
Found Hacktool Rootkit.d after Panda Scan


#1 Sumita, Member, 39 posts
Hi

I thought I had already posted at around 10 am this morning but couldn't find the post. After doing a Panda scan, Hacktool Rootkit.d and Spyware New.Net were found on my PC. I have run other anti-virus systems such as Spybot, Ewido etc., but none of them picked this up. I even looked at the infected folders but couldn't see anything, so I really don't understand what's going on here. Please could you tell me if my system is infected and, if it is, what I need to do to get rid of it?
Below are the panda scan and hijack this log files.

PANDA SCAN 9 FEB
Incident Status Location

Hacktool:hacktool/rootkit.d Not disinfected hkey_local_machine\system\controlset001\enum\root\LEGACY_AVPU32
Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\Admin\My Documents\SEBASTIAN\WarezP2P_DLC.exe[NNWARZ3_88.exe]
HIJACK THIS 10 FEB
Logfile of HijackThis v1.99.1
Scan saved at 10:10:01, on 10/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Downloads\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\YTBSDK.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 164.12.153.148:8080
R3 - URLSearchHook: (no name) - {B6325E3C-A83C-4F12-990D-7AB3AAAA3E87} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: XBTBPos00 Class - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - C:\PROGRA~1\MORPHE~1\MORPHE~1.DLL (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Downloads\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoe...ggPublisher.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


HIJACK THIS UNINSTALL LOG
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.7
Adobe® Photoshop® Album Starter Edition 3.0
ASUS Probe V2.23.04
Canon Digital Camera USB Driver
Canon PhotoRecord
Canon Utilities PhotoStitch 3.1
Canon Utilities RAW Image Converter
Canon Utilities RemoteCapture 1.3
Canon Utilities ZoomBrowser EX
CoreVorbis Audio Decoder (remove only)
ewido anti-malware
Fish Tycoon (remove only)
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_06
Kerio Personal Firewall
LiveUpdate 1.6 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft Office XP Professional with FrontPage
Microsoft Windows Journal Viewer
Nero 6 Ultra Edition
NoAdware v4.0
Norton AntiVirus Corporate Edition
NVIDIA Drivers
NVIDIA Windows 2000/XP Display Drivers
NVIDIA Windows 2000/XP nForce Drivers
Panda ActiveScan
RollerCoaster Tycoon 3
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
SP2 Connection Patcher
SP2 Connection Patcher
Spy Sweeper
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Uninstall Malware Scanner
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
WIDCOMM Bluetooth Software
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinZip
XoftSpy
Yahoo! Anti-Spy
Yahoo! Install Manager
Yahoo! Toolbar

Many thanks
Sumita
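What a malware-removal helper does with a HijackThis log like the one above is read it section by section, looking for entries that point at files which are no longer present, components registered without a display name, and settings such as a configured proxy server. The script below is an added example written for this thread (it is not HijackThis code and not part of the original post). The sample lines are copied from the log above; the flagging rules are simple heuristics chosen for the example. A flag means "look at this", not "this is malicious": Spybot's SDHelper BHO legitimately reports `(no name)`, and the proxy setting is only worth attention if nobody configured it on purpose.

```python
"""Triage a HijackThis v1.99 log: count entries per section and flag the ones
a helper would look at first.

Added example for this thread; not HijackThis code. The flagging rules are
this example's own heuristics, not verdicts."""
import re
from collections import Counter

# Sample input: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 164.12.153.148:8080
R3 - URLSearchHook: (no name) - {B6325E3C-A83C-4F12-990D-7AB3AAAA3E87} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: XBTBPos00 Class - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - C:\PROGRA~1\MORPHE~1\MORPHE~1.DLL (file missing)
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - Global Startup: BTTray.lnk = ?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Every HijackThis entry line starts with a section code (R0, R1, F2, O2 ...).
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_entries(log_text):
    """Yield (section, body) for each entry line; process lists, headers and
    blank lines do not match and are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def review_reasons(section, body):
    """Heuristic reasons an entry deserves a second look (example rules)."""
    reasons = []
    if "(no file)" in body or "(file missing)" in body or body.endswith("= ?"):
        reasons.append("orphan")   # registry still points at a file that is gone
    if "(no name)" in body:
        reasons.append("unnamed")  # component registered without a display name
    if section == "R1" and "ProxyServer" in body:
        reasons.append("proxy")    # all IE traffic is routed through this host:port
    return reasons


def triage(log_text):
    """Return per-section counts and the list of flagged entries."""
    by_section = Counter()
    flagged = []
    for section, body in parse_entries(log_text):
        by_section[section] += 1
        reasons = review_reasons(section, body)
        if reasons:
            flagged.append({"section": section, "reasons": reasons, "body": body})
    return {"by_section": by_section, "flagged": flagged}


def proxy_setting(log_text):
    """Return the configured proxy host:port, or None if there is no R1 ProxyServer entry."""
    for section, body in parse_entries(log_text):
        if section == "R1" and "ProxyServer" in body:
            return body.split(" = ", 1)[1].strip()
    return None


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for sec, n in sorted(result["by_section"].items()):
        print(f"{sec}: {n} entries")
    for f in result["flagged"]:
        print(f"[{','.join(f['reasons'])}] {f['section']} - {f['body']}")
    print("proxy:", proxy_setting(SAMPLE_LOG))
```

Running it against the sample prints seven flagged entries out of eleven; the helper then decides which of them are harmless leftovers (the missing Morpheus toolbar files) and which need an explanation (the proxy).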


#2 Noviciate, Confused Helper, Malware Removal, 1,567 posts
For the malicious file, just delete it - C:\Documents and Settings\Admin\My Documents\SEBASTIAN\WarezP2P_DLC.exe
The registry entry is probably just a leftover, but we'll take a nose around and see what shows up.

Download gmer.zip from here and save it to your Desktop.
You will need to unzip it before you run it.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


Double click gmer.exe to begin:
  • Ensure that the Rootkit Tab at the top is selected.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
  • Click the Scan button on the right.
  • When the scan has completed, (you'll have time for a snack and a cuppa!), click the Copy button underneath - this will save the report to your Clipboard.
  • Paste it into Notepad (Start > All Programs > Accessories > Notepad) and save it somewhere convenient.
  • Click the >>> Tab at the top and select the Autostart Tab.
  • Click the Scan button on the right - this one should only take seconds to complete.
  • Save the log as before.
Copy and paste both reports into your next reply - you may need to post them separately. Please preview your posts to ensure that all of both logs get posted.

1) Download F-Secure's BlackLight from here and save it to your Desktop.

2) Log off from the internet and disconnect your modem cable.

3) Go to Start > Run, copy and paste the following into the text box and hit OK:
"%userprofile%\desktop\blbeta.exe" /expert

The F-Secure Blacklight Beta window should open.
  • Accept the agreement and click Next >.
  • Click the Scan button to begin.
  • Leave the PC idle while the scan takes place.
  • When it has completed, click the Close button.
  • A text file, fsbl-date/time, will be saved onto your Desktop - copy and paste this into your next reply.

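Once the GMER report comes back it is mostly a long list of SSDT hooks and 5-byte JMP patches in user-mode DLLs, and the first triage step is to work out which of them are explained by the security products already installed (the HijackThis log above shows Kerio Personal Firewall, AVG Anti-Spyware and Webroot Spy Sweeper, all of which hook the kernel to do their job). The script below is an added example for this thread, not GMER's own code and not part of Noviciate's post. The sample lines are a subset of the report posted later in the thread; the two `example_unknown` lines are constructed here purely to exercise the "unexplained" path. The mapping of `fwdrv.sys`/`khips.sys` to Kerio and `SSI.SYS` to Spy Sweeper is an assumption made for the example; only `guard.sys` is identified by its path in the report itself.

```python
"""Triage a GMER report: attribute SSDT hooks to known security products and
summarise user-mode inline hooks per process.

Added example for this thread; not GMER code. KNOWN_HOOKERS is an assumed
module-to-product map, and the two 'example_unknown' sample lines are
constructed to show what an unexplained hook looks like in the output."""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
---- System - GMER 1.0.12 ----

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateFile
SSDT \SystemRoot\system32\drivers\khips.sys ZwLoadDriver
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT SSI.SYS ZwRenameKey
SSDT \SystemRoot\system32\drivers\example_unknown.sys ZwQueryDirectoryFile

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000304F0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00030950
.text C:\WINDOWS\system32\csrss.exe[396] KERNEL32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001604F0
.text C:\WINDOWS\system32\winlogon.exe[420] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\winlogon.exe[420] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00070950
.text C:\WINDOWS\system32\example_unknown.exe[999] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00100
"""

# Assumed attribution (example only). guard.sys sits under the AVG directory
# in the report; the Kerio and Webroot entries are assumptions for this example.
KNOWN_HOOKERS = {
    "fwdrv.sys": "Kerio Personal Firewall 4 (assumed)",
    "khips.sys": "Kerio Personal Firewall 4 (assumed)",
    "guard.sys": "AVG Anti-Spyware 7.5 (path in report)",
    "ssi.sys": "Webroot Spy Sweeper (assumed)",
}

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<func>\S+)$")
USER_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[^!\s]+)!(?P<func>\S+)"
    r"\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)$")


def module_name(path):
    """Last component of a Windows path, lower-cased (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_report(text):
    """Split a report into SSDT hooks [(module, func)] and user-mode hooks [dict]."""
    ssdt, user = [], []
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            ssdt.append((m["module"], m["func"]))
            continue
        m = USER_RE.match(line)
        if m:
            user.append({"proc": module_name(m["proc"]), "pid": int(m["pid"]),
                         "hook": f'{m["dll"].lower()}!{m["func"]}',
                         "target": int(m["target"], 16)})
    return ssdt, user


def attribute_ssdt(ssdt):
    """Group SSDT hooks by the product believed to own the hooking module;
    modules absent from KNOWN_HOOKERS land under 'unexplained'."""
    by_product = defaultdict(list)
    for module, func in ssdt:
        name = module_name(module)
        by_product[KNOWN_HOOKERS.get(name, "unexplained")].append((name, func))
    return dict(by_product)


def hook_coverage(user):
    """Map each user-mode hook to the set of (process, pid) that carry it."""
    procs = defaultdict(set)
    for h in user:
        procs[h["hook"]].add((h["proc"], h["pid"]))
    return procs


def singleton_hooks(user):
    """Hooks present in exactly one process. A hook set that repeats in every
    process is consistent with a system-wide HIPS; a one-off is worth a closer
    look. Heuristic, not a verdict."""
    return sorted(h for h, p in hook_coverage(user).items() if len(p) == 1)


if __name__ == "__main__":
    ssdt, user = parse_report(SAMPLE_REPORT)
    for product, hooks in attribute_ssdt(ssdt).items():
        print(f"{product}: {', '.join(f'{m} -> {f}' for m, f in hooks)}")
    for hook, procs in sorted(hook_coverage(user).items()):
        print(f"{hook}: hooked in {len(procs)} process(es)")
    print("single-process hooks:", singleton_hooks(user))
```

On the sample this attributes four SSDT hooks to the three installed products and leaves the constructed `example_unknown.sys` entry as unexplained, and it reports `kernel32.dll!LoadLibraryA` as the only hook seen in a single process; in the real report the same kernel32/USER32 set repeats in every process listed, which is the pattern a host firewall or HIPS produces.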

#3 Sumita, Topic Starter, Member, 39 posts
Hi

Thank you so much for replying. I was really worried after the Panda scan, particularly as I couldn't find the rootkit file anywhere. I have scanned with GMER and BlackLight and the logs are below:

GMER
GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-12 18:54:02
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwClose
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcess
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcessEx
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteValueKey
SSDT \SystemRoot\system32\drivers\khips.sys ZwLoadDriver
SSDT \SystemRoot\system32\drivers\khips.sys ZwMapViewOfSection
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT SSI.SYS ZwRenameKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwResumeThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSetInformationFile
SSDT SSI.SYS ZwSetInformationKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSetValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwWriteFile

---- Kernel code sections - GMER 1.0.12 ----

PAGENDSM NDIS.SYS!NdisMIndicateStatus F73B7A5F 6 Bytes [ FF, 25, E8, 5B, 9B, ED ]

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\NavNT\defwatch.exe[228] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\NavNT\defwatch.exe[228] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\NavNT\defwatch.exe[228] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\NavNT\defwatch.exe[228] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\NavNT\defwatch.exe[228] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\NavNT\defwatch.exe[228] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\NavNT\defwatch.exe[228] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\NavNT\defwatch.exe[228] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\NavNT\defwatch.exe[228] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\NavNT\defwatch.exe[228] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\NavNT\defwatch.exe[228] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\NavNT\defwatch.exe[228] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\NavNT\defwatch.exe[228] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\NavNT\defwatch.exe[228] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\NavNT\defwatch.exe[228] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000301A8
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00030090
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00030694
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000302C0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00030234
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00030004
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0003011C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000304F0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0003057C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000303D8
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0003034C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00030464
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00030608
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000308C4
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00030838
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00030950
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000307AC
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00030720
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] WININET.dll!InternetOpenW 771BAEFD 5 Bytes JMP 00030DB0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] WININET.dll!InternetConnectA 771C30C3 5 Bytes JMP 00030F54
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] WININET.dll!InternetOpenA 771C58BA 5 Bytes JMP 00030D24
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 00030E3C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] WININET.dll!InternetConnectW 771CEE00 5 Bytes JMP 00030FE0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[376] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 00030EC8
.text C:\WINDOWS\system32\csrss.exe[396] KERNEL32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001601A8
.text C:\WINDOWS\system32\csrss.exe[396] KERNEL32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00160090
.text C:\WINDOWS\system32\csrss.exe[396] KERNEL32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00160694
.text C:\WINDOWS\system32\csrss.exe[396] KERNEL32.dll!CreateProcessW 7C802332 5 Bytes JMP 001602C0
.text C:\WINDOWS\system32\csrss.exe[396] KERNEL32.dll!CreateProcessA 7C802367 5 Bytes JMP 00160234
.text C:\WINDOWS\system32\csrss.exe[396] KERNEL32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00160004
.text C:\WINDOWS\system32\csrss.exe[396] KERNEL32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0016011C
.text C:\WINDOWS\system32\csrss.exe[396] KERNEL32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001604F0
.text C:\WINDOWS\system32\csrss.exe[396] KERNEL32.dll!CreateThread 7C810637 5 Bytes JMP 0016057C
.text C:\WINDOWS\system32\csrss.exe[396] KERNEL32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001603D8
.text C:\WINDOWS\system32\csrss.exe[396] KERNEL32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0016034C
.text C:\WINDOWS\system32\csrss.exe[396] KERNEL32.dll!WinExec 7C86136D 5 Bytes JMP 00160464
.text C:\WINDOWS\system32\csrss.exe[396] KERNEL32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00160608
.text C:\WINDOWS\system32\csrss.exe[396] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001607AC
.text C:\WINDOWS\system32\csrss.exe[396] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00160720
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[400] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[400] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[400] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[400] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[400] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[400] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[400] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[400] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[400] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[400] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[400] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[400] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[400] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[400] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[400] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\winlogon.exe[420] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\winlogon.exe[420] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\winlogon.exe[420] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\winlogon.exe[420] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\winlogon.exe[420] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\winlogon.exe[420] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\winlogon.exe[420] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\winlogon.exe[420] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\winlogon.exe[420] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\winlogon.exe[420] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\winlogon.exe[420] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\winlogon.exe[420] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\winlogon.exe[420] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\winlogon.exe[420] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\winlogon.exe[420] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\winlogon.exe[420] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000708C4
.text C:\WINDOWS\system32\winlogon.exe[420] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00070838
.text C:\WINDOWS\system32\winlogon.exe[420] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00070950
.text C:\WINDOWS\system32\winlogon.exe[420] WININET.dll!InternetOpenW 771BAEFD 5 Bytes JMP 00070DB0
.text C:\WINDOWS\system32\winlogon.exe[420] WININET.dll!InternetConnectA 771C30C3 5 Bytes JMP 00070F54
.text C:\WINDOWS\system32\winlogon.exe[420] WININET.dll!InternetOpenA 771C58BA 5 Bytes JMP 00070D24
.text C:\WINDOWS\system32\winlogon.exe[420] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 00070E3C
.text C:\WINDOWS\system32\winlogon.exe[420] WININET.dll!InternetConnectW 771CEE00 5 Bytes JMP 00070FE0
.text C:\WINDOWS\system32\winlogon.exe[420] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 00070EC8
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\NavNT\rtvscan.exe[452] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\NavNT\rtvscan.exe[452] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\NavNT\rtvscan.exe[452] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\NavNT\rtvscan.exe[452] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\NavNT\rtvscan.exe[452] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\services.exe[600] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\services.exe[600] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\services.exe[600] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\services.exe[600] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\services.exe[600] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\lsass.exe[612] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\lsass.exe[612] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\lsass.exe[612] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\lsass.exe[612] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\lsass.exe[612] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[764] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[764] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[764] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[764] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[764] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[820] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[820] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[820] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[820] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[820] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\nvsvc32.exe[892] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\nvsvc32.exe[892] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\nvsvc32.exe[892] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\nvsvc32.exe[892] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\nvsvc32.exe[892] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\nvsvc32.exe[892] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\nvsvc32.exe[892] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\nvsvc32.exe[892] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\nvsvc32.exe[892] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\nvsvc32.exe[892] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\nvsvc32.exe[892] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\nvsvc32.exe[892] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\nvsvc32.exe[892] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\nvsvc32.exe[892] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\nvsvc32.exe[892] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[912] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[912] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[912] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[912] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[912] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[912] WININET.dll!InternetOpenW 771BAEFD 5 Bytes JMP 00080DB0
.text C:\WINDOWS\system32\svchost.exe[912] WININET.dll!InternetConnectA 771C30C3 5 Bytes JMP 00080F54
.text C:\WINDOWS\system32\svchost.exe[912] WININET.dll!InternetOpenA 771C58BA 5 Bytes JMP 00080D24
.text C:\WINDOWS\system32\svchost.exe[912] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 00080E3C
.text C:\WINDOWS\system32\svchost.exe[912] WININET.dll!InternetConnectW 771CEE00 5 Bytes JMP 00080FE0
.text C:\WINDOWS\system32\svchost.exe[912] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 00080EC8
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[960] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[960] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[960] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[960] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[960] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1016] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1016] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1016] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1016] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1016] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetOpenW 771BAEFD 5 Bytes JMP 00080DB0
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetConnectA 771C30C3 5 Bytes JMP 00080F54
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetOpenA 771C58BA 5 Bytes JMP 00080D24
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 00080E3C
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetConnectW 771CEE00 5 Bytes JMP 00080FE0
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 00080EC8
.text C:\WINDOWS\system32\svchost.exe[1032] ker

#4
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
I see only part of the first GMER log, none of the second, or the Blacklight scan.

#5
Sumita

Sumita

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
:whistling: Oh! That's strange. I did do a preview before I posted and it was all there. Never mind, I have posted the rest of the GMER & Blacklight logs below; hope you can see it? Thanks, Sumita

GMER
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\NavNT\rtvscan.exe[452] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\NavNT\rtvscan.exe[452] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\NavNT\rtvscan.exe[452] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\NavNT\rtvscan.exe[452] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\NavNT\rtvscan.exe[452] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\NavNT\rtvscan.exe[452] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[512] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!VirtualProtectEx

GMER Autostart
GMER 1.0.12.12027 - http://www.gmer.net
Autostart scan 2007-02-12 18:56:36
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
!SASWinLogon@DLLName = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
NavLogon@DLLName = C:\WINDOWS\system32\NavLogon.dll
WgaLogon@DLLName = WgaLogon.dll
WRNotifier@DLLName = WRLogonNTF.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = NVDESK32.DLL

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
btwdins /*Bluetooth Service*/@ = C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
DefWatch /*DefWatch*/@ = "C:\Program Files\NavNT\defwatch.exe"
KPF4 /*Kerio Personal Firewall 4*/@ = "C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe"
MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
Norton AntiVirus Server /*Norton AntiVirus Client*/@ = "C:\Program Files\NavNT\rtvscan.exe"
NVSvc /*NVIDIA Driver Helper Service*/@ = %SystemRoot%\system32\nvsvc32.exe
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
svcWRSSSDK /*Webroot Spy Sweeper Engine*/@ = C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@vptrayC:\Program Files\NavNT\vptray.exe = C:\Program Files\NavNT\vptray.exe
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@nwiznwiz.exe /install = nwiz.exe /install
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@SunJavaUpdateSched"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" = "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
@BluetoothAuthenticationAgentrundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
@SpySweeper"C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray /*file not found*/ = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray /*file not found*/
@Adobe Photo Downloader"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
@CaISSDT"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe" = "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
@eTrustPPAP"C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" = "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
@!AVG Anti-Spyware"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NvMediaCenterRUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit = RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
@SP2 Connection Patcher"C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200 = "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@Skype"C:\Downloads\Phone\Skype.exe" /nosplash /minimized = "C:\Downloads\Phone\Skype.exe" /nosplash /minimized
@SUPERAntiSpywareC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll
@{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}C:\Program Files\SUPERAntiSpyware\SASSEH.DLL = C:\Program Files\SUPERAntiSpyware\SASSEH.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office10\msohev.dll = C:\Program Files\Microsoft Office\Office10\msohev.dll
@{BDA77241-42F6-11d0-85E2-00AA001FE28C} /*LDVP Shell Extensions*/C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@(null) =
@{6af09ec9-b429-11d4-a1fb-0090960218cb} /*My Bluetooth Places*/C:\WINDOWS\system32\btneighborhood.dll = C:\WINDOWS\system32\btneighborhood.dll
@{7C9D5882-CB4A-4090-96C8-430BFE8B795B} /*Webroot Spy Sweeper Context Menu Integration*/C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll /*file not found*/ = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll /*file not found*/

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
SpySweeper@{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll /*file not found*/
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{02478D38-C3F9-4EFB-9B51-7695ECA05670}C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll = C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\ANTI-V~1\Spybot\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\ANTI-V~1\Spybot\SPYBOT~1\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
@{9394EDE7-C8B5-483E-8773-474BF36AF6E4}C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll = C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\program files\google\googletoolbar2.dll = c:\program files\google\googletoolbar2.dll
@{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll = C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
@{E552EEFC-DE97-45D4-BA1A-F534A1B4A579}C:\PROGRA~1\MORPHE~1\MORPHE~1.DLL /*file not found*/ = C:\PROGRA~1\MORPHE~1\MORPHE~1.DLL /*file not found*/

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\ssmypics.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.wanadoo.co.uk/ = http://www.wanadoo.co.uk/
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft...p...ER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://uk.yahoo.com/ = http://uk.yahoo.com/
@Local Page\blank.htm = \blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = "C:\PROGRA~1\MSNMES~1\msgrapp.dll"
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = %SystemRoot%\system32\wshbth.dll

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk
BTTray.lnk = BTTray.lnk
Microsoft Office.lnk = Microsoft Office.lnk
WinZip Quick Pick.lnk = WinZip Quick Pick.lnk

---- EOF - GMER 1.0.12 ----

Blacklight
02/12/07 19:03:46 [Info]: BlackLight Engine 1.0.55 initialized
02/12/07 19:03:46 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/12/07 19:03:46 [Note]: 7019 4
02/12/07 19:03:46 [Note]: 7005 0
02/12/07 19:04:08 [Note]: 7006 0
02/12/07 19:04:08 [Note]: 7022 0
02/12/07 19:04:08 [Note]: 7011 1592
02/12/07 19:04:08 [Note]: 7026 0
02/12/07 19:04:08 [Note]: 7026 0
02/12/07 19:04:14 [Note]: FSRAW library version 1.7.1021
02/12/07 19:09:27 [Note]: 7007 0
  • 0

#6
Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
Open Notepad (Start > All Programs > Accessories > Notepad) and copy and paste the following into it -

regedit /e c:\peek1.txt "HKEY_LOCAL_MACHINE\SYSTEM\controlset001\enum\root\LEGACY_AVPU32"
start notepad c:\peek1.txt


Save it to your Desktop with the following name, including quotation marks - "peek.bat"
Double click it and a Notepad window should open with some text in - copy and paste this into your next reply.
* A copy of the text will be saved to C:\peek1.txt.
  • 0

#7
Sumita

    Member

  • Topic Starter
  • Member
  • 39 posts
:whistling: Hi

I've pasted the log below:

Peek.Bat
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\controlset001\enum\root\LEGACY_AVPU32]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\controlset001\enum\root\LEGACY_AVPU32\0000]
"Service"="avpu32"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="TCPIP Kernel32"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\controlset001\enum\root\LEGACY_AVPU32\0000\LogConf]
  • 0

#8
Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
Download regsearch.zip by Bobbi Flekman from here and save it to your Desktop.
You will then need to unzip it.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see the contents of the regsearch folder.
Double-click regsearch.exe to begin.
Copy and paste the following into the top box and then click OK:

AVPU

When the tool has finished, a Notepad window will open with the results in. When you close it, a copy will be saved as RegSearch.txt in the regsearch folder - copy and paste this into your next reply.


1) Download F-Secure's BlackLight from here and save it to your Desktop.

2) Log off from the internet and disconnect your modem cable.

3) Go to Start > Run, copy and paste the following into the text box and hit OK:
"%userprofile%\desktop\blbeta.exe" /expert

The F-Secure Blacklight Beta window should open.
  • Accept the agreement and click Next >.
  • Click the Scan button to begin.
  • Leave the PC idle while the scan takes place.
  • When it has completed, click the Close button.
  • A text file, fsbl-date/time, will be saved onto your Desktop - copy and paste this into your next reply.

  • 0

#9
Sumita

    Member

  • Topic Starter
  • Member
  • 39 posts
:whistling: Thank you, I have run the programs you suggested and pasted the logs below:

Regsearch
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 17/02/2007 09:49:45 for strings:
; 'avpu
avpu
avpu
avpu'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

Blacklight
02/17/07 09:57:42 [Info]: BlackLight Engine 1.0.55 initialized
02/17/07 09:57:42 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/17/07 09:57:42 [Note]: 7019 4
02/17/07 09:57:42 [Note]: 7005 0
02/17/07 09:57:53 [Note]: 7006 0
02/17/07 09:57:53 [Note]: 7011 356
02/17/07 09:57:53 [Note]: 7026 0
02/17/07 09:57:53 [Note]: 7026 0
02/17/07 09:57:59 [Note]: FSRAW library version 1.7.1021
02/17/07 10:08:19 [Note]: 7007 0
  • 0

#10
Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
Definitely looks like it's just a leftover and should be easy to remove -

1) Create a Restore Point - this is standard procedure before making any registry changes.
A tutorial for System Restore is available here.

2) Copy the contents of the following box into Notepad. (Start > All Programs > Accessories > Notepad)
Make sure that you have no blank lines at the beginning, and one blank line at the end:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\controlset001\enum\root\LEGACY_AVPU32]

Save it to your Desktop with the following properties:
File Name: Regfix.reg
File Type: All Files

3) Locate Regfix.reg on your Desktop and double click it.
Click on Yes in the confirmation window.

If the PC misbehaves after this step, you can use System Restore to turn back the clock to just before you ran the regfix.
Run another Panda scan and let me know if all is now well.
  • 0

#11
Sumita

    Member

  • Topic Starter
  • Member
  • 39 posts
Hi

I did the regfix, which seemed to work fine, the only thing is that when I ran the panda scan it found exactly the same problem again. It's only the panda scan which picks this up and to be honest I have looked in the registry and can't find hacktool and I have also uninstalled warez so I don't see how it can keep picking this up? Could something be wrong with the panda scan because on the malware forum about a week and a half ago I noticed that someone else had exactly the same problem as I did, where the panda scan picked up hacktool. They had just posted and at that point hadn't had any replies.

Anyway, I have posted the panda log below:

Incident Status Location

Hacktool:hacktool/rootkit.d Not disinfected hkey_local_machine\system\controlset001\enum\root\LEGACY_AVPU32
Spyware:Spyware/New.net Not disinfected
C:\Documents and Settings\Admin\My Documents\SEBASTIAN\WarezP2P_DLC.exe[NNWARZ3_88.exe]
Many thanks
Sumita
  • 0

#12
Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
I hate it when this sort of thing happens! It could be a false-positive, or it could be something else - I think that about covers every possibility, so there's no chance of me being wrong!

As you are happy digging in the registry, (and you wouldn't be in there if you weren't, would you!), I'd like you to try a little something. Be careful what you do though, as things can go bad if you're careless.

Download Icesword from here and save it to your Desktop - It's a zip file so you'll need to extract the contents once it has arrived.

This is a rootkit detection tool and its method of operation may mean that it can detect the registry entry if it is being hidden.
The nature of rootkits however, means that if you can't find it, it might just be hidden too well, or it might not be there in the first place - nothing like a bit of uncertainty to make your evening, is there!

Open the folder and double click Icesword.exe to fire the tool up. At the bottom left is a button marked Registry - click that.
Navigate to the hkey_local_machine\system\controlset001\enum\root key and see if you can locate LEGACY_AVPU32.
If it shows up, you have a hidden nasty on your PC and we'll need to do some work.

Create a Restore Point before you go into the registry, just in case!
Let me know how you get on.
  • 0
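The two checks the helper has walked through in this thread (export the suspect LEGACY_* key with regedit /e and read what it records, then compare what regedit and RegSearch see with what a hive-level rootkit detector such as IceSword sees) can be scripted. The Python below is an added example written for this page; it is not code from the thread, from Panda, IceSword or RegSearch. It parses the export syntax that peek.bat produced, lists the legacy-driver service each instance key records, flags any whose service is no longer installed (the "leftover" case), and reports keys that appear in a low-level view but are missing from the user-mode one. The export text is copied from the peek.bat log above; the installed-service list and the two key listings are constructed stand-ins, not data from this PC.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Copied from the peek.bat output posted in this thread (regedit /e export syntax).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\controlset001\enum\root\LEGACY_AVPU32]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\controlset001\enum\root\LEGACY_AVPU32\0000]
"Service"="avpu32"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="TCPIP Kernel32"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\controlset001\enum\root\LEGACY_AVPU32\0000\LogConf]
"""

ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\controlset001\enum\root"

# Constructed stand-ins (not from this PC): the subkeys a user-mode listing
# (regedit / RegSearch) reported, and the subkeys a hive-level rootkit
# detector reported for the same path.
USER_MODE_VIEW = [ROOT + r"\LEGACY_BEEP", ROOT + r"\LEGACY_NULL"]
KERNEL_VIEW = USER_MODE_VIEW + [ROOT + r"\LEGACY_AVPU32"]

RegTree = Dict[str, Dict[str, object]]
_VALUE_LINE = re.compile(r'^(?:"([^"]*)"|@)=(.*)$')


def parse_reg_export(text: str) -> RegTree:
    """Parse regedit export syntax: [key] headers followed by name=value lines.
    Quoted strings and dword:hex values are decoded; other types are kept raw."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # a leading '-' here would mean "delete this key"
            tree[current] = {}
            continue
        match = _VALUE_LINE.match(line)
        if current is None or not match:
            continue
        name = match.group(1) if match.group(1) is not None else "@"
        raw_value = match.group(2)
        value: object = raw_value
        if len(raw_value) >= 2 and raw_value.startswith('"') and raw_value.endswith('"'):
            value = raw_value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif raw_value.lower().startswith("dword:"):
            value = int(raw_value[6:], 16)
        tree[current][name] = value
    return tree


def legacy_driver_entries(tree: RegTree) -> List[Tuple[str, str, str]]:
    """(key, service, description) for every instance key whose Class is
    LegacyDriver: each one records a kernel driver service that was started
    on this machine at some point."""
    found = []
    for key, values in tree.items():
        if values.get("Class") == "LegacyDriver" and "Service" in values:
            found.append((key, str(values["Service"]), str(values.get("DeviceDesc", ""))))
    return found


def orphaned_legacy_entries(tree: RegTree, installed_services: Iterable[str]) -> List[str]:
    """Services named by LEGACY_* entries that no longer exist under Services.
    A stale entry with no driver behind it is the harmless leftover; one whose
    service is still present deserves a closer look."""
    installed = {name.lower() for name in installed_services}
    return [svc for _, svc, _ in legacy_driver_entries(tree) if svc.lower() not in installed]


def cross_view_diff(user_mode_view: Iterable[str], kernel_view: Iterable[str]) -> Set[str]:
    """Keys a low-level tool reports that the user-mode listing does not.
    Anything here is either being hidden from the normal registry API or is
    a benign discrepancy (timing, case); either way it needs an explanation."""
    seen_normally = {key.lower() for key in user_mode_view}
    return {key for key in kernel_view if key.lower() not in seen_normally}


if __name__ == "__main__":
    tree = parse_reg_export(SAMPLE_EXPORT)
    for key, svc, desc in legacy_driver_entries(tree):
        print(f"{key}: service={svc!r} desc={desc!r}")
    # Constructed service list for the demonstration run.
    print("orphaned:", orphaned_legacy_entries(tree, ["Beep", "Null", "Tcpip"]))
    print("hidden from user mode:", sorted(cross_view_diff(USER_MODE_VIEW, KERNEL_VIEW)))
```

To use it on a real machine, paste the contents of C:\peek1.txt over SAMPLE_EXPORT, fill the installed-service list from an export of the Services key, and fill the two view lists from the outputs of the user-mode and hive-level tools; a non-empty cross-view difference is the condition the helper describes as "a hidden nasty", while an orphaned service with an empty cross-view difference matches the "just a leftover" reading.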

#13
Sumita

    Member

  • Topic Starter
  • Member
  • 39 posts
:whistling: Err, 'comfortable' isn't quite the word I would use going into the registry! That's just it, I go into the registry and take a look to see if I can see anything. I have gone in under guidance and removed, I think it was new.dot or something, but it kept coming back so I had to switch off system restore and go in 'safe mode' to remove it. That was a while ago and to be honest I would hardly count myself as the most technically able of people! Anyway, I'm desperate so I'll give it a go and will definitely create a restore point before I go in!

Will be back to you soon, I hope....

Sumita x
  • 0

#14
Sumita

    Member

  • Topic Starter
  • Member
  • 39 posts
:whistling: Hi

Yes, unfortunately it was there! AVPU 32. I have attached a screen print as I wasn't sure what else to do...

Thanks
Sumita

  • 0

#15
Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
The screenshot is good.

Download haxfix.exe by Marckie from here and save it to your Desktop.
  • Double-click the file to begin the installation (which by default will be to the C:\Program Files\Haxfix folder).
  • When the option appears, place a checkmark next to "Create a desktop icon".
  • Once the tool has finished installing, ensure that the "Launch Haxfix" option is checked and click Finish.
  • When the red Command Window appears, click "any key" to continue, and then select option 1 -"Make logfile".
  • Once the scan has completed, a Notepad file entitled haxlog.txt will open - a copy of this will be saved to C:\haxlog.txt
  • You can now exit Haxfix.
Let me have a copy of the Haxfix log and we'll take it from there.
  • 0