
Infected; AntiVirus Plus and more [Closed]


  • This topic is locked

#1
Kyman73
New Member, 1 post
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
A quick synopsis of the issues on the computer:
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

  • Fake Anti-virus scans / popups from rundll.exe and iexplore.exe
  • Took administrative rights away from all users
  • Blocks install and locks executables of Malwarebytes, Avast, and HijackThis unless I rename them before running.
  • Doesn't allow virus scans to complete


I was unable to run an OTL scan, the scan freezes when "Checking service: hkmsvc". I have tried renaming the executable and running a normal and quick scan with / without the special parameters.


I hope this can suffice

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Hijack This Log
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:14 PM, on 1/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\Mom\Application Data\SystemProc\lsass.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsearch.com/?useie5=1&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.adbsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsearch.com/?useie5=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: C:\WINDOWS\system32\hg2jl.dll - {C4BF49A2-94F1-42BD-F034-3604811C807D} - C:\WINDOWS\system32\hg2jl.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: Mirar - {74648C98-B6B2-443C-883C-50139F4622E4} - C:\WINDOWS\system32\9c78.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Owner\Application Data\AntiVirus Plus\AntiVirus Plus.70700.dll", start 70700
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [WhereSphere] C:\Documents and Settings\Owner\Application Data\WhereSphere\wheresphere.exe
O4 - HKCU\..\Run: [SfKg6wIPuS] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\oulwsv.exe
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Owner\Application Data\AntiVirus Plus\AntiVirus Plus.70700.dll", start 70700
O4 - HKCU\..\Run: [sefjhf98jfoidsfoishgoiusgdgfgd] C:\DOCUME~1\Owner\LOCALS~1\Temp\bmttl9mxn.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\Owner\LOCALS~1\Temp\smss.exe
O4 - HKCU\..\Run: [extrac64_cab.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\extrac64_cab.exe
O4 - HKCU\..\Run: [BMIMZMHMFM] C:\DOCUME~1\Owner\LOCALS~1\Temp\Wk0.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Mom\Application Data\SystemProc\lsass.exe
O4 - Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
O4 - Global Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251833108406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251837210578
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC7EB7FB-EA6D-4578-A0DF-AB68140E1F37}: NameServer = 193.104.110.38,4.2.2.1,192.168.1.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll,rulisofo.dll
O21 - SSODL: pumazurun - {3bcf88b0-b4d0-421a-ab7b-0d850c350a4d} - c:\windows\system32\wakosoli.dll (file missing)
O22 - SharedTaskScheduler: lkjah87hfijgnfasidofgysgiughnjfkgfgdfgf - {C4BF49A2-94F1-42BD-F034-3604811C807D} - C:\WINDOWS\system32\hg2jl.dll
O22 - SharedTaskScheduler: kupuhivus - {3bcf88b0-b4d0-421a-ab7b-0d850c350a4d} - c:\windows\system32\wakosoli.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7000 bytes



$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
GMER Log:
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-24 18:25:09
Windows 5.1.2600 Service Pack 3
Running: fvgh.exe; Driver: C:\DOCUME~1\Mom\LOCALS~1\Temp\kxadafob.sys


---- System - GMER 1.0.15 ----

Code 8996C2B8 ZwEnumerateKey
Code 8998D430 ZwFlushInstructionCache
Code 89982616 IofCallDriver
Code 8998968E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 8998261B
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 89989693
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC6 5 Bytes JMP 8998D434
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB72 5 Bytes JMP 8996C2BC

