Program running at startup which is invisible - Malware.ramnit?


  • This topic is locked
4 replies to this topic

#1 SueCB

  • Members
  • 2 posts
  • Gender:Female
  • Location:England

Posted 11 September 2011 - 05:32 PM

Hello,

I hope someone can help me. MPC has a symptom in that a program C:\Documents and Settings\Susie\Local Settings\Application Data\jscsbfrw\rytflfbn.exe appears to be running at startup. Although I can see the directory jscsbfrw, there appear to be no files in it and when I try and delete the directory, I am not allowed to as apparently it is not empty. I've tried in a DOS box to run attrib -r -s -h rytflfbn.exe and it doesn't fall over with file not found, but still doesn't enable me to see the file.

According to the HijackThis log, the file is being run 3 times - which I think is indeed the case, as I did get it to fall over once, and it came up with the error message 3 times.

When I change the registry setting for userinit, it's changed straight back. If I edit the entry to change the drive letter, then the change sticks, but the filename is being appended again after another comma. I did try getting HijackThis to fix the settings, but the changes didn't stick. I assume it has infected something else, but have no idea what.

I am running PC Tools Spyware Doctor and Malwarebytes (not at the same time), but I have disabled Spyware Doctor for the purpose of trying to fix this. I have run Combofix as it's fixed a similar problem for me on a friend's computer in the past, but this time no luck. OS is XP Professional Service Pack 2.

Interestingly (or not) the computer which has the problem won't let me access any BleepingComputer web page. Recently also the scheduled backups have failed for no reason that I can detect.

I am by trade a software developer, so I know I should know better, but this is now beyond my expertise.

Here is the DDS Log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180
Run by Susie at 13:24:49 on 2011-09-11
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1504.1071 [GMT 1:00]
.
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Reliable Software\Code Co-op\Dispatcher.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = 192.168.0.1:80
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: userinit=c:\windows\system32\userinit.exe,c:\documents and settings\susie\local settings\application data\jscsbfrw\rytflfbn.exe
BHO: DAPHelper Class: {0000cc75-acf3-4cac-a0a9-dd3868e06852} - c:\program files\dap\DAPBHO.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ws_ftp pro\wsbho2k0.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [AJC Active Backup] "c:\program files\ajc software\ajc active backup\AJCActBk.exe" -Online
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [RytFlfbn] c:\documents and settings\susie\local settings\application data\jscsbfrw\rytflfbn.exe
mRun: [SiSUSBRG] "c:\windows\sisUSBrg.exe"
mRun: [SoundMan] "SOUNDMAN.EXE"
mRun: [ASUS Probe] "c:\program files\asus\probe\AsusProb.exe"
mRun: [UPS-Status] "c:\program files\belkin bulldog plus\UPS-Status.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\susie\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\documents and settings\susie\start menu\programs\startup\PowerReg Schedulermgr.exe
StartupFolder: c:\documents and settings\susie\start menu\programs\startup\rytflfbn.exe.ren
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dispat~1.lnk - c:\program files\reliable software\code co-op\Dispatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wetsock.lnk - c:\program files\robomagic\wetsock\wetsock.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
IE: &Download with &DAP - c:\progra~1\dap\dapextie.htm
IE: Download &all with DAP - c:\progra~1\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178107061031
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38114.2423726852
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.16.2
TCP: Interfaces\{1857A21C-EFE1-48AE-B792-C35A3DD90300} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{4A460D7F-6E17-43B1-A188-D7FDFA8A6990} : DhcpNameServer = 192.168.16.2
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\susie\application data\mozilla\firefox\profiles\bntwvlwd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-2-3 207792]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2011-9-7 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2011-9-7 59664]
R1 CBUL32;Measurement Computing DataAcq;c:\windows\system32\drivers\CBUL32.sys [2009-1-22 54048]
R1 EterlogicVirtualSerialDriver;EterlogicVirtualSerialDriver;c:\windows\system32\drivers\VSPE.sys [2011-7-28 25984]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-2-3 233136]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-12-19 47640]
R2 VPCAppSv;Virtual PC Application Services;c:\windows\system32\drivers\VPCAppSv.sys [2002-5-21 10374]
R2 vstor2-mntapi10;Vstor2 MntApi 1.0 Driver;c:\program files\vmware\vmware vcenter converter standalone\vstor2-mntapi10.sys [2009-2-5 22448]
R3 ENE;ENE;c:\windows\system32\drivers\EMCR7SK.sys [2004-5-5 75520]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\susie\locals~1\temp\ynuplfta.sys --> c:\docume~1\susie\locals~1\temp\ynuplfta.sys [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [2009-2-5 27312]
S3 Gisdnpci;ISDN PnP driver;c:\windows\system32\drivers\gisdnpnp.sys --> c:\windows\system32\drivers\gisdnpnp.sys [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-2-3 70408]
S3 PORTMON;PORTMON;\??\c:\program files\portmonitor\portmsys.sys --> c:\program files\portmonitor\PORTMSYS.SYS [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-2-3 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-2-3 1141712]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2011-9-7 33552]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S3 TMUSB;EPSON USB Device Driver for TM/BA/EU Printers;c:\windows\system32\drivers\TMUSBXP.sys [2011-6-16 48384]
S3 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
S3 usbsnoop;USB Snoopy Filter Driver Service;c:\windows\system32\drivers\USBSnoop.sys [2006-6-20 23972]
S3 usbsnpys;USB Snoopy Driver Exposer Service;c:\windows\system32\drivers\USBSnpys.sys [2006-6-20 92544]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 AcronisAgent;Acronis Remote Agent;"c:\program files\common files\acronis\agent\agent.exe" --> c:\program files\common files\acronis\agent\agent.exe [?]
S4 AcronisBackupServerService;Acronis Backup Server Service;"c:\program files\acronis\backupserver\backupserver.exe" --> c:\program files\acronis\backupserver\backupserver.exe [?]
S4 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-2-3 112592]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 TestComplete Service;TestComplete Service;c:\program files\automated qa\testcomplete 4\bin\TestCompleteService.exe [2007-4-17 246236]
S4 vmware-converter-agent;VMware vCenter Converter Agent;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter-a.exe [2009-2-5 428592]
S4 vmware-converter-server;VMware vCenter Converter Server;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter.exe [2009-2-5 428592]
.
=============== File Associations ===============
.
txtfile\shell\editwithsp\command="c:\program files\raize\scratchpad\ScratchPad.exe" "%1"
inifile\shell\editwithsp\command="c:\program files\raize\scratchpad\ScratchPad.exe" "%1"
.
=============== Created Last 30 ================
.
2011-09-10 10:44:22 -------- d-----w- c:\documents and settings\susie\local settings\application data\jscsbfrw
2011-09-10 09:57:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-10 09:57:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-09 11:27:43 -------- d-sha-r- C:\cmdcons
2011-09-09 10:12:30 505861 ----a-r- c:\documents and settings\susie\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-09-09 10:12:29 -------- d-----w- c:\program files\Trend Micro
2011-09-07 17:41:08 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2011-09-07 17:41:08 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2011-09-07 17:41:08 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2011-09-07 12:38:35 -------- d-----w- c:\documents and settings\susie\local settings\application data\PackageAware
2011-09-01 13:11:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-07-28 17:05:48 25984 ------w- c:\windows\system32\drivers\VSPE.sys
2011-06-29 13:23:08 2560 ------w- c:\windows\_MSRSTRT.EXE
2011-06-13 15:17:47 249856 ------w- c:\windows\Setup1.exe
2011-06-13 15:17:46 73216 ------w- c:\windows\ST6UNST.EXE
.
============= FINISH: 13:25:47.31 ===============


And the GMER Log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-11 23:13:16
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c Maxtor_6Y080L0 rev.YAR41BW0
Running: m96tcntb.exe; Driver: C:\DOCUME~1\Susie\LOCALS~1\Temp\uxdyypob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\DOCUME~1\Susie\LOCALS~1\Temp\ynuplfta.sys ZwCreateKey [0xF78216AC]
SSDT \??\C:\DOCUME~1\Susie\LOCALS~1\Temp\ynuplfta.sys ZwOpenKey [0xF7821562]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\System32\DRIVERS\VPCPOWER.SYS entry point in "init" section [0xF79394A0]
? C:\DOCUME~1\Susie\LOCALS~1\Temp\ynuplfta.sys The system cannot find the file specified. !
? C:\DOCUME~1\Susie\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\alg.exe[236] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 202E58C5
.text C:\WINDOWS\System32\alg.exe[236] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 202D9E20
.text C:\WINDOWS\System32\alg.exe[236] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 202E5741
.text C:\WINDOWS\System32\alg.exe[236] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 202E05B7
.text C:\WINDOWS\System32\alg.exe[236] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 202E11A9
.text C:\WINDOWS\System32\alg.exe[236] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 202E14D3
.text C:\WINDOWS\System32\alg.exe[236] WS2_32.dll!send 71AB428A 5 Bytes JMP 202E115B
.text C:\WINDOWS\System32\alg.exe[236] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 202E1630
.text C:\WINDOWS\System32\alg.exe[236] WS2_32.dll!recv 71AB615A 5 Bytes JMP 202E1464
.text C:\WINDOWS\System32\alg.exe[236] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 202E1548
.text C:\WINDOWS\System32\alg.exe[236] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 202E17EC
.text C:\WINDOWS\System32\alg.exe[236] WS2_32.dll!WSARecvFrom 71ABF652 5 Bytes JMP 202E170B
.text C:\WINDOWS\System32\alg.exe[236] WS2_32.dll!WSASendTo 71AC0A95 5 Bytes JMP 202E15B9
? C:\WINDOWS\system32\services.exe[792] time/date stamp mismatch; unknown module: NTDSAPI.dllunknown module: SCESRV.dllunknown module: umpnpmgr.dllunknown module: NCObjAPI.DLL
.text C:\WINDOWS\system32\services.exe[792] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 200B58C5
.text C:\WINDOWS\system32\services.exe[792] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 200A9E20
.text C:\WINDOWS\system32\services.exe[792] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 200B5741
.text C:\WINDOWS\system32\services.exe[792] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B05B7
.text C:\WINDOWS\system32\services.exe[792] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 200B11A9
.text C:\WINDOWS\system32\services.exe[792] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 200B14D3
.text C:\WINDOWS\system32\services.exe[792] WS2_32.dll!send 71AB428A 5 Bytes JMP 200B115B
.text C:\WINDOWS\system32\services.exe[792] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 200B1630
.text C:\WINDOWS\system32\services.exe[792] WS2_32.dll!recv 71AB615A 5 Bytes JMP 200B1464
.text C:\WINDOWS\system32\services.exe[792] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 200B1548
.text C:\WINDOWS\system32\services.exe[792] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 200B17EC
.text C:\WINDOWS\system32\services.exe[792] WS2_32.dll!WSARecvFrom 71ABF652 5 Bytes JMP 200B170B
.text C:\WINDOWS\system32\services.exe[792] WS2_32.dll!WSASendTo 71AC0A95 5 Bytes JMP 200B15B9
.text C:\WINDOWS\system32\lsass.exe[804] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 200B58C5
.text C:\WINDOWS\system32\lsass.exe[804] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 200A9E20
.text C:\WINDOWS\system32\lsass.exe[804] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 200B5741
.text C:\WINDOWS\system32\lsass.exe[804] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B05B7
.text C:\WINDOWS\system32\lsass.exe[804] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 200B11A9
.text C:\WINDOWS\system32\lsass.exe[804] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 200B14D3
.text C:\WINDOWS\system32\lsass.exe[804] WS2_32.dll!send 71AB428A 5 Bytes JMP 200B115B
.text C:\WINDOWS\system32\lsass.exe[804] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 200B1630
.text C:\WINDOWS\system32\lsass.exe[804] WS2_32.dll!recv 71AB615A 5 Bytes JMP 200B1464
.text C:\WINDOWS\system32\lsass.exe[804] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 200B1548
.text C:\WINDOWS\system32\lsass.exe[804] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 200B17EC
.text C:\WINDOWS\system32\lsass.exe[804] WS2_32.dll!WSARecvFrom 71ABF652 5 Bytes JMP 200B170B
.text C:\WINDOWS\system32\lsass.exe[804] WS2_32.dll!WSASendTo 71AC0A95 5 Bytes JMP 200B15B9
? C:\WINDOWS\system32\svchost.exe[968] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 202E58C5
.text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 202D9E20
.text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 202E5741
.text C:\WINDOWS\system32\svchost.exe[968] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 202E05B7
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 202E11A9
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 202E14D3
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!send 71AB428A 5 Bytes JMP 202E115B
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 202E1630
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!recv 71AB615A 5 Bytes JMP 202E1464
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 202E1548
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 202E17EC
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!WSARecvFrom 71ABF652 5 Bytes JMP 202E170B
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!WSASendTo 71AC0A95 5 Bytes JMP 202E15B9
? C:\WINDOWS\system32\svchost.exe[1036] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 202E58C5
.text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 202D9E20
.text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 202E5741
.text C:\WINDOWS\system32\svchost.exe[1036] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 202E05B7
.text C:\WINDOWS\system32\svchost.exe[1036] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 202E11A9
.text C:\WINDOWS\system32\svchost.exe[1036] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 202E14D3
.text C:\WINDOWS\system32\svchost.exe[1036] WS2_32.dll!send 71AB428A 5 Bytes JMP 202E115B
.text C:\WINDOWS\system32\svchost.exe[1036] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 202E1630
.text C:\WINDOWS\system32\svchost.exe[1036] WS2_32.dll!recv 71AB615A 5 Bytes JMP 202E1464
.text C:\WINDOWS\system32\svchost.exe[1036] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 202E1548
.text C:\WINDOWS\system32\svchost.exe[1036] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 202E17EC
.text C:\WINDOWS\system32\svchost.exe[1036] WS2_32.dll!WSARecvFrom 71ABF652 5 Bytes JMP 202E170B
.text C:\WINDOWS\system32\svchost.exe[1036] WS2_32.dll!WSASendTo 71AC0A95 5 Bytes JMP 202E15B9
? C:\WINDOWS\System32\svchost.exe[1132] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 202E58C5
.text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 202D9E20
.text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 202E5741
.text C:\WINDOWS\System32\svchost.exe[1132] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 202E05B7
.text C:\WINDOWS\System32\svchost.exe[1132] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 202E11A9
.text C:\WINDOWS\System32\svchost.exe[1132] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 202E14D3
.text C:\WINDOWS\System32\svchost.exe[1132] WS2_32.dll!send 71AB428A 5 Bytes JMP 202E115B
.text C:\WINDOWS\System32\svchost.exe[1132] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 202E1630
.text C:\WINDOWS\System32\svchost.exe[1132] WS2_32.dll!recv 71AB615A 5 Bytes JMP 202E1464
.text C:\WINDOWS\System32\svchost.exe[1132] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 202E1548
.text C:\WINDOWS\System32\svchost.exe[1132] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 202E17EC
.text C:\WINDOWS\System32\svchost.exe[1132] WS2_32.dll!WSARecvFrom 71ABF652 5 Bytes JMP 202E170B
.text C:\WINDOWS\System32\svchost.exe[1132] WS2_32.dll!WSASendTo 71AC0A95 5 Bytes JMP 202E15B9
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!HttpOpenRequestA 771C36AD 5 Bytes JMP 202E2921
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetCloseHandle 771C4D6C 5 Bytes JMP 202E1EC1
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 202E297B
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!HttpSendRequestA 771C6249 5 Bytes JMP 202E1E2D
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetReadFile 771C80F4 5 Bytes JMP 202E2866
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!HttpSendRequestExW 771CE9C1 5 Bytes JMP 202E1DA1
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!HttpOpenRequestW 771CF3F9 5 Bytes JMP 202E294E
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 202E29A2
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 202E2547
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetReadFileExW 771F7459 5 Bytes JMP 202E274B
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetWriteFile 771F7C19 5 Bytes JMP 202E1E94
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetReadFileExA 771F8160 5 Bytes JMP 202E26A4
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!HttpSendRequestW 77211D24 5 Bytes JMP 202E1E62
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!HttpSendRequestExA 77211E29 5 Bytes JMP 202E1DE7
? C:\WINDOWS\System32\svchost.exe[1204] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 200B58C5
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 200A9E20
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 200B5741
.text C:\WINDOWS\System32\svchost.exe[1204] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B05B7
.text C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 200B11A9
.text C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 200B14D3
.text C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!send 71AB428A 5 Bytes JMP 200B115B
.text C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 200B1630
.text C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!recv 71AB615A 5 Bytes JMP 200B1464
.text C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 200B1548
.text C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 200B17EC
.text C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!WSARecvFrom 71ABF652 5 Bytes JMP 200B170B
.text C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!WSASendTo 71AC0A95 5 Bytes JMP 200B15B9
? C:\WINDOWS\system32\svchost.exe[1320] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 202E58C5
.text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 202D9E20
.text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 202E5741
.text C:\WINDOWS\system32\svchost.exe[1320] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 202E05B7
.text C:\WINDOWS\system32\svchost.exe[1320] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 202E11A9
.text C:\WINDOWS\system32\svchost.exe[1320] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 202E14D3
.text C:\WINDOWS\system32\svchost.exe[1320] WS2_32.dll!send 71AB428A 5 Bytes JMP 202E115B
.text C:\WINDOWS\system32\svchost.exe[1320] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 202E1630
.text C:\WINDOWS\system32\svchost.exe[1320] WS2_32.dll!recv 71AB615A 5 Bytes JMP 202E1464
.text C:\WINDOWS\system32\svchost.exe[1320] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 202E1548
.text C:\WINDOWS\system32\svchost.exe[1320] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 202E17EC
.text C:\WINDOWS\system32\svchost.exe[1320] WS2_32.dll!WSARecvFrom 71ABF652 5 Bytes JMP 202E170B
.text C:\WINDOWS\system32\svchost.exe[1320] WS2_32.dll!WSASendTo 71AC0A95 5 Bytes JMP 202E15B9
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!HttpOpenRequestA 771C36AD 5 Bytes JMP 202E2921
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetCloseHandle 771C4D6C 5 Bytes JMP 202E1EC1
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 202E297B
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!HttpSendRequestA 771C6249 5 Bytes JMP 202E1E2D
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetReadFile 771C80F4 5 Bytes JMP 202E2866
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!HttpSendRequestExW 771CE9C1 5 Bytes JMP 202E1DA1
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!HttpOpenRequestW 771CF3F9 5 Bytes JMP 202E294E
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 202E29A2
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 202E2547
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetReadFileExW 771F7459 5 Bytes JMP 202E274B
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetWriteFile 771F7C19 5 Bytes JMP 202E1E94
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetReadFileExA 771F8160 5 Bytes JMP 202E26A4
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!HttpSendRequestW 77211D24 5 Bytes JMP 202E1E62
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!HttpSendRequestExA 77211E29 5 Bytes JMP 202E1DE7
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 202E58C5
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 202D9E20
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 202E5741
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 202E05B7
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 202E11A9
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 202E14D3
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WS2_32.dll!send 71AB428A 5 Bytes JMP 202E115B
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 202E1630
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WS2_32.dll!recv 71AB615A 5 Bytes JMP 202E1464
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 202E1548
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 202E17EC
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WS2_32.dll!WSARecvFrom 71ABF652 5 Bytes JMP 202E170B
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WS2_32.dll!WSASendTo 71AC0A95 5 Bytes JMP 202E15B9
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WININET.dll!HttpOpenRequestA 771C36AD 5 Bytes JMP 202E2921
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WININET.dll!InternetCloseHandle 771C4D6C 5 Bytes JMP 202E1EC1
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 202E297B
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WININET.dll!HttpSendRequestA 771C6249 5 Bytes JMP 202E1E2D
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WININET.dll!InternetReadFile 771C80F4 5 Bytes JMP 202E2866
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WININET.dll!HttpSendRequestExW 771CE9C1 5 Bytes JMP 202E1DA1
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WININET.dll!HttpOpenRequestW 771CF3F9 5 Bytes JMP 202E294E
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 202E29A2
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 202E2547
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WININET.dll!InternetReadFileExW 771F7459 5 Bytes JMP 202E274B
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WININET.dll!InternetWriteFile 771F7C19 5 Bytes JMP 202E1E94
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WININET.dll!InternetReadFileExA 771F8160 5 Bytes JMP 202E26A4
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WININET.dll!HttpSendRequestW 77211D24 5 Bytes JMP 202E1E62
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1344] WININET.dll!HttpSendRequestExA 77211E29 5 Bytes JMP 202E1DE7
.text C:\WINDOWS\system32\spoolsv.exe[1476] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 202E58C5
.text C:\WINDOWS\system32\spoolsv.exe[1476] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 202D9E20
.text C:\WINDOWS\system32\spoolsv.exe[1476] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 202E5741
.text C:\WINDOWS\system32\spoolsv.exe[1476] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 202E05B7
.text C:\WINDOWS\system32\spoolsv.exe[1476] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 202E11A9
.text C:\WINDOWS\system32\spoolsv.exe[1476] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 202E14D3
.text C:\WINDOWS\system32\spoolsv.exe[1476] WS2_32.dll!send 71AB428A 5 Bytes JMP 202E115B
.text C:\WINDOWS\system32\spoolsv.exe[1476] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 202E1630
.text C:\WINDOWS\system32\spoolsv.exe[1476] WS2_32.dll!recv 71AB615A 5 Bytes JMP 202E1464
.text C:\WINDOWS\system32\spoolsv.exe[1476] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 202E1548
.text C:\WINDOWS\system32\spoolsv.exe[1476] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 202E17EC
.text C:\WINDOWS\system32\spoolsv.exe[1476] WS2_32.dll!WSARecvFrom 71ABF652 5 Bytes JMP 202E170B
.text C:\WINDOWS\system32\spoolsv.exe[1476] WS2_32.dll!WSASendTo 71AC0A95 5 Bytes JMP 202E15B9
.text C:\WINDOWS\System32\inetsrv\inetinfo.exe[1608] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 202E58C5
.text C:\WINDOWS\System32\inetsrv\inetinfo.exe[1608] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 202D9E20
.text C:\WINDOWS\System32\inetsrv\inetinfo.exe[1608] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 202E5741
.text C:\WINDOWS\System32\inetsrv\inetinfo.exe[1608] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 202E05B7
.text C:\WINDOWS\System32\inetsrv\inetinfo.exe[1608] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 202E11A9
.text C:\WINDOWS\System32\inetsrv\inetinfo.exe[1608] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 202E14D3
.text C:\WINDOWS\System32\inetsrv\inetinfo.exe[1608] WS2_32.dll!send 71AB428A 5 Bytes JMP 202E115B
.text C:\WINDOWS\System32\inetsrv\inetinfo.exe[1608] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 202E1630
.text C:\WINDOWS\System32\inetsrv\inetinfo.exe[1608] WS2_32.dll!recv 71AB615A 5 Bytes JMP 202E1464
.text C:\WINDOWS\System32\inetsrv\inetinfo.exe[1608] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 202E1548
.text C:\WINDOWS\System32\inetsrv\inetinfo.exe[1608] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 202E17EC
.text C:\WINDOWS\System32\inetsrv\inetinfo.exe[1608] WS2_32.dll!WSARecvFrom 71ABF652 5 Bytes JMP 202E170B
.text C:\WINDOWS\System32\inetsrv\inetinfo.exe[1608] WS2_32.dll!WSASendTo 71AC0A95 5 Bytes JMP 202E15B9
.text C:\WINDOWS\SOUNDMAN.EXE[1684] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 200B58C5
.text C:\WINDOWS\SOUNDMAN.EXE[1684] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 200A9E20
.text C:\WINDOWS\SOUNDMAN.EXE[1684] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 200B5741
.text C:\WINDOWS\SOUNDMAN.EXE[1684] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B05B7
? C:\WINDOWS\System32\svchost.exe[1748] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 202E58C5
.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 202D9E20
.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 202E5741
.text C:\WINDOWS\System32\svchost.exe[1748] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 202E05B7
? C:\WINDOWS\Explorer.EXE[1852] time/date stamp mismatch; unknown module: WINMM.dllunknown module: SETUPAPI.dllunknown module: WINSTA.dllunknown module: OLEACC.dllunknown module: OLEAUT32.dllunknown module: BROWSEUI.dllunknown module: SHDOCVW.dllunknown module: UxTheme.dll
.text C:\WINDOWS\Explorer.EXE[1852] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 202E58C5
.text C:\WINDOWS\Explorer.EXE[1852] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 202D9E20
.text C:\WINDOWS\Explorer.EXE[1852] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 202E5741
.text C:\WINDOWS\Explorer.EXE[1852] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 202E05B7
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!HttpOpenRequestA 771C36AD 5 Bytes JMP 202E2921
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!InternetCloseHandle 771C4D6C 5 Bytes JMP 202E1EC1
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 202E297B
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!HttpSendRequestA 771C6249 5 Bytes JMP 202E1E2D
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!InternetReadFile 771C80F4 5 Bytes JMP 202E2866
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!HttpSendRequestExW 771CE9C1 5 Bytes JMP 202E1DA1
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!HttpOpenRequestW 771CF3F9 5 Bytes JMP 202E294E
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 202E29A2
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 202E2547
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!InternetReadFileExW 771F7459 5 Bytes JMP 202E274B
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!InternetWriteFile 771F7C19 5 Bytes JMP 202E1E94
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!InternetReadFileExA 771F8160 5 Bytes JMP 202E26A4
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!HttpSendRequestW 77211D24 5 Bytes JMP 202E1E62
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!HttpSendRequestExA 77211E29 5 Bytes JMP 202E1DE7
.text C:\WINDOWS\Explorer.EXE[1852] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 202E11A9
.text C:\WINDOWS\Explorer.EXE[1852] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 202E14D3
.text C:\WINDOWS\Explorer.EXE[1852] WS2_32.dll!send 71AB428A 5 Bytes JMP 202E115B
.text C:\WINDOWS\Explorer.EXE[1852] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 202E1630
.text C:\WINDOWS\Explorer.EXE[1852] WS2_32.dll!recv 71AB615A 5 Bytes JMP 202E1464
.text C:\WINDOWS\Explorer.EXE[1852] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 202E1548
.text C:\WINDOWS\Explorer.EXE[1852] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 202E17EC
.text C:\WINDOWS\Explorer.EXE[1852] WS2_32.dll!WSARecvFrom 71ABF652 5 Bytes JMP 202E170B
.text C:\WINDOWS\Explorer.EXE[1852] WS2_32.dll!WSASendTo 71AC0A95 5 Bytes JMP 202E15B9
.text C:\Documents and Settings\Susie\Desktop\m96tcntb.exe[1872] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 203258C5
.text C:\Documents and Settings\Susie\Desktop\m96tcntb.exe[1872] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 20319E20
.text C:\Documents and Settings\Susie\Desktop\m96tcntb.exe[1872] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 20325741
.text C:\Documents and Settings\Susie\Desktop\m96tcntb.exe[1872] user32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 203205B7
.text C:\Program Files\Reliable Software\Code Co-op\Dispatcher.exe[2064] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 202E58C5
.text C:\Program Files\Reliable Software\Code Co-op\Dispatcher.exe[2064] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 202D9E20
.text C:\Program Files\Reliable Software\Code Co-op\Dispatcher.exe[2064] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 202E5741
.text C:\Program Files\Reliable Software\Code Co-op\Dispatcher.exe[2064] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 202E05B7
.text C:\WINDOWS\system32\svchost.exe[2160] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 200658C5
.text C:\WINDOWS\system32\svchost.exe[2160] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 20059E20
.text C:\WINDOWS\system32\svchost.exe[2160] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 20065741
.text C:\WINDOWS\system32\svchost.exe[2160] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200605B7
.text C:\WINDOWS\system32\svchost.exe[2160] ws2_32.dll!sendto 71AB2C69 5 Bytes JMP 200611A9
.text C:\WINDOWS\system32\svchost.exe[2160] ws2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 200614D3
.text C:\WINDOWS\system32\svchost.exe[2160] ws2_32.dll!send 71AB428A 5 Bytes JMP 2006115B
.text C:\WINDOWS\system32\svchost.exe[2160] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 20061630
.text C:\WINDOWS\system32\svchost.exe[2160] ws2_32.dll!recv 71AB615A 5 Bytes JMP 20061464
.text C:\WINDOWS\system32\svchost.exe[2160] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 20061548
.text C:\WINDOWS\system32\svchost.exe[2160] ws2_32.dll!closesocket 71AB9639 5 Bytes JMP 200617EC
.text C:\WINDOWS\system32\svchost.exe[2160] ws2_32.dll!WSARecvFrom 71ABF652 5 Bytes JMP 2006170B
.text C:\WINDOWS\system32\svchost.exe[2160] ws2_32.dll!WSASendTo 71AC0A95 5 Bytes JMP 200615B9
.text C:\WINDOWS\regedit.exe[4048] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 203258C5
.text C:\WINDOWS\regedit.exe[4048] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 20319E20
.text C:\WINDOWS\regedit.exe[4048] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 20325741
.text C:\WINDOWS\regedit.exe[4048] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 203205B7

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryCount 9
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@TypesSupported 28
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Channel 5120
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Device 4352
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Directory 4368
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Event 4384
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@File 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Job 5136
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Key 4432
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Port 4464
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Process 4480
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Profile 4496
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Section 4512
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Thread 4560
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Timer 4576
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Token 4592
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Type 4608
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\DS\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\LSA\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\NetDDE Object\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\SC Manager\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security@CategoryCount 9
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security@TypesSupported 28
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Channel 5120
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Device 4352
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Directory 4368
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Event 4384
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@File 4416
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Job 5136
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Key 4432
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Port 4464
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Process 4480
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Profile 4496
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Section 4512
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Thread 4560
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Timer 4576
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Token 4592
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Type 4608
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Spooler\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912
Reg HKLM\SYSTEM\RAdmin\v2.0
Reg HKLM\SYSTEM\RAdmin\v2.0\
Reg HKLM\SYSTEM\RAdmin\v2.0\
Reg HKLM\SYSTEM\RAdmin\v2.0\@\0\0\17 ???????
Reg HKLM\SYSTEM\RAdmin\v2.0\
Reg HKLM\SYSTEM\RAdmin\v2.0\@\0\0\17 ???????
Reg HKLM\SYSTEM\RAdmin\v2.0\
Reg HKLM\SYSTEM\RAdmin\v2.0\@\0\0\t 0xAC 0x1D 0x3E 0x20 ...
Reg HKLM\SYSTEM\RAdmin\v2.0\@\0\0\n 1
Reg HKLM\SYSTEM\RAdmin\v2.0\@\0\0\f\1 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\RAdmin\v2.0\
Reg HKLM\SYSTEM\RAdmin\v2.0\@\0\0\17 ???????

---- Files - GMER 1.0.15 ----

File C:\System Volume Information\_restore{31A3D66E-BD17-42A6-BE57-791B30662021}\RP1388\A0215136.exe 901632 bytes
File C:\System Volume Information\_restore{31A3D66E-BD17-42A6-BE57-791B30662021}\RP1388\A0215137.exe 583168 bytes
File C:\System Volume Information\_restore{31A3D66E-BD17-42A6-BE57-791B30662021}\RP1388\A0215138.exe 380928 bytes
File C:\System Volume Information\_restore{31A3D66E-BD17-42A6-BE57-791B30662021}\RP1388\A0215139.exe 617472 bytes
File C:\System Volume Information\_restore{31A3D66E-BD17-42A6-BE57-791B30662021}\RP1388\A0215140.exe 524288 bytes
File C:\System Volume Information\_restore{31A3D66E-BD17-42A6-BE57-791B30662021}\RP1388\A0215141.EXE 1940992 bytes
File C:\System Volume Information\_restore{31A3D66E-BD17-42A6-BE57-791B30662021}\RP1388\A0215142.exe 2589696 bytes
File C:\System Volume Information\_restore{31A3D66E-BD17-42A6-BE57-791B30662021}\RP1388\A0215143.exe 2385408 bytes
File C:\System Volume Information\_restore{31A3D66E-BD17-42A6-BE57-791B30662021}\RP1388\A0215144.exe 2607616 bytes
File C:\System Volume Information\_restore{31A3D66E-BD17-42A6-BE57-791B30662021}\RP1388\A0215145.exe 531456 bytes
File C:\System Volume Information\_restore{31A3D66E-BD17-42A6-BE57-791B30662021}\RP1388\A0215146.dll 547328 bytes
File C:\System Volume Information\_restore{31A3D66E-BD17-42A6-BE57-791B30662021}\RP1388\A0215147.exe 2201088 bytes
File C:\Documents and Settings\Susie\Local Settings\Application Data\jscsbfrw\rytflfbn.exe 114738 bytes executable
File C:\Documents and Settings\Susie\Local Settings\Application Data\jscsbfrw\rytflfbn.exe.ren 114738 bytes executable
File C:\Documents and Settings\Susie\Local Settings\Application Data\jscsbfrw\rytflfbn.exe.ren.ren 114738 bytes executable

---- EOF - GMER 1.0.15 ----

Thanks in anticipation.
Susie
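A triage helper for the GMER log above, added here as an example (it is not GMER's code and not part of the original post). It parses the ".text ... JMP" inline-hook lines, finds the hook set shared by every process, and checks whether the jump targets in each process sit at the same relative offsets, which is what you see when one injected payload has been mapped into every process at a different base. A user-mode hook on ntdll!NtQueryDirectoryFile of this kind is also the sort of thing that can make a directory look empty while it still cannot be deleted. The sample lines are copied from the log; the "?" warning line is kept to show that it is skipped.

```python
"""Summarise the ".text ... JMP" inline-hook lines of a GMER 1.0.15 log.

Added example for this thread, not GMER's own code. Sample lines are copied
from the log above; the '?' warning line is skipped rather than parsed.
"""
import re
from collections import defaultdict

# One hook line: .text <image>[<pid>] <module>!<func> <addr> <n> Bytes JMP <target>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)

SAMPLE_LOG = r"""
? C:\WINDOWS\System32\svchost.exe[1748] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 202E58C5
.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 202D9E20
.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 202E5741
.text C:\WINDOWS\System32\svchost.exe[1748] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 202E05B7
.text C:\WINDOWS\Explorer.EXE[1852] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 202E58C5
.text C:\WINDOWS\Explorer.EXE[1852] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 202D9E20
.text C:\WINDOWS\Explorer.EXE[1852] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 202E5741
.text C:\WINDOWS\Explorer.EXE[1852] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 202E05B7
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!HttpSendRequestA 771C6249 5 Bytes JMP 202E1E2D
.text C:\WINDOWS\Explorer.EXE[1852] WS2_32.dll!send 71AB428A 5 Bytes JMP 202E115B
.text C:\Documents and Settings\Susie\Desktop\m96tcntb.exe[1872] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 203258C5
.text C:\Documents and Settings\Susie\Desktop\m96tcntb.exe[1872] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 20319E20
.text C:\Documents and Settings\Susie\Desktop\m96tcntb.exe[1872] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 20325741
.text C:\Documents and Settings\Susie\Desktop\m96tcntb.exe[1872] user32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 203205B7
"""


def parse_gmer_hooks(text):
    """One dict per inline hook; headers and '?' warning lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m is None:
            continue
        hooks.append({
            "image": m["image"],
            "pid": int(m["pid"]),
            # module name case varies between processes (USER32 / user32)
            "symbol": f"{m['module'].lower()}!{m['func']}",
            "addr": int(m["addr"], 16),
            "size": int(m["size"]),
            "target": int(m["target"], 16),
        })
    return hooks


def hooks_by_process(hooks):
    """{(image, pid): {symbol: jump target}}"""
    by_proc = defaultdict(dict)
    for h in hooks:
        by_proc[(h["image"], h["pid"])][h["symbol"]] = h["target"]
    return dict(by_proc)


def common_hooks(by_proc):
    """Symbols hooked in every listed process: the injector's baseline set."""
    sets = [set(targets) for targets in by_proc.values()]
    return set.intersection(*sets) if sets else set()


def payload_layouts(by_proc, symbols):
    """Per process, the jump targets of `symbols` relative to the lowest one.

    Targets inside a single injected region keep the same relative offsets
    wherever that region is mapped, so identical layouts across processes
    mean the same payload was injected into each of them.
    """
    if not symbols:
        return {}
    layouts = {}
    for proc, targets in by_proc.items():
        base = min(targets[s] for s in symbols)
        layouts[proc] = frozenset((s, targets[s] - base) for s in sorted(symbols))
    return layouts


def summarize(text):
    hooks = parse_gmer_hooks(text)
    by_proc = hooks_by_process(hooks)
    common = common_hooks(by_proc)
    layouts = payload_layouts(by_proc, common)
    return {
        "hooks": len(hooks),
        "processes": len(by_proc),
        "common": sorted(common),
        "distinct_layouts": len(set(layouts.values())),
        # hooks beyond the baseline, e.g. the WININET/WS2_32 hooks on Explorer
        "extra": {p: sorted(set(t) - common) for p, t in by_proc.items() if set(t) - common},
    }
```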



#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:56 PM

Posted 16 September 2011 - 03:34 PM

Hello and welcome to BleepingComputer! :)



I am Blind Faith and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are designed to identify the possible threats present on your system, so I will analyze the results they produce.


As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed, so we need to get a clear look at that first. DO NOT make any changes to the system except the ones I tell you to, as that may do more damage than help us.

If you will encounter a delay of over 2 days from me, please don't hesitate and private message me.
Do not forget to check your topic periodically and subscribe to the topic so that you can receive notifications regarding my replies.



Please generate another DDS log (download it from here if you haven't already) and post it in your next reply along with other changes that may have occurred since you last posted.
Also download and run GMER from this link: GMER download link.



Thank you very much for your patience.




Regards,

Elle
Can you hear it?It's all around!

Tomar ki man acch?
Yadi thak, tahal
Ki kshama kart paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 SueCB

SueCB
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:England
  • Local time:11:56 AM

Posted 18 September 2011 - 11:59 AM

Hi Elle,

Thanks very much for your reply. Since originally posting the information I've managed, with a lot of trial and error, to move on a bit.

I watched Mark Russinovich's anti-malware video from TechEd 2006, and that gave me some ideas. I've used a combination of Process Explorer and Autorun from SysInternals and IceSword, to get to a point where I could actually delete the rogue files. I discovered that a program called ExplorerMgr was launching 2 srvhost processes. If I suspended the processes (deleting it caused immediate re-creation) I was then able to use IceSword to fix the hijacked function calls in explorer, NT Kernel and other system processes. Once the explorer was fixed, I could delete the rogue files. Once the hijacked registry access functions were fixed, I could fix the registry entries for HKLM...userinit and the autorun ones. I also deleted pretty much everything on the machine which was called *mgr.exe as they appeared to be new executables which were the launchpad for the malware. Doing a binary comparison of a couple of directories on the PC with the same directory on another machine showed that most of the executables had a chunk of stuff appended to the end which wasn't there in the original.

Fascinatingly also, there were a load of temporary files in docs and settings\user\local files\temp and application data which when loaded into notepad or a hex editor, gave me clues as to where to look for malware.

Once I'd done the above, I was able to update the machine to XP Service Pack 3, and that enabled me to load the latest version of BitDefender 2012 (selected for its high rating and Linux rescue mode). To my great surprise, BitDefender actually disinfected most of the problem files (it said they were Malware.Ramnit.N) and quarantined a few others. I had manually fixed what I could using BeyondCompare across the network to replace infected files, but I expected to lose the rest and have to reinstall so that was a pleasant surprise after a frustrating week.

I'm not completely sure that the machine is totally clean yet. But I'm going to investigate BitDefender's Rescue Mode next as it will hopefully enable any underlying Windows issues to be fixed.

I would like to post the DDS and GMER logs for you to give me a second opinion, but I'm heading out to Ireland for a week, so I won't be able to progress this until I get back. If you'd like to give me any pointers of things I may have missed/need to do next, I can do some research while I'm away.

With thanks
Best regards
Susie
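The binary comparison Susie describes above (most executables had a chunk appended to the end that the clean copy lacked), as an added example that is not code from the original post or from any tool named in it. It measures the data that sits beyond what the PE section table accounts for, which works even without a clean copy, and classifies a suspect file against a known-good copy, distinguishing "appended only" from "patched inside". The PE image and its builder are constructed in memory for the example and are not a real program.

```python
"""Check a suspect executable against a known-good copy for appended data.

Added example for this thread, not code from the original poster or from
any tool named in it. A minimal PE32 image is constructed in memory so the
checks run offline; it parses like a real file but is not a runnable program.
"""
import struct


def pe_data_end(data: bytes) -> int:
    """File offset just past the last section's raw data, i.e. the end of the
    image as the PE headers describe it. Raises ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                      # section table start
    end = table + num_sections * 40                   # at least the headers
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData live at +16 in each 40-byte entry
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def overlay_size(data: bytes) -> int:
    """Bytes after the last section. A file infector that appends its body
    shows up here even when no clean copy is available for comparison."""
    return max(0, len(data) - pe_data_end(data))


def compare_with_known_good(clean: bytes, suspect: bytes) -> dict:
    """Classify `suspect` against `clean`.

    'appended' is the number of trailing bytes on top of a byte-identical
    copy of the clean file, or None when bytes inside the original were
    changed as well (a size comparison alone would miss that case).
    """
    identical = clean == suspect
    if identical:
        appended = 0
    elif suspect.startswith(clean):
        appended = len(suspect) - len(clean)
    else:
        appended = None
    return {
        "identical": identical,
        "appended": appended,
        "overlay_bytes": overlay_size(suspect),
    }


def build_minimal_pe(section_bytes: bytes) -> bytes:
    """Constructed sample: a PE32 with one .text section at file offset 0x200."""
    e_lfanew, opt_size, raw_ptr = 0x40, 224, 0x200
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)        # PE32 magic
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/linenumber pointers and counts, Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
                          len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\0\0" + coff + optional + section)
    image += b"\0" * (raw_ptr - len(image))           # pad headers to file alignment
    return bytes(image + section_bytes)


# Constructed samples: a clean image, the same image with 300 bytes appended
# (what an appending file infector leaves behind), and one patched in place.
CLEAN = build_minimal_pe(b"\x90" * 512)
APPENDED = CLEAN + b"\xcc" * 300
PATCHED = CLEAN[:600] + b"\xeb" + CLEAN[601:]
```

To use it on real files, read the suspect and the known-good copy from another machine as bytes and pass them to compare_with_known_good; a positive overlay on a file that has none in its clean counterpart is the signal Susie saw in her comparison.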

#4 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:56 PM

Posted 20 September 2011 - 09:32 AM

Hi,




I'm afraid I have very bad news.

Win32/Ramnit (and related variants) is a dangerous file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
Reimaging the system
Restoring the entire system using a full system backup from before the backdoor infection
Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what security expert miekiemoes has to say: Virut and other File infectors - Throwing in the Towel?

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Elle
If I haven't replied in 48 hours, please feel free to send me a PM.


#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:56 PM

Posted 27 September 2011 - 03:17 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft