS08-073
201250 HIGH MS08-058
209273 HIGH MS08-045
;===================================================================================================================================================================================
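
A triage pass over a report in the format mura posted above, as an added example (not a tool from the thread or from Panda): it parses the MALWARE section and buckets each detection by where it lives, so the few live files on disk stand out from restore-point copies, ComboFix quarantine entries, tracking cookies and orphaned registry keys. The sample report, its GUIDs and its paths are constructed to match the report's line format.

```python
"""Triage a Panda ActiveScan text report: separate live findings from inert ones.

Added example, not part of the BleepingComputer thread. SAMPLE_REPORT below is
constructed in the same line layout as the report posted in the thread.
"""
import re
from collections import Counter

# One MALWARE line: Id Description Type Active Severity Disinfectable Disinfected Location
# Description may contain spaces ("Generic Trojan"); Type never does, so the
# lazy description group backtracks until the Yes/No columns line up.
MALWARE_LINE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<location>.+)$"
)

# Constructed sample (same layout as the thread's report, values are made up).
SAMPLE_REPORT = r"""ANALYSIS: 2010-02-18 18:46:54
PROTECTIONS: 1
MALWARE: 6
SUSPECTS: 0
PROTECTIONS
Description Version Active Updated
McAfee VirusScan Yes No
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\user\application data\mozilla\profiles\default\cookies.txt[.doubleclick.net/]
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No c:\system volume information\_restore{guid-placeholder}\rp500\a0332730.sys
00958505 Generic Malware Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\example.dll.vir
00132447 adware program Adware No 0 Yes No c:\windows\ss3unstl.exe
00132447 adware program Adware No 0 Yes No hkey_current_user\software\ssb3
01260840 Trj/Downloader.PME Virus/Trojan No 1 Yes No c:\documents and settings\user\local settings\application data\wildtangent\cdacache\00\00\16.dat
SUSPECTS
Sent Location
"""


def classify(entry):
    """Bucket a parsed entry by where the detection lives."""
    loc = entry["location"].lower()
    if entry["type"] == "TrackingCookie" or "cookies.txt[" in loc:
        return "tracking_cookie"        # browser cookie, no executable content
    if "\\system volume information\\_restore" in loc:
        return "restore_point"          # inert copy; cleared by purging System Restore
    if "\\qoobox\\quarantine\\" in loc:
        return "quarantined"            # already isolated by ComboFix
    if loc.startswith("hkey_"):
        return "registry_remnant"       # orphaned key, no executable content
    if "combofix.exe[" in loc:
        return "inside_removal_tool"    # detection inside a responder tool's archive: verify by hand
    return "live_file"                  # a file on disk that still needs action


def parse_report(text):
    """Return the parsed MALWARE entries of an ActiveScan report, each with a bucket."""
    entries = []
    in_malware = False
    for line in text.splitlines():
        if line.strip() == "MALWARE":
            in_malware = True
            continue
        if in_malware and line.strip() in ("SUSPECTS", "VULNERABILITIES"):
            break
        m = MALWARE_LINE.match(line)
        if in_malware and m:
            entry = m.groupdict()
            entry["severity"] = int(entry["severity"])
            entry["bucket"] = classify(entry)
            entries.append(entry)
    return entries


def triage(text):
    """Return (bucket counts, live-file entries) for a report."""
    entries = parse_report(text)
    counts = Counter(e["bucket"] for e in entries)
    live = [e for e in entries if e["bucket"] == "live_file"]
    return counts, live


if __name__ == "__main__":
    counts, live = triage(SAMPLE_REPORT)
    for bucket, n in sorted(counts.items()):
        print(f"{bucket:20s} {n}")
    print("needs action:")
    for e in live:
        print(f"  [{e['desc']}, severity {e['severity']}] {e['location']}")
```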


#24 aommaster

Posted 18 February 2010 - 06:55 PM

Hello, mura.
No worries about the delay.

We need to run an MBAM Scan
  1. Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2
  2. Make sure you are connected to the Internet.
  3. Double-click on Download_mbam-setup.exe to install the application.
  4. When the installation begins, follow the prompts and do not make any changes to default settings.
  5. When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  6. Then click Finish.
  7. Run MBAM and you will be asked to update the program before performing a scan.
    If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If you encounter any problems while downloading the updates, manually download them from here
    and just double-click on mbam-rules.exe to install.
  8. On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  9. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  10. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  11. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  12. Click OK to close the message box and continue with the removal process.
  13. Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  14. Make sure that everything is checked, and click Remove Selected.
  15. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  16. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  17. Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



NEXT:

We need to run RootRepeal
  1. Download RootRepeal
  2. Extract RootRepeal.exe from the zip archive.
  3. Open RootRepeal on your desktop.
  4. Click the Report tab.
  5. Click the Scan button.
  6. Check all six boxes present (Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services)
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


In your next reply, please include the following:
  • MBAM Log
  • RootRepeal Log



#25 mura

Posted 18 February 2010 - 09:52 PM

Hey, aommaster. I've tried running RootRepeal three times now, but it keeps freezing when I try to open the program, and then I have to manually restart my computer. It says "Initializing, please wait...." forever. What should I do?

#26 aommaster

Posted 18 February 2010 - 10:41 PM

Hi!

Okay, let's skip the RootRepeal for now, then. Please post up the MBAM log.



#27 mura

Posted 18 February 2010 - 11:08 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3759
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/18/2010 7:41:51 PM
mbam-log-2010-02-18 (19-41-51).txt

Scan type: Quick Scan
Objects scanned: 128128
Time elapsed: 21 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\insertsmile.cosmileinsertor (Adware.SmileyDistrict) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\insertsmile.cosmileinsertor.1 (Adware.SmileyDistrict) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\outlooksmile.outlooksmile (Adware.SmileyDistrict) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\wordsmile.wordsmile (Adware.SmileyDistrict) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e36e190-77f9-48a1-b0f3-5698425cee9b} (Adware.SmileyDistrict) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7961702e-4d6c-4578-982e-ddb0b0e58028} (Adware.SmileyDistrict) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0e010ce6-25f7-436f-baee-5a646b31b9bf} (Adware.SmileyDistrict) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7c559105-9ecf-42b8-b3f7-832e75edd959} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6dd0bc06-4719-4ba3-bebc-fbae6a448152} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\InsertSmile.dll (Adware.SmileyDistrict) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\OutlookSmile.OutlookSmile (Adware.SmileyDistrict) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\WordSmile.WordSmile (Adware.SmileyDistrict) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#28 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:10:24 PM

Posted 18 February 2010 - 11:17 PM

Hello, mura.
We need to run a Combofix script
  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    MBR::
    Quit::
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NEXT:

We need to run an MBR scan
  1. Double click on MBR.exe, a window will flash briefly and a logfile named MBR.log should appear in your root directory. Please post the contents of that log in your next reply.

In your next reply, please include the following:
  • ComboFix.txt
  • mbr.exe log



#29 mura

mura
  • Topic Starter

  • Members
  • 21 posts
  • Local time:01:24 PM

Posted 19 February 2010 - 12:36 AM

ComboFix 10-02-12.01 - Brandon Jenkins 02/18/2010 23:40:53.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.178 [GMT -5:00]
Running from: c:\documents and settings\Brandon Jenkins\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brandon Jenkins\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG.TXT

.
((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))
.

2010-02-19 00:14 . 2010-02-19 00:14 -------- d-----w- c:\documents and settings\Brandon Jenkins\Application Data\Malwarebytes
2010-02-19 00:13 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 00:13 . 2010-02-19 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-19 00:13 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 00:13 . 2010-02-19 00:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-17 18:09 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-17 18:08 . 2010-02-17 18:08 -------- d-----w- c:\program files\Panda Security
2010-02-17 18:04 . 2010-02-17 18:04 -------- d-----w- c:\program files\Common Files\Java
2010-02-16 16:25 . 2010-02-16 16:25 77312 ----a-w- C:\mbr.exe
2010-02-15 23:28 . 2010-02-16 19:50 -------- d-----w- c:\program files\trend micro
2010-02-15 23:28 . 2010-02-15 23:29 -------- d-----w- C:\rsit
2010-02-11 03:52 . 2010-02-11 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-11 03:52 . 2010-02-11 03:52 -------- d-----w- c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-17 18:04 . 2010-02-17 18:04 348160 ----a-w- c:\documents and settings\Brandon Jenkins\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1db43fa5-n\msvcr71.dll
2010-02-17 18:04 . 2010-02-17 18:04 61440 ----a-w- c:\documents and settings\Brandon Jenkins\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-264e16b9-n\decora-sse.dll
2010-02-17 18:04 . 2010-02-17 18:04 503808 ----a-w- c:\documents and settings\Brandon Jenkins\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1db43fa5-n\msvcp71.dll
2010-02-17 18:04 . 2010-02-17 18:04 499712 ----a-w- c:\documents and settings\Brandon Jenkins\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1db43fa5-n\jmc.dll
2010-02-17 18:04 . 2010-02-17 18:04 12800 ----a-w- c:\documents and settings\Brandon Jenkins\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-264e16b9-n\decora-d3d.dll
2010-02-17 18:03 . 2009-02-24 04:18 411368 -c--a-w- c:\windows\system32\deploytk.dll
2010-02-17 18:02 . 2009-06-21 16:39 -------- d-----w- c:\program files\Java
2010-02-14 21:40 . 2006-05-09 13:00 -------- d-----w- c:\documents and settings\Brandon Jenkins\Application Data\uTorrent
2010-02-12 12:29 . 2004-04-28 21:35 -------- d-----w- c:\program files\Symantec
2010-02-11 12:50 . 2004-04-28 21:29 -------- d-----w- c:\program files\Google
2010-02-11 00:46 . 2007-11-16 15:09 -------- d-----w- c:\program files\uTorrent
2010-01-23 22:17 . 2009-01-24 12:08 66624 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-01-18 15:22 . 2004-09-27 00:07 -------- d-----w- c:\program files\HP
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2003-03-31 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-26 335872]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2004-01-19 290816]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2004-02-13 98304]
"Hcontrol"="c:\windows\ATK0100\Hcontrol.exe" [2003-09-20 61440]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="d:\my music\iTunesHelper.exe" [2009-09-09 305440]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Brandon Jenkins^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Brandon Jenkins\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Brandon Jenkins^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\Brandon Jenkins\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wpwrvtom]
c:\windows\System32\n?svc32.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2001-09-05 00:24 28672 -c--a-w- c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 380416 ----a-w- c:\windows\system32\irprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2005-12-10 14:57 133016 -c--a-w- d:\daemon tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
2002-08-20 18:29 40960 ----a-w- c:\windows\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 03:34 49152 -c--a-w- d:\hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
2004-02-20 19:12 32768 -c--a-w- d:\program files\SONY\ISB Utility\ISBMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 14:50 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2007-08-30 14:50 205480 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 08:40 86960 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 -c--a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2008-04-17 07:31 169256 -c--a-w- d:\onetouch status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
2003-12-12 06:03 167936 -c--a-w- c:\program files\Sony\VAIO Power Management\SPMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 -c--a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
2004-01-17 10:36 135168 -c--a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"Maxtor Sync Service"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\My Music\\iTunes.exe"=
"d:\\My Crap\\Stuff\\Trillian\\trillian.exe"=
"c:\\WINDOWS\\system32\\ezSP_Px.exe"=
"c:\\Program Files\\Apoint\\ApntEx.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"9916:TCP"= 9916:TCP:Services
"1956:TCP"= 1956:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"7925:TCP"= 7925:TCP:Services

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/17/2010 1:09 PM 28552]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [5/28/2004 4:53 PM 86098]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [4/27/2004 1:09 PM 37040]
S0 brqvpwug;brqvpwug;c:\windows\system32\drivers\khaznpdh.sys --> c:\windows\system32\drivers\khaznpdh.sys [?]
S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [9/14/2004 4:09 PM 6828]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2004-04-28 00:12]

2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-11-29 00:10]

2004-09-14 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-04-28 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - hxxp://www.mt-download.com/MediaTicketsInstaller.cab
FF - ProfilePath - c:\documents and settings\Brandon Jenkins\Application Data\Mozilla\Firefox\Profiles\23ltgfq1.default\
FF - plugin: d:\my music\Mozilla Plugins\npitunes.dll

---- FIREFOX POLICIES ----
d:\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
d:\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-19 00:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\McAfee\VIRUSS~1\mcods.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\windows\System32\wdfmgr.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\ATK0100\ATKOSD.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Sony\HotKey Utility\HKWnd.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-19 00:32:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-19 05:32
ComboFix2.txt 2010-02-16 19:49
ComboFix3.txt 2010-02-16 17:15
ComboFix4.txt 2010-02-16 07:51

Pre-Run: 911,736,832 bytes free
Post-Run: 913,498,112 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - BBB499B29300EE60A4974B40E050407C


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
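
A small triage script, added here as an editor's example (it was not posted in the thread and is not part of ComboFix or Gmer's MBR tool): it parses the two machine-generated blocks posted above, the ComboFix "Sigcheck" lines and the MBR detector output, and reports what a helper would look for first. For Sigcheck it groups copies of a system file by name and flags a copy loaded from system32\drivers whose MD5 differs from the newest service-pack reference copy on the same machine; for the MBR log it pulls out every sector the detector named and whether the line carried the detector's own "!" alarm. The sample lines are constructed to match the log shapes shown above; the REFERENCE_DIRS list and the reading of a leading "[-]" as "ComboFix could not verify this copy" are assumptions.

```python
"""Triage helpers for two log formats seen in this thread (editor's example).

Parses ComboFix's "Sigcheck" block and Gmer's MBR detector output. The
sample text below is constructed to match the lines posted above; nothing
is read from disk, so the script runs offline.
"""
import re
from collections import defaultdict

# One Sigcheck line: "[7] 2008-04-13 . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

# MBR detector lines that name a disk sector, e.g. "malicious code @ sector 0x... !"
MBR_SECTOR_RE = re.compile(
    r"^(?P<what>.+?)\s+(?:@|in)\s+sector(?:\s+at)?\s+(?P<sector>0x[0-9A-Fa-f]+)\s*!?\s*$"
)

# Assumption: folders where Windows keeps its own reference copy of a system file.
REFERENCE_DIRS = ("\\servicepackfiles\\", "\\erdnt\\cache\\", "\\$ntservicepackuninstall$\\")

# Constructed sample in the shape of the Sigcheck block posted above.
SIGCHECK_SAMPLE = r"""
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2003-03-31 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\drivers\atapi.sys
"""

# Constructed sample in the shape of the MBR detector output posted above.
MBR_SAMPLE = """
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
"""


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; paths are lower-cased for matching."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            d["path"] = d["path"].lower()
            entries.append(d)
    return entries


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def live_copies_differing_from_reference(entries):
    """Flag a copy under system32\\drivers (the one loaded at boot) whose hash
    differs from the newest reference copy of the same file name."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[_basename(e["path"])].append(e)
    findings = []
    for name, copies in by_name.items():
        live = [e for e in copies if "\\system32\\drivers\\" in e["path"]]
        refs = [e for e in copies if any(r in e["path"] for r in REFERENCE_DIRS)]
        if not live or not refs:
            continue
        newest_ref = max(refs, key=lambda e: e["date"])  # ISO dates sort as text
        for e in live:
            if e["md5"] != newest_ref["md5"]:
                findings.append({
                    "file": name,
                    "live_md5": e["md5"],
                    "live_version": e["version"],
                    "reference_md5": newest_ref["md5"],
                    "reference_version": newest_ref["version"],
                    "reference_path": newest_ref["path"],
                    # Assumption: a "[-]" flag means ComboFix could not verify the copy.
                    "unverified": e["flag"] == "-",
                })
    return findings


def mbr_findings(text):
    """Return (description, sector number, alarm) for each sector the detector named;
    alarm is True when the line ended with the tool's own '!' marker."""
    out = []
    for line in text.splitlines():
        m = MBR_SECTOR_RE.match(line.strip())
        if m:
            out.append((m.group("what"), int(m.group("sector"), 16),
                        line.rstrip().endswith("!")))
    return out


if __name__ == "__main__":
    for f in live_copies_differing_from_reference(parse_sigcheck(SIGCHECK_SAMPLE)):
        print("%s: live %s (%s) != reference %s (%s) unverified=%s" % (
            f["file"], f["live_md5"], f["live_version"],
            f["reference_md5"], f["reference_version"], f["unverified"]))
    for what, sector, alarm in mbr_findings(MBR_SAMPLE):
        print("%s%s at sector 0x%08X" % ("ALARM: " if alarm else "", what, sector))
```

On the sample above the script reports that the loaded atapi.sys (version 5.1.2600.1106, hash 95B8...9ACA) does not match the Service Pack 3 reference copy (5.1.2600.5512, hash 9F3A...2674), which is exactly the comparison the helper was making by hand with SystemLook earlier in the thread, and it lists the three sectors the MBR detector named with the two "!" lines marked as alarms.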


#30 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:10:24 PM

Posted 19 February 2010 - 12:44 AM

Hello, mura.
Looks good!

We need to run a Combofix script
  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    Driver::
    brqvpwug

    File::
    c:\windows\system32\drivers\khaznpdh.sys
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NEXT:

Are you still experiencing any problems?

In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log
  • Description of any remaining problems