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\alg.exe[204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F2BEC8
.text C:\WINDOWS\System32\alg.exe[204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F2BEB3
.text C:\WINDOWS\System32\alg.exe[204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F2BEAC
.text C:\WINDOWS\System32\alg.exe[204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F2BCC8
.text C:\WINDOWS\System32\alg.exe[204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F2BCC1
.text C:\WINDOWS\System32\alg.exe[204] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 00F2BEC1
.text C:\WINDOWS\System32\alg.exe[204] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F2BECF
.text C:\WINDOWS\System32\alg.exe[204] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 00F2BB2C
.text C:\WINDOWS\System32\alg.exe[204] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 00F2BEBA
.text C:\WINDOWS\system32\winlogon.exe[692] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0165BEC8
.text C:\WINDOWS\system32\winlogon.exe[692] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0165BEB3
.text C:\WINDOWS\system32\winlogon.exe[692] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0165BEAC
.text C:\WINDOWS\system32\winlogon.exe[692] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0165BCC8
.text C:\WINDOWS\system32\winlogon.exe[692] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0165BCC1
.text C:\WINDOWS\system32\winlogon.exe[692] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 0165BEC1
.text C:\WINDOWS\system32\winlogon.exe[692] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0165BECF
.text C:\WINDOWS\system32\winlogon.exe[692] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 0165BB2C
.text C:\WINDOWS\system32\winlogon.exe[692] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 0165BEBA
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013FBEC8
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 013FBEB3
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 013FBEAC
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013FBCC8
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013FBCC1
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 013FBEC1
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 013FBECF
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 013FBB2C
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 013FBEBA
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0115BEC8
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0115BEB3
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0115BEAC
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0115BCC8
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0115BCC1
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 0115BEC1
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0115BECF
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 0115BB2C
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 0115BEBA
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01DFBEC8
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01DFBEB3
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01DFBEAC
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01DFBCC8
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01DFBCC1
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 01DFBEC1
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01DFBECF
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 01DFBB2C
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 01DFBEBA
.text C:\WINDOWS\system32\svchost.exe[948] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 034B000A
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0136BEC8
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0136BEB3
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0136BEAC
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0136BCC8
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0136BCC1
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 0136BEC1
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0136BECF
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 0136BB2C
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 0136BEBA
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05CABEC8
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 05CABEB3
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 05CABEAC
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05CABCC8
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05CABCC1
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 05CABEC1
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 05CABECF
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 05CABB2C
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 05CABEBA
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0102BEC8
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0102BEB3
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0102BEAC
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0102BCC8
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0102BCC1
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 0102BEC1
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0102BECF
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 0102BB2C
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 0102BEBA
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F1BEC8
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F1BEB3
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F1BEAC
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F1BCC8
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F1BCC1
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 00F1BEC1
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F1BECF
