Ransomware infection, changed all my file names to .crypt extension


  • This topic is locked This topic is locked
3 replies to this topic

#1 farawayz

Posted 01 July 2012 - 10:12 PM

I came home the other day and unlocked my PC (I rarely use it) and saw a blue screen that could not be minimized, etc., that had the text pasted below. I did some searches on the net and used a combination of Microsoft Security Essentials, MalwareBytes and HitManPro to attempt to remove it - I don't think I came close. It named a ton of files (photos, office docs, etc.) with a .crypt extension, including those files on my Dropbox!

I have two options:
1) If Dropbox can restore my files, then I think it's best to just wipe the hard drive and start fresh. If I go this route, are there any steps I should take to ensure this hard drive is truly wiped? I would prefer not to, because I have no idea where my Windows 7 DVD is.
2) Get your wonderful and generous help!

Thanks so much in advance!

Ransomware Message Text
Our automated system Walter Copyright Active Protection (WCAP) detected Digital
Millennium Copyright Act (DMCA) infringement.

On your computer was found the evidences of illegal content use (audio, video, games,
software etc.) protected by the Copyright Law.

Your computer was BLOCKED; all important files were BLOCKED by means of AES
encryption methods.

After the payment of the penalty fee all non-paid content can be considered as "Licensed".
You can unblock your computer and file by completing three easy steps.

STEP 1: Buy a MoneyPak in amount of $100 at the nearest store.

STEP 2: Send as an e-mail at wcapllc@yahoo.com. Indicate your WCAP ID in the message
title and provide MoneyPak number.

STEP 3: Check your e-mail. We will send you Unlock code once payment is verified. Your
computer will roll back to the ordinary state.

WARNING!!!: If you don't pay fine within 72 HOURS at the amount of 100.00 USD, all your
computer data will be deleted.

DDS Text:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by v at 22:02:59 on 2012-07-01
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3063.1937 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Users\v\AppData\Local\Akamai\netsession_win.exe
C:\Users\v\AppData\Local\Google\Update\1.3.21.111\GoogleCrashHandler.exe
C:\Users\v\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Users\v\AppData\Local\Akamai\netsession_win.exe
C:\Users\v\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\GmoteServer\GmoteServer.exe
C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe
C:\Program Files\TechSmith\Snagit 10\TSCHelp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\TechSmith\Snagit 10\snagiteditor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\v\AppData\Roaming\Juniper Networks\Setup Client\JuniperSetupClient.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local;<local>
uWindows: Load=c:\users\v\locals~1\temp\msealci.com
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 10\SnagitBHO.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Google Update] "c:\users\v\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Akamai NetSession Interface] "c:\users\v\appdata\local\akamai\netsession_win.exe"
uRun: [Fmoaof] c:\users\v\appdata\roaming\Fmoaof.exe
uRun: [Spotify Web Helper] "c:\users\v\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
uRun: [vsdsrv] "c:\users\v\appdata\roaming\vsdsrv32.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\v\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\v\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\v\appdata\roaming\micros~1\windows\startm~1\programs\startup\gmotes~1.lnk - c:\program files\gmoteserver\GmoteServer.exe
StartupFolder: c:\users\v\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech touch mouse server\iTouch-Server-Win.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 10\Snagit32.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: db.com
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://us.dbrasweb.db.com/,DanaInfo=msgm2201.gslb.db.com,ST=1+/iNotes6W.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://us.dbrasweb.db.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{583B7922-71BA-4166-8B6A-39B60D07ADFC} : DhcpNameServer = 192.168.0.1
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\v\appdata\roaming\mozilla\firefox\profiles\s0psjots.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\users\v\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\users\v\appdata\roaming\mozilla\firefox\profiles\s0psjots.default\extensions\{9eb34849-81d3-4841-939d-666d522b889a}\plugins\npSlingPlayer.dll
FF - plugin: c:\users\v\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\v\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-11-6 64512]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]
R1 MpKsl830e4340;MpKsl830e4340;c:\programdata\microsoft\microsoft antimalware\definition updates\{6e59f2ce-7e21-4f45-969d-99720f5d0f60}\MpKsl830e4340.sys [2012-7-1 29904]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2152152]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-30 654408]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-9-25 93960]
R3 DLXPDisplayName;DLXPDisplayName;c:\windows\system32\drivers\DLACPI.sys [2007-5-17 14656]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-8-18 15232]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-30 22344]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-12-19 249888]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-10 250056]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\fxxandroidusb.sys [2010-3-30 25728]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 hitmanpro36;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2012-6-30 27424]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-7 113120]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 qcusbser;Qualcomm USB Device for Legacy Serial Communication;c:\windows\system32\drivers\fxx\qcusbser.sys [2010-3-30 103424]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-7-30 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-30 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-30 1343400]
.
=============== Created Last 30 ================
.
2012-07-01 17:18:47 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{6e59f2ce-7e21-4f45-969d-99720f5d0f60}\offreg.dll
2012-07-01 17:18:47 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{6e59f2ce-7e21-4f45-969d-99720f5d0f60}\MpKsl830e4340.sys
2012-07-01 17:15:56 6762896 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{6e59f2ce-7e21-4f45-969d-99720f5d0f60}\mpengine.dll
2012-06-30 16:05:49 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-06-30 15:57:03 44544 ----a-w- c:\windows\system32\kcodk.exe
2012-06-30 15:50:36 -------- d-----w- c:\programdata\HitmanPro
2012-06-30 15:50:13 -------- d-----w- c:\users\v\appdata\roaming\Malwarebytes
2012-06-30 15:49:58 -------- d-----w- c:\programdata\Malwarebytes
2012-06-30 15:49:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-30 15:49:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-30 15:30:13 6762896 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-06-30 15:27:26 -------- d-----w- c:\users\v\appdata\local\Macromedia
2012-06-21 19:39:24 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 19:39:03 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 19:38:33 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-21 19:38:33 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-19 13:02:02 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-19 13:02:02 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-13 11:40:23 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{75027050-e7f4-4c13-9fb8-d771a8e25027}\gapaengine.dll
2012-06-13 03:19:42 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-06-13 03:19:42 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 03:19:40 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-13 03:19:39 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 03:19:38 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 03:19:38 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 03:19:37 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 03:19:36 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-06-13 03:19:31 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 03:19:30 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 03:19:30 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-10 13:51:11 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-10 04:59:14 5120 ----a-w- c:\windows\system32\wmi.dll
2012-06-10 04:59:14 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-06-10 04:59:14 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-06-10 04:59:14 159232 ----a-w- c:\windows\system32\imagehlp.dll
.
==================== Find3M ====================
.
2012-06-30 15:26:03 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 22:03:31.01 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-01 23:10:33
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 TOSHIBA_MK2555GSX rev.FG000D
Running: gmer.exe; Driver: C:\Users\v\AppData\Local\Temp\pxldypog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A7E3C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB7D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\drivers\ptokx.sys The system cannot find the path specified. !
? C:\Users\v\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 B9D4C000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 B9D4C123 629 Bytes [75, D4, B9, FE, 05, 34, 75, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 B9D4C399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F B9D4C3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B B9D4C4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1540] ntdll.dll!LdrGetProcedureAddress + 26 777F2239 7 Bytes JMP 61F82B92 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1540] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76E593D6 7 Bytes JMP 6222A3A0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1540] kernel32.dll!QueryPerformanceCounter + 13 76E5C435 7 Bytes JMP 6222A3C3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1540] GDI32.dll!GetViewportOrgEx + 26C 7797884B 7 Bytes JMP 6222A321 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2588] USER32.dll!GetWindowInfo 77054B5E 5 Bytes JMP 620FA42D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2588] USER32.dll!ToUnicodeEx + 71 77062223 7 Bytes JMP 620FAA2C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtCreateFile + 6 777D55CE 4 Bytes [28, 00, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtCreateFile + B 777D55D3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtCreateKey + 6 777D560E 4 Bytes [68, 01, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtCreateKey + B 777D5613 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtCreateMutant + 6 777D564E 4 Bytes [68, 02, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtCreateMutant + B 777D5653 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtCreateSection + 6 777D56EE 4 Bytes [A8, 02, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtCreateSection + B 777D56F3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtMapViewOfSection + B 777D5C33 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenFile + 6 777D5CDE 4 Bytes [68, 00, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenFile + B 777D5CE3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenKey + 6 777D5D0E 4 Bytes [A8, 01, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenKey + B 777D5D13 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenKeyEx + B 777D5D23 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenMutant + 6 777D5D5E 4 Bytes [28, 02, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenMutant + B 777D5D63 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenProcess + 6 777D5D8E 1 Byte [68]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenProcess + 6 777D5D8E 4 Bytes [68, 03, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenProcess + B 777D5D93 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenProcessToken + 6 777D5D9E 1 Byte [A8]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenProcessToken + 6 777D5D9E 4 Bytes [A8, 03, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenProcessToken + B 777D5DA3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenProcessTokenEx + 6 777D5DAE 4 Bytes [68, 04, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenProcessTokenEx + B 777D5DB3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenSection + B 777D5DD3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenThread + 6 777D5E0E 1 Byte [28]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenThread + 6 777D5E0E 4 Bytes [28, 03, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenThread + B 777D5E13 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenThreadToken + 6 777D5E1E 4 Bytes [28, 04, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenThreadToken + B 777D5E23 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenThreadTokenEx + 6 777D5E2E 4 Bytes [A8, 04, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtOpenThreadTokenEx + B 777D5E33 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtQueryAttributesFile + 6 777D5F3E 4 Bytes [A8, 00, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtQueryAttributesFile + B 777D5F43 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtQueryFullAttributesFile + B 777D5FF3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtSetInformationFile + 6 777D663E 4 Bytes [28, 01, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtSetInformationFile + B 777D6643 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtSetInformationThread + 6 777D669E 1 Byte [E8]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtSetInformationThread + B 777D66A3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtUnmapViewOfSection + 6 777D69BE 4 Bytes [28, 05, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ntdll.dll!NtUnmapViewOfSection + B 777D69C3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] kernel32.dll!CreateProcessW 76E1204D 5 Bytes JMP 00010030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] kernel32.dll!CreateProcessA 76E12082 5 Bytes JMP 00010070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!DeleteObject 77975F14 5 Bytes JMP 001101B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!SelectObject 77976640 5 Bytes JMP 001105F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!SetTextColor 77976906 5 Bytes JMP 001109F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!SetBkMode 779769B1 5 Bytes JMP 001108B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!DeleteDC 77976EAA 5 Bytes JMP 00110170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!GetDeviceCaps 77976F7F 5 Bytes JMP 001103B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!ExtSelectClipRgn 77977114 5 Bytes JMP 001102F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!SelectClipRgn 77977242 5 Bytes JMP 001105B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!SetStretchBltMode 77977705 5 Bytes JMP 00110670
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!GetCurrentObject 77977917 5 Bytes JMP 00110370
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!GetTextMetricsW 77977B8F 5 Bytes JMP 00110DF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!GetTextAlign 77977DAF 5 Bytes JMP 00110D30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!IntersectClipRect 77977DFE 5 Bytes JMP 001103F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!ExtTextOutW 77978192 5 Bytes JMP 00110930
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!SetTextAlign 7797828E 5 Bytes JMP 001109B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!GetClipBox 77978525 5 Bytes JMP 00110330
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!MoveToEx 77978C21 5 Bytes JMP 00110470
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!StretchDIBits 7797A53E 5 Bytes JMP 00110730
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!RestoreDC 7797A67B 5 Bytes JMP 00110530
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!SaveDC 7797A74B 5 Bytes JMP 00110570
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!GetTextExtentPoint32W 7797B4B5 5 Bytes JMP 00110630
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!GetTextFaceW 7797B73A 2 Bytes JMP 00110CF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!GetTextFaceW + 3 7797B73D 2 Bytes [79, 88] {JNS 0xffffffffffffff8a}
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!GetFontData 7797BCC4 5 Bytes JMP 00110C30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!SetWorldTransform 7797C90A 5 Bytes JMP 001106B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!CreateDCA 7797CCA9 5 Bytes JMP 001100B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!CreateDCW 7797CF79 5 Bytes JMP 001100F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!CreateICW 7797CFD0 5 Bytes JMP 00110130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!GetTextMetricsA 7797D0F2 5 Bytes JMP 00110DB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!Rectangle 7797F1FF 5 Bytes JMP 00110970
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!LineTo 7797F59B 5 Bytes JMP 00110430
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!SetICMMode 7797FAA4 5 Bytes JMP 00110D70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!ExtTextOutA 779803F9 5 Bytes JMP 001108F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!ExtEscape 77982949 5 Bytes JMP 001102B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!Escape 77983939 5 Bytes JMP 00110270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!GetTextFaceA 77983E6A 5 Bytes JMP 00110CB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!SetPolyFillMode 7798D851 5 Bytes JMP 00110AF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!SetMiterLimit 7798DA0D 5 Bytes JMP 00110B30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!EndPage 779900D7 5 Bytes JMP 00110230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!ResetDCW 7799050D 5 Bytes JMP 00110A70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!GetGlyphOutlineW 7799C1BA 5 Bytes JMP 00110C70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!CreateScalableFontResourceW 7799E817 5 Bytes JMP 00110B70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!AddFontResourceW 7799EC13 5 Bytes JMP 00110BB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!RemoveFontResourceW 7799F109 5 Bytes JMP 00110BF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!AbortDoc 779A4C63 5 Bytes JMP 00110030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!EndDoc 779A50AA 5 Bytes JMP 001101F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!StartPage 779A5195 5 Bytes JMP 001106F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!StartDocW 779A5BB0 5 Bytes JMP 001107B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!BeginPath 779A635D 5 Bytes JMP 001107F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!SelectClipPath 779A63B4 5 Bytes JMP 00110AB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!CloseFigure 779A640F 5 Bytes JMP 00110070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!EndPath 779A6466 5 Bytes JMP 00110A30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!StrokePath 779A6699 5 Bytes JMP 00110770
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!FillPath 779A6726 5 Bytes JMP 00110830
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!PolylineTo 779A6B94 5 Bytes JMP 001104F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!PolyBezierTo 779A6C25 5 Bytes JMP 001104B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!PolyDraw 779A6CD7 5 Bytes JMP 00110870
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!ActivateKeyboardLayout 77048203 5 Bytes JMP 001204F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!ScreenToClient 7704A506 7 Bytes JMP 00120670
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!RegisterClipboardFormatA 7704C091 5 Bytes JMP 001202F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!RegisterClipboardFormatW 7704DF8D 5 Bytes JMP 001202B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!SetCursor 77053075 5 Bytes JMP 00120530
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!MonitorFromWindow 77053622 7 Bytes JMP 00120630
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!PostMessageW 7705447B 5 Bytes JMP 001205F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!IsWindowVisible 77054D69 7 Bytes JMP 001206B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!GetClientRect 770554DD 7 Bytes JMP 001205B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!MapWindowPoints 77055CAA 5 Bytes JMP 00120570
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!GetParent 77056029 7 Bytes JMP 001206F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!EmptyClipboard 7706290C 5 Bytes JMP 00120130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!SetClipboardData 77062962 5 Bytes JMP 00120170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!GetClipboardData 77062BA7 5 Bytes JMP 00120030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!GetClipboardFormatNameW 77065FD2 5 Bytes JMP 00120230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!SetClipboardViewer 77066FF6 5 Bytes JMP 001204B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!GetClipboardFormatNameA 7706700A 5 Bytes JMP 00120270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!ChangeClipboardChain 7707147C 5 Bytes JMP 00120430
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!GetTopWindow 770724D9 7 Bytes JMP 00120730
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!CloseClipboard 7707446C 5 Bytes JMP 001200B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!OpenClipboard 7707447E 5 Bytes JMP 00120070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!IsClipboardFormatAvailable 770744FF 5 Bytes JMP 001200F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!GetClipboardSequenceNumber 77074513 5 Bytes JMP 00120330
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!GetClipboardOwner 77074525 5 Bytes JMP 00120370
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!CountClipboardFormats 7707470A 5 Bytes JMP 001201F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!EnumClipboardFormats 770747EC 5 Bytes JMP 001201B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!GetOpenClipboardWindow 7707480B 5 Bytes JMP 001203F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!SetCursorPos 7708C1B0 5 Bytes JMP 00120770
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!GetClipboardViewer 770A4AF7 5 Bytes JMP 00120470
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!GetPriorityClipboardFormat 770A4BF9 5 Bytes JMP 001203B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ole32.dll!OleSetClipboard 772B0045 5 Bytes JMP 00130030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ole32.dll!OleIsCurrentClipboard 772B36B2 5 Bytes JMP 00130070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ole32.dll!OleGetClipboard 772DFDCD 5 Bytes JMP 001300B0

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000046 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB22363$\2755651491 0 bytes
File C:\Windows\$NtUninstallKB22363$\3647049274 0 bytes
File C:\Windows\$NtUninstallKB22363$\3647049274\U 0 bytes

---- EOF - GMER 1.0.15 ----

Edited by Maurice Naggar, 04 July 2012 - 12:44 PM.
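The GMER output in this post lists user-mode inline hooks in the Flash Player plugin process (pid 4548): five- and seven-byte JMP patches on GDI32, USER32 and ole32 exports that all land in three low, 64 KiB-aligned regions (0x00110000, 0x00120000 and 0x00130000) rather than inside any system DLL. The Python below is an added example, not code from the original post, from GMER or from BleepingComputer: it parses such lines, groups the JMP targets by hooked module, tallies which API families the hook set covers, and flags targets that fall outside a module map the analyst supplies. The sample lines are copied from the log above; the module map is constructed for illustration and in practice must be taken from the real process (GMER's module listing or a memory dump).

```python
import re
from collections import defaultdict

# One GMER ".text" inline-hook line looks like:
#   .text <process>[<pid>] <module>!<export> <hooked addr> <n> Bytes JMP <target>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<len>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)

# Sample input: eight hook lines copied from the GMER log above, plus one
# non-hook line (from the Devices section) to show that it is skipped.
SAMPLE_LOG = r"""
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!CreateDCA 7797CCA9 5 Bytes JMP 001100B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!LineTo 7797F59B 5 Bytes JMP 00110430
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] GDI32.dll!StartDocW 779A5BB0 5 Bytes JMP 001107B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!ScreenToClient 7704A506 7 Bytes JMP 00120670
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!SetClipboardData 77062962 5 Bytes JMP 00120170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!GetClipboardData 77062BA7 5 Bytes JMP 00120030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] USER32.dll!SetCursorPos 7708C1B0 5 Bytes JMP 00120770
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe[4548] ole32.dll!OleSetClipboard 772B0045 5 Bytes JMP 00130030
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
"""

# Constructed module map for pid 4548 as (base, size, name). The values are
# illustrative only (assumption); take real ones from GMER's module listing or
# a memory dump of the live process.
CONSTRUCTED_MODULE_MAP = [
    (0x77970000, 0x50000, "GDI32.dll"),
    (0x77040000, 0xA0000, "USER32.dll"),
    (0x772A0000, 0x160000, "ole32.dll"),
]


def parse_hooks(log_text):
    """Return one dict per GMER inline-hook line; every other line is skipped."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append({
            "process": m["proc"],
            "pid": int(m["pid"]),
            "module": m["module"],
            "export": m["export"],
            "address": int(m["addr"], 16),
            "patch_len": int(m["len"]),
            "target": int(m["target"], 16),
        })
    return hooks


def region_of(addr, size=0x10000):
    """Round an address down to the start of its 64 KiB allocation granule."""
    return addr & ~(size - 1)


def target_regions(hooks):
    """Map (pid, hooked module) -> sorted list of regions the JMPs land in.

    Many hooks per module all pointing into one private region is the shape of
    a single hook library keeping one trampoline table per hooked DLL.
    """
    regions = defaultdict(set)
    for h in hooks:
        regions[(h["pid"], h["module"])].add(region_of(h["target"]))
    return {k: sorted(v) for k, v in regions.items()}


def flag_out_of_module_targets(hooks, module_ranges):
    """Return hooks whose JMP target lies outside every (base, size, name) range."""
    return [
        h for h in hooks
        if not any(base <= h["target"] < base + size for base, size, _ in module_ranges)
    ]


def family_of(hook):
    """Coarse label for what a hooked export gives the hook library access to."""
    if "Clipboard" in hook["export"]:
        return "clipboard"
    if hook["module"].lower() == "gdi32.dll":
        return "gdi-drawing/printing"
    return "other"


def count_by_family(hooks):
    counts = defaultdict(int)
    for h in hooks:
        counts[family_of(h)] += 1
    return dict(counts)


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for (pid, module), regs in sorted(target_regions(hooks).items()):
        print(f"pid {pid} {module}: {len(regs)} target region(s) {[hex(r) for r in regs]}")
    print("API families hooked:", count_by_family(hooks))
    outside = flag_out_of_module_targets(hooks, CONSTRUCTED_MODULE_MAP)
    for h in outside:
        print(f"  {h['module']}!{h['export']} -> {h['target']:08X} is outside the module map")
```

On the lines above this reports one target region per hooked DLL and every target outside the module map, which tells you a foreign hook library is resident in the process but not whose it is. GMER alone does not answer that: the owning module (or the absence of one, if the trampolines sit in anonymous memory) has to be identified from the live process before calling the hooks malicious, since sandboxing and protection products install hooks of exactly this shape.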


#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:12 AM

Posted 04 July 2012 - 12:32 PM

Hello farawayz,

See this advisory on the Internet Crime Complaint Center regarding Citadel malware & Reveton ransomware
http://www.ic3.gov/media/2012/120530.aspx

Advise me if you have access to a clean computer system. You need to change all your online passwords (especially banking & CC ones), but only by using a clean PC.

This system has some serious backdoor trojans, spyware, and possibly a rootkit.
This is a point where you need to decide about whether to make a clean start.
A backdoor trojan allows hackers to remotely control your computer, steal critical system information, and download and execute files.
You are strongly advised to do the following immediately.
1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.
2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.
3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (Remote Access Trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.
* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh. While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions. I would recommend that you do a full reformat and reinstall of Windows rather than clean the system.
I suggest that you backup important files and reinstall everything from scratch. There are so many changes that could have been done if that backdoor was used.

Let me know what you decide.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo.com/2007/10/03/what-is-a-backdoor-trojan
Danger: Remote Access Trojans http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx
Consumers Identity Theft http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/index.html
When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451
Rootkits: The Obscure Hacker Attack http://www.microsoft.com/technet/community/columns/sectip/st1005.mspx
Help: I Got Hacked. Now What Do I Do? http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft.com/technet/community/columns/secmgmt/sm0704.mspx
Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com/article2/0,1895,1945808,00.asp
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 farawayz

farawayz
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:12 AM

Posted 14 July 2012 - 12:35 PM

Maurice,
Apologies for the delayed response and thank you so much for the reply and information.

That is scary. I'm going to take your most aggressive advice, which is to contact all my banks/cards, etc. and completely wipe the hard drive. I have no idea how I got all this stuff; I hardly use the PC and haven't gone to sketchy sites in years, and I have a firewall and anti-virus.

THANKS!!! I'm going to take action immediately. I will follow the posts you've suggested.

Thanks so much,

Farawayz

Edited by farawayz, 14 July 2012 - 01:39 PM.


#4 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:12 AM

Posted 15 July 2012 - 10:59 AM

A wipe of the system is a wise choice.

Use this article as a reference: How to Do a Clean Installation with Windows 7

Be sure a fresh new copy of your antivirus is downloaded from a clean PC and saved on transportable media (CD/DVD or a clean thumb drive).
When you are at the point of re-installing the O.S., I'd recommend you have the PC disconnected from the internet until after the O.S. is installed and the antivirus is fully set up and running.

Safer practices & malware prevention
We are finished here. Best regards.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