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 00F1BB2C
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 00F1BEBA
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 012FBEC8
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 012FBEB3
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 012FBEAC
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012FBCC8
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012FBCC1
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 012FBEC1
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 012FBECF
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 012FBB2C
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 012FBEBA
.text C:\WINDOWS\system32\spoolsv.exe[1484] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E6000A
.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F1BEC8
.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F1BEB3
.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F1BEAC
.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F1BCC8
.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F1BCC1
.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 00F1BEC1
.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F1BECF
.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 00F1BB2C
.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 00F1BEBA
.text C:\WINDOWS\system32\nvsvc32.exe[1684] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 012ABEC8
.text C:\WINDOWS\system32\nvsvc32.exe[1684] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 012ABEB3
.text C:\WINDOWS\system32\nvsvc32.exe[1684] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 012ABEAC
.text C:\WINDOWS\system32\nvsvc32.exe[1684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012ABCC8
.text C:\WINDOWS\system32\nvsvc32.exe[1684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012ABCC1
.text C:\WINDOWS\system32\nvsvc32.exe[1684] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 012ABEC1
.text C:\WINDOWS\system32\nvsvc32.exe[1684] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 012ABECF
.text C:\WINDOWS\system32\nvsvc32.exe[1684] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 012ABB2C
.text C:\WINDOWS\system32\nvsvc32.exe[1684] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 012ABEBA
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 00376294
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 003764C5
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 00376476
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 003762DA
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 003764EC
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 00376314
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 003763EA
.text C:\WINDOWS\system32\ctfmon.exe[2160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E0000A
.text C:\WINDOWS\vVX3000.exe[2316] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F2BEC8
.text C:\WINDOWS\vVX3000.exe[2316] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F2BEB3
.text C:\WINDOWS\vVX3000.exe[2316] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F2BEAC
.text C:\WINDOWS\vVX3000.exe[2316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F2BCC8
.text C:\WINDOWS\vVX3000.exe[2316] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F2BCC1
.text C:\WINDOWS\vVX3000.exe[2316] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 00F2BEC1
.text C:\WINDOWS\vVX3000.exe[2316] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F2BECF
.text C:\WINDOWS\vVX3000.exe[2316] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 00F2BB2C
.text C:\WINDOWS\vVX3000.exe[2316] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 00F2BEBA
.text C:\WINDOWS\system32\ctfmon.exe[2432] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 00376294
.text C:\WINDOWS\system32\ctfmon.exe[2432] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 003764C5
.text C:\WINDOWS\system32\ctfmon.exe[2432] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 00376476
.text C:\WINDOWS\system32\ctfmon.exe[2432] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 003762DA
.text C:\WINDOWS\system32\ctfmon.exe[2432] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 003764EC
.text C:\WINDOWS\system32\ctfmon.exe[2432] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 00376314
.text C:\WINDOWS\system32\ctfmon.exe[2432] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 003763EA
.text C:\WINDOWS\system32\ctfmon.exe[2432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E0000A
? C:\DOCUME~1\Mom\LOCALS~1\Temp\services.exe[2448] IMAGE_DOS_SIGNATURE not found;
.text C:\DOCUME~1\Mom\LOCALS~1\Temp\services.exe[2448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D3BEC8
.text C:\DOCUME~1\Mom\LOCALS~1\Temp\services.exe[2448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D3BEB3
.text C:\DOCUME~1\Mom\LOCALS~1\Temp\services.exe[2448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D3BEAC
.text C:\DOCUME~1\Mom\LOCALS~1\Temp\services.exe[2448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D3BCC8
.text C:\DOCUME~1\Mom\LOCALS~1\Temp\services.exe[2448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D3BCC1
.text C:\DOCUME~1\Mom\LOCALS~1\Temp\services.exe[2448] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 00D3BEC1
.text C:\DOCUME~1\Mom\LOCALS~1\Temp\services.exe[2448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D3BECF
.text C:\DOCUME~1\Mom\LOCALS~1\Temp\services.exe[2448] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 00D3BB2C
.text C:\DOCUME~1\Mom\LOCALS~1\Temp\services.exe[2448] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 00D3BEBA
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 003D6294
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 003D64C5
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 003D6476
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 003D62DA
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 003D64EC
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 003D6314
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 003D63EA
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01ADBEC8
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01ADBEB3
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01ADBEAC
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01ADBCC8
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01ADBCC1
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 01ADBEC1
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01ADBECF
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 01ADBB2C
.text C:\Documents and Settings\Mom\Desktop\gmer\fvgh.exe[2652] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 01ADBEBA
.text c:\WINDOWS\system32\ZuneBusEnum.exe[2836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DEBEC8
.text c:\WINDOWS\system32\ZuneBusEnum.exe[2836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DEBEB3
.text c:\WINDOWS\system32\ZuneBusEnum.exe[2836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DEBEAC
.text c:\WINDOWS\system32\ZuneBusEnum.exe[2836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DEBCC8
.text c:\WINDOWS\system32\ZuneBusEnum.exe[2836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DEBCC1
.text c:\WINDOWS\system32\ZuneBusEnum.exe[2836] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 00DEBEC1
.text c:\WINDOWS\system32\ZuneBusEnum.exe[2836] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DEBECF
.text c:\WINDOWS\system32\ZuneBusEnum.exe[2836] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 00DEBB2C
.text c:\WINDOWS\system32\ZuneBusEnum.exe[2836] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 00DEBEBA
.text C:\WINDOWS\explorer.exe[2916] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 00366294
.text C:\WINDOWS\explorer.exe[2916] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 003664C5
.text C:\WINDOWS\explorer.exe[2916] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 00366476
.text C:\WINDOWS\explorer.exe[2916] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 003662DA
.text C:\WINDOWS\explorer.exe[2916] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 003664EC
.text C:\WINDOWS\explorer.exe[2916] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 00366314
.text C:\WINDOWS\explorer.exe[2916] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 003663EA
.text C:\WINDOWS\explorer.exe[2916] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02E6BEC8
.text C:\WINDOWS\explorer.exe[2916] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02E6BEB3
.text C:\WINDOWS\explorer.exe[2916] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02E6BEAC
.text C:\WINDOWS\explorer.exe[2916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02E6BCC8
.text C:\WINDOWS\explorer.exe[2916] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02E6BCC1
.text C:\WINDOWS\explorer.exe[2916] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 02E6BEC1
.text C:\WINDOWS\explorer.exe[2916] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02E6BECF
.text C:\WINDOWS\explorer.exe[2916] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 02E6BB2C
.text C:\WINDOWS\explorer.exe[2916] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 02E6BEBA
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 04B7BEC8
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 04B7BEB3
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 04B7BEAC
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 04B7BCC8
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 04B7BCC1
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] kernel32.dll!SearchPathW 7C80E77C 5 Bytes JMP 04B7BEC1
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 04B7BECF
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 04B7BB2C
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] kernel32.dll!SearchPathA 7C8217EA 5 Bytes JMP 04B7BEBA
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E352056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E35201B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F63 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F9D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352091 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E352253 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0099600F
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] ws2_32.dll!send 71AB4C27 5 Bytes JMP 00995DE8
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00995F67
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] ws2_32.dll!recv 71AB676F 5 Bytes JMP 00995E5B
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00995ECD
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] WININET.dll!HttpAddRequestHeadersA 3D94632F 5 Bytes JMP 012E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] WININET.dll!HttpOpenRequestA 3D94AA7B 2 Bytes JMP 013C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] WININET.dll!HttpOpenRequestA + 3 3D94AA7E 2 Bytes [A7, C3] {CMPSD ; RET }
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] WININET.dll!InternetConnectA 3D94B0D2 5 Bytes JMP 013E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] WININET.dll!InternetConnectW 3D94C2C0 5 Bytes JMP 013D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] WININET.dll!HttpOpenRequestW 3D94C49A 5 Bytes JMP 013B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] WININET.dll!HttpAddRequestHeadersW 3D9AA4C5 5 Bytes JMP 013A000A

---- User IAT/EAT - GMER 1.0.15 ----


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTvtniqjlhmv.sys (*** hidden *** ) B5635000-B5651000 (114688 bytes)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTvsaatyalrv.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [692] 0x00180000
Library \\?\globalroot\systemroot\system32\H8SRTvsaatyalrv.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1060] 0x00B70000
Library \\?\globalroot\systemroot\system32\H8SRTvsaatyalrv.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1116] 0x00B70000
Library \\?\globalroot\systemroot\system32\H8SRTvsaatyalrv.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1160] 0x00B70000
Library \\?\globalroot\systemroot\system32\H8SRTvsaatyalrv.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1328] 0x00B70000
Library \\?\globalroot\systemroot\system32\H8SRTvsaatyalrv.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1392] 0x00B70000
Library \\?\globalroot\systemroot\system32\H8SRTvsaatyalrv.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1564] 0x00B70000
Library \\?\globalroot\systemroot\system32\H8SRTvsaatyalrv.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1620] 0x00B70000
Library \\?\globalroot\systemroot\system32\H8SRTvsaatyalrv.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1804] 0x00B70000
Library \\?\globalroot\systemroot\system32\H8SRTvsaatyalrv.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3040] 0x01410000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRTvtniqjlhmv.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTvtniqjlhmv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTvtniqjlhmv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTkxdqjnkkaw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTkxxnhrgbkq.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTmujwkdyevn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTvsaatyalrv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTkcyprmoips.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTvtniqjlhmv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTvtniqjlhmv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTkxdqjnkkaw.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTkxxnhrgbkq.dat
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTmujwkdyevn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTvsaatyalrv.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTkcyprmoips.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll 1012 bytes
File C:\Documents and Settings\All Users\Application Data\h8srtmainqt.dll 16673 bytes
File C:\Documents and Settings\Owner\Local Settings\Temp\H8SRT4503.tmp 17408 bytes executable
File C:\Documents and Settings\Owner\Local Settings\Temp\H8SRT4d12.tmp 51712 bytes executable
File C:\Documents and Settings\Owner\Local Settings\Temp\H8SRT4d41.tmp 343040 bytes executable
File C:\Documents and Settings\Owner\Local Settings\Temp\H8SRTd4ef.tmp 69632 bytes executable
File C:\Documents and Settings\Owner\Local Settings\Temp\h8srtmainqt.dll 16431 bytes
File C:\Program Files\AnvSoft\Any Video Converter\mplayer\config 428 bytes
File C:\Program Files\Steam\config 0 bytes
File C:\Program Files\Steam\config\coplay_76561197999586718.vdf 2652 bytes
File C:\Program Files\Steam\config\dialogconfig.vdf 4980 bytes
File C:\Program Files\Steam\config\dialogconfigoverlay_1024x768.vdf 866 bytes
File C:\Program Files\Steam\config\dialogconfigoverlay_640x480.vdf 818 bytes
File C:\Program Files\Steam\config\ingamedialogconfig.vdf 1642 bytes
File C:\Program Files\Steam\config\MasterServers.vdf 1006 bytes
File C:\Program Files\Steam\config\serverbrowser.vdf 1805 bytes
File C:\Program Files\Steam\config\shortcuts.vdf 13 bytes
File C:\Program Files\Steam\config\SteamAppData.vdf 189 bytes
File C:\WINDOWS\system32\drivers\H8SRTvtniqjlhmv.sys 39936 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\mshlps.dll 3072 bytes executable
File C:\WINDOWS\system32\H8SRTkcyprmoips.dll 40960 bytes executable
File C:\WINDOWS\system32\H8SRTkxdqjnkkaw.dll 23040 bytes executable
File C:\WINDOWS\system32\H8SRTkxxnhrgbkq.dat 248 bytes
File C:\WINDOWS\system32\H8SRTmujwkdyevn.dll 40960 bytes executable
File C:\WINDOWS\system32\h8srtshsyst.dll 1572 bytes
File C:\WINDOWS\system32\H8SRTvsaatyalrv.dll 16896 bytes executable
File C:\WINDOWS\system32\kbdsock.dll 3072 bytes executable
File C:\WINDOWS\Temp\H8SRTb8eb.tmp 243 bytes
File C:\WINDOWS\Temp\H8SRTba71.tmp 40960 bytes executable
File C:\WINDOWS\Temp\H8SRTbcc3.tmp 27136 bytes executable
File C:\WINDOWS\Temp\H8SRTd1a3.tmp 200 bytes
File C:\WINDOWS\Temp\H8SRTd570.tmp 248 bytes
File C:\WINDOWS\Temp\H8SRTe7bc.tmp 40960 bytes executable
File C:\WINDOWS\Temp\H8SRTeaaa.tmp 27136 bytes executable

---- EOF - GMER 1.0.15 ----


Edited by Kyman73, 24 January 2010 - 09:30 PM.

  • 0

#2
fenzodahl512

  • Malware Removal
  • 9,863 posts
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.
  • 0

#3
fenzodahl512

  • Malware Removal
  • 9,863 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0