Last known good config used, malware issues
Started by arclight, Apr 26 2011 07:06 AM
#76
Posted 24 May 2011 - 02:32 PM

On the Windows Update site, select your history of updates – now click on failed update (red mark) and see if there is an error code. If there is an error code, write it down and post it back here.
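Added example (editor's illustration, not part of the post above or the helper's instructions): the same update history the post asks the user to click through, including the HRESULT behind each red-marked failure, can be read from the Windows Update Agent COM API. It assumes PowerShell 2.0 or later is installed on the XP SP3 machine; the `Microsoft.Update.Session` class, `QueryHistory` and the `OperationResultCode` values are the documented WUA ones.

```powershell
# Added example (not from the original thread): list Windows Update history and
# flag failed/aborted installs with their HRESULT, via the Windows Update Agent
# COM API. Assumes PowerShell 2.0+ (installable on Windows XP SP3).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()

if ($count -eq 0) {
    Write-Host "No update history recorded on this machine."
    return
}

# OperationResultCode values defined by the WUA API
$resultNames = @{
    0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
    3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted'
}

$history = $searcher.QueryHistory(0, $count) | ForEach-Object {
    New-Object PSObject -Property @{
        Date    = $_.Date
        Result  = $resultNames[[int]$_.ResultCode]
        # HResult is a signed Int32; X8 formatting prints it as the familiar 0x8024xxxx code
        HResult = ('0x{0:X8}' -f [int]$_.HResult)
        Title   = $_.Title
    }
}

# Failed or aborted entries are the ones shown with a red mark on the Windows Update site
$failed = $history | Where-Object { $_.Result -eq 'Failed' -or $_.Result -eq 'Aborted' }

if ($failed) {
    $failed | Sort-Object Date -Descending | Format-Table Date, Result, HResult, Title -AutoSize
} else {
    Write-Host "No failed updates among $count history entries."
}
```

The HResult column is what the helper means by "error code"; posting that value (for example a 0x8024xxxx code) rather than the update title is what lets the failure be looked up.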
#77
Posted 26 May 2011 - 03:56 PM

Got all the Windows security updates installed OK.
However, I have got malware again, this time XP Security Centre.
Here is an MBAM scan. I did one 2 hours ago which found nothing and then ran one a few minutes ago:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6686
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
26/05/2011 22:44:03
mbam-log-2011-05-26 (22-44-03).txt
Scan type: Quick scan
Objects scanned: 175125
Time elapsed: 4 minute(s), 41 second(s)
Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 6
Memory Processes Infected:
c:\documents and settings\user\application data\dwm.exe (Trojan.Downloader) -> 1272 -> Unloaded process successfully.
c:\documents and settings\user\application data\microsoft\conhost.exe (Backdoor.Cycbot.Gen) -> 1408 -> Unloaded process successfully.
c:\documents and settings\user\local settings\application data\mwv.exe (Trojan.FakeAlert) -> 1684 -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Backdoor.Cycbot.Gen) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Backdoor.Cycbot.Gen) -> Bad: (C:\DOCUME~1\user\LOCALS~1\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\user\Local Settings\Application Data\mwv.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\user\Local Settings\Application Data\mwv.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\user\Local Settings\Application Data\mwv.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\user\application data\dwm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\user\application data\microsoft\conhost.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\Documents and Settings\user\Local Settings\temp\csrss.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\user\local settings\application data\mwv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\user\local settings\temp\0.2426014038373283.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\user\local settings\temp\0.7195831096024854.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
As well as that, I also did a full RootkitUnhooker scan:
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>SSDT State
==============================================
ntoskrnl.exe-->NtClose, Type: Address change 0x80567AED-->F8A8A514 [sbhr.sys]
ntoskrnl.exe-->NtCreateKey, Type: Address change 0x8057376F-->F8D1AE6E [Unknown module filename]
ntoskrnl.exe-->NtCreateThread, Type: Address change 0x80578803-->F8D1AE64 [Unknown module filename]
ntoskrnl.exe-->NtDeleteKey, Type: Address change 0x80597FFA-->F8D1AE73 [Unknown module filename]
ntoskrnl.exe-->NtDeleteValueKey, Type: Address change 0x80595C1A-->F8D1AE7D [Unknown module filename]
ntoskrnl.exe-->NtLoadKey, Type: Address change 0x805AF5C3-->F8D1AE82 [Unknown module filename]
ntoskrnl.exe-->NtOpenKey, Type: Address change 0x80568F68-->F8A8A4D0 [sbhr.sys]
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x80574AA9-->F8D1AE50 [Unknown module filename]
ntoskrnl.exe-->NtOpenThread, Type: Address change 0x8059323B-->F8D1AE55 [Unknown module filename]
ntoskrnl.exe-->NtReplaceKey, Type: Address change 0x8064FE82-->F8D1AE8C [Unknown module filename]
ntoskrnl.exe-->NtRestoreKey, Type: Address change 0x8064FA19-->F8D1AE87 [Unknown module filename]
ntoskrnl.exe-->NtSetValueKey, Type: Address change 0x8057BC5B-->F8D1AE78 [Unknown module filename]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x805839B9-->F8D1AE5F [Unknown module filename]
==============================================
>Shadow
==============================================
==============================================
>Processes
==============================================
0x82FCAB98 [4] System
0x829A8650 [120] C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation, Windows Security Center Notification App)
0x82D0D168 [416] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x82D20020 [480] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x82C4BD78 [516] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x82975560 [560] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x82D0F168 [580] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x82EA7990 [656] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
0x8287ADA0 [752] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82C9ADA0 [800] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82868360 [868] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82CD7DA0 [924] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x828D5560 [1036] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82956920 [1164] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x828ED460 [1184] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x828C9928 [1232] C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH, Antivirus Scheduler)
0x82905BC0 [1296] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82C5F308 [1344] C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH, Antivirus On-Access Service)
0x82EA88D0 [1380] C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc., SiteAdvisor)
0x82C54800 [1404] C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation, Run a DLL as an App)
0x82C7F318 [1408] C:\WINDOWS\system32\taskmgr.exe (Microsoft Corporation, Windows TaskManager)
0x82EA1DA0 [1476] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8294C2C8 [1908] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
0x82873530 [2232] C:\Documents and Settings\user\Local Settings\Application Data\mwv.exe
0x82C965B8 [2516] C:\Documents and Settings\user\Desktop\aswMBR-2.EXE (UG North, RKULE, SR2 Normandy)
0x828C6CD0 [2980] C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation, Firefox)
0x8290B328 [3336] C:\Documents and Settings\user\Application Data\dwm.exe (-, -)
0x829AF260 [3532] C:\WINDOWS\system32\msiexec.exe (Microsoft Corporation, Windows® installer)
0x82BB4BD0 [3660] C:\DOCUME~1\user\LOCALS~1\temp\csrss.exe (-, -)
0x82901B00 [3732] C:\Documents and Settings\user\Application Data\Microsoft\conhost.exe (-, -)
==============================================
>Drivers
==============================================
0xF7462000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 4345856 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF78CE000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 4124672 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0xBF17C000 C:\WINDOWS\System32\ati3duag.dll 3178496 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2192768 bytes
0x804D7000 RAW 2192768 bytes
0x804D7000 WMIxWDM 2192768 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF484000 C:\WINDOWS\System32\ativvaxx.dll 1765376 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xF8509000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF05F000 C:\WINDOWS\System32\ati2cqag.dll 520192 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF0DE000 C:\WINDOWS\System32\atikvmag.dll 458752 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xAA665000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF7371000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAA772000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA97C2000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 315392 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF633000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA91A6000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF8627000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xBF14E000 C:\WINDOWS\System32\atiok3x2.dll 188416 bytes (ATI Technologies Inc., Ring 0 x2 component)
0xA9932000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF84DC000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA8E8E000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAA6FD000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAA74A000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xAA63F000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA8E42000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF78AA000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF7CBD000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF7887000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAA728000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EF000 ACPI_HAL 131840 bytes
0x806EF000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF85BF000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF85F7000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xAA623000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 114688 bytes (Avira GmbH, Avira Driver for RootKit Detection)
0xF84C2000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF85DF000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xAA60B000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF8596000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF7423000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA943D000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xA9BB7000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 81920 bytes (Avira GmbH, Avira Minifilter Driver)
0xF743A000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF744E000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAA7CB000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF85AD000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF8616000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF7412000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF8896000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF8746000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF8766000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF8726000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF8756000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA9A1F000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF87D6000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF86B6000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF8776000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF8786000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF8696000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF87A6000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xA90B9000 C:\DOCUME~1\user\LOCALS~1\Temp\aswMBR.sys 45056 bytes
0xF8836000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF8736000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF8686000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF8796000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF8716000 C:\WINDOWS\system32\DRIVERS\amdk7.sys 40960 bytes (Microsoft Corporation, Processor Device Driver)
0xF8676000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF87E6000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF87C6000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF86A6000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF87B6000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF8826000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA937A000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF8846000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF8926000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF8A1E000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF8A2E000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF88F6000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF8936000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF8A46000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF8A3E000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF8A36000 C:\WINDOWS\system32\DRIVERS\point32.sys 24576 bytes (Microsoft Corporation, Point32.sys)
0xF8A26000 C:\WINDOWS\system32\DRIVERS\RTL8139.SYS 24576 bytes (Realtek Semiconductor Corporation, Realtek RTL8139 NDIS 5.0 Driver)
0xF892E000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xF8A7E000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF8A6E000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF891E000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF88FE000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF8A5E000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF8A66000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF8A4E000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF8A16000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF8956000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF83E0000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA9BCB000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF8B6E000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF8A86000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7369000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF8B72000 C:\WINDOWS\system32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xF83F0000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF8B12000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF8A8A000 sbhr.sys 12288 bytes (-, Sunbelt CounterSpy AP Driver)
0xF8BB6000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
0xF8BAE000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8BC0000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8BAC000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8B76000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8BB0000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8B94000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF8BB2000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8BA8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8BAA000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8B78000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8C5D000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8D46000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8DB5000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF8C3E000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x824F2AD4 Unknown page with executable code, 1324 bytes
0x824EE504 Unknown page with executable code, 2812 bytes
0x824ED0C6 Unknown page with executable code, 3898 bytes
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B7B4, Type: Inline - RelativeJump 0x804E27B4-->804E2768 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B7BC, Type: Inline - RelativeJump 0x804E27BC-->804E2770 [ntoskrnl.exe]
ntoskrnl.exe+0x0000BA94, Type: Inline - RelativeJump 0x804E2A94-->804E2A48 [ntoskrnl.exe]
[1164]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1164]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1164]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1164]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1164]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[1164]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[1164]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[2232]mwv.exe-->advapi32.dll-->RegCloseKey, Type: IAT modification 0x005F0000-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegCreateKeyExA, Type: IAT modification 0x005F0004-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegDeleteKeyA, Type: IAT modification 0x005F0020-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegDeleteValueA, Type: IAT modification 0x005F001C-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegEnumKeyExA, Type: IAT modification 0x005F0018-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegOpenKeyExA, Type: IAT modification 0x005F0014-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegOpenKeyExW, Type: IAT modification 0x005F0010-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegQueryInfoKeyA, Type: IAT modification 0x005F000C-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegQueryValueExW, Type: IAT modification 0x005F0024-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegSetValueExA, Type: IAT modification 0x005F0008-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->AddAtomA, Type: IAT modification 0x005F0114-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->CloseHandle, Type: IAT modification 0x005F0110-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->CreateEventA, Type: IAT modification 0x005F010C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->CreateThread, Type: IAT modification 0x005F0108-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->ExitProcess, Type: IAT modification 0x005F0100-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->FindResourceA, Type: IAT modification 0x005F00FC-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->FormatMessageA, Type: IAT modification 0x005F00F8-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x005F0090-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetACP, Type: IAT modification 0x005F002C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetCommandLineW, Type: IAT modification 0x005F0030-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetCurrentProcess, Type: IAT modification 0x005F0034-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetCurrentProcessId, Type: IAT modification 0x005F0038-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetCurrentThreadId, Type: IAT modification 0x005F003C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetFileAttributesW, Type: IAT modification 0x005F0040-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetLocaleInfoA, Type: IAT modification 0x005F0048-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x005F004C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x005F0050-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x005F0054-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetModuleHandleW, Type: IAT modification 0x005F0058-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x005F005C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetStartupInfoA, Type: IAT modification 0x005F0060-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetSystemDirectoryW, Type: IAT modification 0x005F0064-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetSystemTimeAsFileTime, Type: IAT modification 0x005F0068-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetThreadLocale, Type: IAT modification 0x005F006C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetTickCount, Type: IAT modification 0x005F0070-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetVersion, Type: IAT modification 0x005F0074-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetVersionExA, Type: IAT modification 0x005F0078-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->InitializeCriticalSection, Type: IAT modification 0x005F007C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->InterlockedDecrement, Type: IAT modification 0x005F0080-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->InterlockedExchange, Type: IAT modification 0x005F0084-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->InterlockedIncrement, Type: IAT modification 0x005F0088-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->IsDBCSLeadByte, Type: IAT modification 0x005F008C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x005F0118-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x005F0094-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x005F0098-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x005F009C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->LoadResource, Type: IAT modification 0x005F00A0-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->LocalAlloc, Type: IAT modification 0x005F00A4-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->LocalFree, Type: IAT modification 0x005F00A8-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->lstrcmpiA, Type: IAT modification 0x005F00E8-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->lstrcpynA, Type: IAT modification 0x005F00EC-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->lstrlenA, Type: IAT modification 0x005F00F0-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->lstrlenW, Type: IAT modification 0x005F00F4-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->MultiByteToWideChar, Type: IAT modification 0x005F00AC-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->OutputDebugStringA, Type: IAT modification 0x005F00B0-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->QueryPerformanceCounter, Type: IAT modification 0x005F00B4-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->RaiseException, Type: IAT modification 0x005F00B8-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->SetErrorMode, Type: IAT modification 0x005F00BC-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->SetEvent, Type: IAT modification 0x005F00C0-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x005F00C8-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->SizeofResource, Type: IAT modification 0x005F00CC-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->Sleep, Type: IAT modification 0x005F00D0-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->TerminateProcess, Type: IAT modification 0x005F00D4-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->UnhandledExceptionFilter, Type: IAT modification 0x005F00D8-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->VirtualAlloc, Type: IAT modification 0x005F00DC-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->WaitForSingleObject, Type: IAT modification 0x005F00E0-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->WideCharToMultiByte, Type: IAT modification 0x005F00E4-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->BeginPaint, Type: IAT modification 0x005F01FC-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->CharNextA, Type: IAT modification 0x005F01F8-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->DestroyIcon, Type: IAT modification 0x005F0200-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->DestroyWindow, Type: IAT modification 0x005F01F4-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->DispatchMessageA, Type: IAT modification 0x005F01F0-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->EnableWindow, Type: IAT modification 0x005F01EC-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->EndPaint, Type: IAT modification 0x005F01E8-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->FillRect, Type: IAT modification 0x005F01E4-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetActiveWindow, Type: IAT modification 0x005F01E0-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetAsyncKeyState, Type: IAT modification 0x005F01DC-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetClassNameA, Type: IAT modification 0x005F01D8-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetClientRect, Type: IAT modification 0x005F01D4-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetCursorPos, Type: IAT modification 0x005F01D0-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetFocus, Type: IAT modification 0x005F01CC-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetMessageA, Type: IAT modification 0x005F01C8-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetMessageW, Type: IAT modification 0x005F01C4-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetParent, Type: IAT modification 0x005F01C0-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetSystemMetrics, Type: IAT modification 0x005F0140-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetWindowLongA, Type: IAT modification 0x005F0144-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification 0x005F0148-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetWindowRect, Type: IAT modification 0x005F014C-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->IsIconic, Type: IAT modification 0x005F0150-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->IsWindow, Type: IAT modification 0x005F0154-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->KillTimer, Type: IAT modification 0x005F0158-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->LoadAcceleratorsA, Type: IAT modification 0x005F015C-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->LoadCursorA, Type: IAT modification 0x005F0160-->00000000 [msctf.dll]
[2232]mwv.exe-->user32.dll-->LoadIconA, Type: IAT modification 0x005F0164-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->MessageBeep, Type: IAT modification 0x005F0168-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->MessageBoxA, Type: IAT modification 0x005F016C-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->MessageBoxW, Type: IAT modification 0x005F0170-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->MoveWindow, Type: IAT modification 0x005F0174-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->OffsetRect, Type: IAT modification 0x005F0178-->00000000 [msctf.dll]
[2232]mwv.exe-->user32.dll-->PeekMessageA, Type: IAT modification 0x005F017C-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->PostQuitMessage, Type: IAT modification 0x005F0180-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->PostThreadMessageA, Type: IAT modification 0x005F0184-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->RegisterWindowMessageA, Type: IAT modification 0x005F0188-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SendMessageA, Type: IAT modification 0x005F018C-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SetCursor, Type: IAT modification 0x005F0190-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SetFocus, Type: IAT modification 0x005F0194-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SetRect, Type: IAT modification 0x005F0198-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SetTimer, Type: IAT modification 0x005F019C-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SetWindowLongA, Type: IAT modification 0x005F01A0-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SetWindowPos, Type: IAT modification 0x005F01A4-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->ShowWindow, Type: IAT modification 0x005F01A8-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SystemParametersInfoA, Type: IAT modification 0x005F01AC-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->TranslateAcceleratorA, Type: IAT modification 0x005F01B0-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->TranslateMessage, Type: IAT modification 0x005F01B4-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->UpdateWindow, Type: IAT modification 0x005F01B8-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->WaitMessage, Type: IAT modification 0x005F01BC-->00000000 [unknown_code_page]
[2980]firefox.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C8197B1-->00000000 [kernel32.dll]
[2980]firefox.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - PushRet 0x7C8197B5-->00000000 [kernel32.dll]
[2980]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->00000000 [firefox.exe]
[2980]firefox.exe-->ws2_32.dll-->closesocket, Type: Inline - PushRet 0x71AB3E2B-->00000000 [unknown_code_page]
[2980]firefox.exe-->ws2_32.dll-->recv, Type: Inline - PushRet 0x71AB676F-->00000000 [unknown_code_page]
[2980]firefox.exe-->ws2_32.dll-->send, Type: Inline - PushRet 0x71AB4C27-->00000000 [unknown_code_page]
[2980]firefox.exe-->ws2_32.dll-->WSAGetOverlappedResult, Type: Inline - PushRet 0x71AC0D1B-->00000000 [unknown_code_page]
[2980]firefox.exe-->ws2_32.dll-->WSARecv, Type: Inline - PushRet 0x71AB4CB5-->00000000 [unknown_code_page]
[2980]firefox.exe-->ws2_32.dll-->WSASend, Type: Inline - PushRet 0x71AB68FA-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->CloseHandle, Type: IAT modification 0x0041C020-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->CreateFileA, Type: IAT modification 0x0041C050-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->EnumResourceTypesW, Type: IAT modification 0x0041C040-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->GetCurrentProcessId, Type: IAT modification 0x0041C024-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->GetCurrentThreadId, Type: IAT modification 0x0041C02C-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x0041C054-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0041C038-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->GetShortPathNameW, Type: IAT modification 0x0041C01C-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->GetVersionExA, Type: IAT modification 0x0041C05C-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->InitializeCriticalSection, Type: IAT modification 0x0041C018-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->IsDebuggerPresent, Type: IAT modification 0x0041C03C-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0041C04C-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->LocalFree, Type: IAT modification 0x0041C044-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->SetHandleInformation, Type: IAT modification 0x0041C030-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x0041C048-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->UnhandledExceptionFilter, Type: IAT modification 0x0041C058-->00000000 [unknown_code_page]
[3336]dwm.exe-->user32.dll-->wsprintfA, Type: IAT modification 0x0041C000-->00000000 [unknown_code_page]
[3336]dwm.exe-->user32.dll-->wsprintfW, Type: IAT modification 0x0041C004-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->CloseHandle, Type: IAT modification 0x0041C054-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->CreateFileA, Type: IAT modification 0x0041C050-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->EnumResourceTypesW, Type: IAT modification 0x0041C03C-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->GetCurrentProcessId, Type: IAT modification 0x0041C040-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->GetCurrentThreadId, Type: IAT modification 0x0041C02C-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x0041C030-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0041C04C-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->GetShortPathNameW, Type: IAT modification 0x0041C01C-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->GetVersionExA, Type: IAT modification 0x0041C05C-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->InitializeCriticalSection, Type: IAT modification 0x0041C038-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->IsDebuggerPresent, Type: IAT modification 0x0041C024-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0041C020-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->LocalFree, Type: IAT modification 0x0041C034-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->SetHandleInformation, Type: IAT modification 0x0041C028-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x0041C044-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->UnhandledExceptionFilter, Type: IAT modification 0x0041C048-->00000000 [unknown_code_page]
[3660]csrss.exe-->user32.dll-->wsprintfA, Type: IAT modification 0x0041C000-->00000000 [unknown_code_page]
[3660]csrss.exe-->user32.dll-->wsprintfW, Type: IAT modification 0x0041C004-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->CloseHandle, Type: IAT modification 0x0041A030-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->CreateFileA, Type: IAT modification 0x0041A014-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->EnumResourceTypesW, Type: IAT modification 0x0041A034-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->GetCurrentProcessId, Type: IAT modification 0x0041A040-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->GetCurrentThreadId, Type: IAT modification 0x0041A028-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x0041A020-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0041A044-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->GetShortPathNameW, Type: IAT modification 0x0041A00C-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->GetVersionExA, Type: IAT modification 0x0041A050-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->InitializeCriticalSection, Type: IAT modification 0x0041A01C-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->IsDebuggerPresent, Type: IAT modification 0x0041A018-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0041A010-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->LocalFree, Type: IAT modification 0x0041A04C-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->SetHandleInformation, Type: IAT modification 0x0041A024-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x0041A03C-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->UnhandledExceptionFilter, Type: IAT modification 0x0041A038-->00000000 [unknown_code_page]
[3732]conhost.exe-->user32.dll-->wsprintfA, Type: IAT modification 0x0041A000-->00000000 [unknown_code_page]
[3732]conhost.exe-->user32.dll-->wsprintfW, Type: IAT modification 0x0041A004-->00000000 [unknown_code_page]
However, I have got malware again, this time XP Security Centre.
Here is an MBAM scan. I did one 2 hours ago, which found nothing, and then ran one a few minutes ago.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6686
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
26/05/2011 22:44:03
mbam-log-2011-05-26 (22-44-03).txt
Scan type: Quick scan
Objects scanned: 175125
Time elapsed: 4 minute(s), 41 second(s)
Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 6
Memory Processes Infected:
c:\documents and settings\user\application data\dwm.exe (Trojan.Downloader) -> 1272 -> Unloaded process successfully.
c:\documents and settings\user\application data\microsoft\conhost.exe (Backdoor.Cycbot.Gen) -> 1408 -> Unloaded process successfully.
c:\documents and settings\user\local settings\application data\mwv.exe (Trojan.FakeAlert) -> 1684 -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Backdoor.Cycbot.Gen) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Backdoor.Cycbot.Gen) -> Bad: (C:\DOCUME~1\user\LOCALS~1\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\user\Local Settings\Application Data\mwv.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\user\Local Settings\Application Data\mwv.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\user\Local Settings\Application Data\mwv.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\user\application data\dwm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\user\application data\microsoft\conhost.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\Documents and Settings\user\Local Settings\temp\csrss.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\user\local settings\application data\mwv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\user\local settings\temp\0.2426014038373283.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\user\local settings\temp\0.7195831096024854.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
As well as that, I also did a full RootkitUnhooker scan.
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>SSDT State
==============================================
ntoskrnl.exe-->NtClose, Type: Address change 0x80567AED-->F8A8A514 [sbhr.sys]
ntoskrnl.exe-->NtCreateKey, Type: Address change 0x8057376F-->F8D1AE6E [Unknown module filename]
ntoskrnl.exe-->NtCreateThread, Type: Address change 0x80578803-->F8D1AE64 [Unknown module filename]
ntoskrnl.exe-->NtDeleteKey, Type: Address change 0x80597FFA-->F8D1AE73 [Unknown module filename]
ntoskrnl.exe-->NtDeleteValueKey, Type: Address change 0x80595C1A-->F8D1AE7D [Unknown module filename]
ntoskrnl.exe-->NtLoadKey, Type: Address change 0x805AF5C3-->F8D1AE82 [Unknown module filename]
ntoskrnl.exe-->NtOpenKey, Type: Address change 0x80568F68-->F8A8A4D0 [sbhr.sys]
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x80574AA9-->F8D1AE50 [Unknown module filename]
ntoskrnl.exe-->NtOpenThread, Type: Address change 0x8059323B-->F8D1AE55 [Unknown module filename]
ntoskrnl.exe-->NtReplaceKey, Type: Address change 0x8064FE82-->F8D1AE8C [Unknown module filename]
ntoskrnl.exe-->NtRestoreKey, Type: Address change 0x8064FA19-->F8D1AE87 [Unknown module filename]
ntoskrnl.exe-->NtSetValueKey, Type: Address change 0x8057BC5B-->F8D1AE78 [Unknown module filename]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x805839B9-->F8D1AE5F [Unknown module filename]
==============================================
>Shadow
==============================================
==============================================
>Processes
==============================================
0x82FCAB98 [4] System
0x829A8650 [120] C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation, Windows Security Center Notification App)
0x82D0D168 [416] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x82D20020 [480] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x82C4BD78 [516] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x82975560 [560] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x82D0F168 [580] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x82EA7990 [656] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
0x8287ADA0 [752] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82C9ADA0 [800] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82868360 [868] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82CD7DA0 [924] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x828D5560 [1036] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82956920 [1164] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x828ED460 [1184] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x828C9928 [1232] C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH, Antivirus Scheduler)
0x82905BC0 [1296] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82C5F308 [1344] C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH, Antivirus On-Access Service)
0x82EA88D0 [1380] C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc., SiteAdvisor)
0x82C54800 [1404] C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation, Run a DLL as an App)
0x82C7F318 [1408] C:\WINDOWS\system32\taskmgr.exe (Microsoft Corporation, Windows TaskManager)
0x82EA1DA0 [1476] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8294C2C8 [1908] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
0x82873530 [2232] C:\Documents and Settings\user\Local Settings\Application Data\mwv.exe
0x82C965B8 [2516] C:\Documents and Settings\user\Desktop\aswMBR-2.EXE (UG North, RKULE, SR2 Normandy)
0x828C6CD0 [2980] C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation, Firefox)
0x8290B328 [3336] C:\Documents and Settings\user\Application Data\dwm.exe (-, -)
0x829AF260 [3532] C:\WINDOWS\system32\msiexec.exe (Microsoft Corporation, Windows® installer)
0x82BB4BD0 [3660] C:\DOCUME~1\user\LOCALS~1\temp\csrss.exe (-, -)
0x82901B00 [3732] C:\Documents and Settings\user\Application Data\Microsoft\conhost.exe (-, -)
==============================================
>Drivers
==============================================
0xF7462000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 4345856 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF78CE000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 4124672 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0xBF17C000 C:\WINDOWS\System32\ati3duag.dll 3178496 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2192768 bytes
0x804D7000 RAW 2192768 bytes
0x804D7000 WMIxWDM 2192768 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF484000 C:\WINDOWS\System32\ativvaxx.dll 1765376 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xF8509000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF05F000 C:\WINDOWS\System32\ati2cqag.dll 520192 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF0DE000 C:\WINDOWS\System32\atikvmag.dll 458752 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xAA665000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF7371000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAA772000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA97C2000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 315392 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF633000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA91A6000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF8627000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xBF14E000 C:\WINDOWS\System32\atiok3x2.dll 188416 bytes (ATI Technologies Inc., Ring 0 x2 component)
0xA9932000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF84DC000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA8E8E000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAA6FD000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAA74A000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xAA63F000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA8E42000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF78AA000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF7CBD000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF7887000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAA728000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EF000 ACPI_HAL 131840 bytes
0x806EF000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF85BF000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF85F7000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xAA623000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 114688 bytes (Avira GmbH, Avira Driver for RootKit Detection)
0xF84C2000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF85DF000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xAA60B000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF8596000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF7423000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA943D000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xA9BB7000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 81920 bytes (Avira GmbH, Avira Minifilter Driver)
0xF743A000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF744E000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAA7CB000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF85AD000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF8616000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF7412000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF8896000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF8746000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF8766000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF8726000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF8756000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA9A1F000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF87D6000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF86B6000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF8776000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF8786000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF8696000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF87A6000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xA90B9000 C:\DOCUME~1\user\LOCALS~1\Temp\aswMBR.sys 45056 bytes
0xF8836000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF8736000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF8686000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF8796000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF8716000 C:\WINDOWS\system32\DRIVERS\amdk7.sys 40960 bytes (Microsoft Corporation, Processor Device Driver)
0xF8676000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF87E6000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF87C6000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF86A6000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF87B6000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF8826000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA937A000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF8846000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF8926000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF8A1E000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF8A2E000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF88F6000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF8936000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF8A46000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF8A3E000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF8A36000 C:\WINDOWS\system32\DRIVERS\point32.sys 24576 bytes (Microsoft Corporation, Point32.sys)
0xF8A26000 C:\WINDOWS\system32\DRIVERS\RTL8139.SYS 24576 bytes (Realtek Semiconductor Corporation, Realtek RTL8139 NDIS 5.0 Driver)
0xF892E000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xF8A7E000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF8A6E000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF891E000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF88FE000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF8A5E000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF8A66000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF8A4E000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF8A16000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF8956000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF83E0000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA9BCB000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF8B6E000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF8A86000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7369000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF8B72000 C:\WINDOWS\system32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xF83F0000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF8B12000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF8A8A000 sbhr.sys 12288 bytes (-, Sunbelt CounterSpy AP Driver)
0xF8BB6000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
0xF8BAE000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8BC0000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8BAC000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8B76000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8BB0000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8B94000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF8BB2000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8BA8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8BAA000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8B78000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8C5D000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8D46000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8DB5000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF8C3E000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x824F2AD4 Unknown page with executable code, 1324 bytes
0x824EE504 Unknown page with executable code, 2812 bytes
0x824ED0C6 Unknown page with executable code, 3898 bytes
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B7B4, Type: Inline - RelativeJump 0x804E27B4-->804E2768 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B7BC, Type: Inline - RelativeJump 0x804E27BC-->804E2770 [ntoskrnl.exe]
ntoskrnl.exe+0x0000BA94, Type: Inline - RelativeJump 0x804E2A94-->804E2A48 [ntoskrnl.exe]
[1164]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1164]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1164]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1164]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1164]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[1164]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[1164]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[2232]mwv.exe-->advapi32.dll-->RegCloseKey, Type: IAT modification 0x005F0000-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegCreateKeyExA, Type: IAT modification 0x005F0004-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegDeleteKeyA, Type: IAT modification 0x005F0020-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegDeleteValueA, Type: IAT modification 0x005F001C-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegEnumKeyExA, Type: IAT modification 0x005F0018-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegOpenKeyExA, Type: IAT modification 0x005F0014-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegOpenKeyExW, Type: IAT modification 0x005F0010-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegQueryInfoKeyA, Type: IAT modification 0x005F000C-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegQueryValueExW, Type: IAT modification 0x005F0024-->00000000 [unknown_code_page]
[2232]mwv.exe-->advapi32.dll-->RegSetValueExA, Type: IAT modification 0x005F0008-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->AddAtomA, Type: IAT modification 0x005F0114-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->CloseHandle, Type: IAT modification 0x005F0110-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->CreateEventA, Type: IAT modification 0x005F010C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->CreateThread, Type: IAT modification 0x005F0108-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->ExitProcess, Type: IAT modification 0x005F0100-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->FindResourceA, Type: IAT modification 0x005F00FC-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->FormatMessageA, Type: IAT modification 0x005F00F8-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x005F0090-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetACP, Type: IAT modification 0x005F002C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetCommandLineW, Type: IAT modification 0x005F0030-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetCurrentProcess, Type: IAT modification 0x005F0034-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetCurrentProcessId, Type: IAT modification 0x005F0038-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetCurrentThreadId, Type: IAT modification 0x005F003C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetFileAttributesW, Type: IAT modification 0x005F0040-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetLocaleInfoA, Type: IAT modification 0x005F0048-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x005F004C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x005F0050-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x005F0054-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetModuleHandleW, Type: IAT modification 0x005F0058-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x005F005C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetStartupInfoA, Type: IAT modification 0x005F0060-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetSystemDirectoryW, Type: IAT modification 0x005F0064-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetSystemTimeAsFileTime, Type: IAT modification 0x005F0068-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetThreadLocale, Type: IAT modification 0x005F006C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetTickCount, Type: IAT modification 0x005F0070-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetVersion, Type: IAT modification 0x005F0074-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->GetVersionExA, Type: IAT modification 0x005F0078-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->InitializeCriticalSection, Type: IAT modification 0x005F007C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->InterlockedDecrement, Type: IAT modification 0x005F0080-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->InterlockedExchange, Type: IAT modification 0x005F0084-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->InterlockedIncrement, Type: IAT modification 0x005F0088-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->IsDBCSLeadByte, Type: IAT modification 0x005F008C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x005F0118-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x005F0094-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x005F0098-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x005F009C-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->LoadResource, Type: IAT modification 0x005F00A0-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->LocalAlloc, Type: IAT modification 0x005F00A4-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->LocalFree, Type: IAT modification 0x005F00A8-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->lstrcmpiA, Type: IAT modification 0x005F00E8-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->lstrcpynA, Type: IAT modification 0x005F00EC-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->lstrlenA, Type: IAT modification 0x005F00F0-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->lstrlenW, Type: IAT modification 0x005F00F4-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->MultiByteToWideChar, Type: IAT modification 0x005F00AC-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->OutputDebugStringA, Type: IAT modification 0x005F00B0-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->QueryPerformanceCounter, Type: IAT modification 0x005F00B4-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->RaiseException, Type: IAT modification 0x005F00B8-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->SetErrorMode, Type: IAT modification 0x005F00BC-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->SetEvent, Type: IAT modification 0x005F00C0-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x005F00C8-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->SizeofResource, Type: IAT modification 0x005F00CC-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->Sleep, Type: IAT modification 0x005F00D0-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->TerminateProcess, Type: IAT modification 0x005F00D4-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->UnhandledExceptionFilter, Type: IAT modification 0x005F00D8-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->VirtualAlloc, Type: IAT modification 0x005F00DC-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->WaitForSingleObject, Type: IAT modification 0x005F00E0-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->WideCharToMultiByte, Type: IAT modification 0x005F00E4-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->BeginPaint, Type: IAT modification 0x005F01FC-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->CharNextA, Type: IAT modification 0x005F01F8-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->DestroyIcon, Type: IAT modification 0x005F0200-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->DestroyWindow, Type: IAT modification 0x005F01F4-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->DispatchMessageA, Type: IAT modification 0x005F01F0-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->EnableWindow, Type: IAT modification 0x005F01EC-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->EndPaint, Type: IAT modification 0x005F01E8-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->FillRect, Type: IAT modification 0x005F01E4-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetActiveWindow, Type: IAT modification 0x005F01E0-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetAsyncKeyState, Type: IAT modification 0x005F01DC-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetClassNameA, Type: IAT modification 0x005F01D8-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetClientRect, Type: IAT modification 0x005F01D4-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetCursorPos, Type: IAT modification 0x005F01D0-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetFocus, Type: IAT modification 0x005F01CC-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetMessageA, Type: IAT modification 0x005F01C8-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetMessageW, Type: IAT modification 0x005F01C4-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetParent, Type: IAT modification 0x005F01C0-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetSystemMetrics, Type: IAT modification 0x005F0140-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetWindowLongA, Type: IAT modification 0x005F0144-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification 0x005F0148-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->GetWindowRect, Type: IAT modification 0x005F014C-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->IsIconic, Type: IAT modification 0x005F0150-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->IsWindow, Type: IAT modification 0x005F0154-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->KillTimer, Type: IAT modification 0x005F0158-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->LoadAcceleratorsA, Type: IAT modification 0x005F015C-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->LoadCursorA, Type: IAT modification 0x005F0160-->00000000 [msctf.dll]
[2232]mwv.exe-->user32.dll-->LoadIconA, Type: IAT modification 0x005F0164-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->MessageBeep, Type: IAT modification 0x005F0168-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->MessageBoxA, Type: IAT modification 0x005F016C-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->MessageBoxW, Type: IAT modification 0x005F0170-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->MoveWindow, Type: IAT modification 0x005F0174-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->OffsetRect, Type: IAT modification 0x005F0178-->00000000 [msctf.dll]
[2232]mwv.exe-->user32.dll-->PeekMessageA, Type: IAT modification 0x005F017C-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->PostQuitMessage, Type: IAT modification 0x005F0180-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->PostThreadMessageA, Type: IAT modification 0x005F0184-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->RegisterWindowMessageA, Type: IAT modification 0x005F0188-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SendMessageA, Type: IAT modification 0x005F018C-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SetCursor, Type: IAT modification 0x005F0190-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SetFocus, Type: IAT modification 0x005F0194-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SetRect, Type: IAT modification 0x005F0198-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SetTimer, Type: IAT modification 0x005F019C-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SetWindowLongA, Type: IAT modification 0x005F01A0-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SetWindowPos, Type: IAT modification 0x005F01A4-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->ShowWindow, Type: IAT modification 0x005F01A8-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->SystemParametersInfoA, Type: IAT modification 0x005F01AC-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->TranslateAcceleratorA, Type: IAT modification 0x005F01B0-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->TranslateMessage, Type: IAT modification 0x005F01B4-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->UpdateWindow, Type: IAT modification 0x005F01B8-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->WaitMessage, Type: IAT modification 0x005F01BC-->00000000 [unknown_code_page]
[2980]firefox.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C8197B1-->00000000 [kernel32.dll]
[2980]firefox.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - PushRet 0x7C8197B5-->00000000 [kernel32.dll]
[2980]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->00000000 [firefox.exe]
[2980]firefox.exe-->ws2_32.dll-->closesocket, Type: Inline - PushRet 0x71AB3E2B-->00000000 [unknown_code_page]
[2980]firefox.exe-->ws2_32.dll-->recv, Type: Inline - PushRet 0x71AB676F-->00000000 [unknown_code_page]
[2980]firefox.exe-->ws2_32.dll-->send, Type: Inline - PushRet 0x71AB4C27-->00000000 [unknown_code_page]
[2980]firefox.exe-->ws2_32.dll-->WSAGetOverlappedResult, Type: Inline - PushRet 0x71AC0D1B-->00000000 [unknown_code_page]
[2980]firefox.exe-->ws2_32.dll-->WSARecv, Type: Inline - PushRet 0x71AB4CB5-->00000000 [unknown_code_page]
[2980]firefox.exe-->ws2_32.dll-->WSASend, Type: Inline - PushRet 0x71AB68FA-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->CloseHandle, Type: IAT modification 0x0041C020-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->CreateFileA, Type: IAT modification 0x0041C050-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->EnumResourceTypesW, Type: IAT modification 0x0041C040-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->GetCurrentProcessId, Type: IAT modification 0x0041C024-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->GetCurrentThreadId, Type: IAT modification 0x0041C02C-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x0041C054-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0041C038-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->GetShortPathNameW, Type: IAT modification 0x0041C01C-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->GetVersionExA, Type: IAT modification 0x0041C05C-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->InitializeCriticalSection, Type: IAT modification 0x0041C018-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->IsDebuggerPresent, Type: IAT modification 0x0041C03C-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0041C04C-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->LocalFree, Type: IAT modification 0x0041C044-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->SetHandleInformation, Type: IAT modification 0x0041C030-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x0041C048-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->UnhandledExceptionFilter, Type: IAT modification 0x0041C058-->00000000 [unknown_code_page]
[3336]dwm.exe-->user32.dll-->wsprintfA, Type: IAT modification 0x0041C000-->00000000 [unknown_code_page]
[3336]dwm.exe-->user32.dll-->wsprintfW, Type: IAT modification 0x0041C004-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->CloseHandle, Type: IAT modification 0x0041C054-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->CreateFileA, Type: IAT modification 0x0041C050-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->EnumResourceTypesW, Type: IAT modification 0x0041C03C-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->GetCurrentProcessId, Type: IAT modification 0x0041C040-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->GetCurrentThreadId, Type: IAT modification 0x0041C02C-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x0041C030-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0041C04C-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->GetShortPathNameW, Type: IAT modification 0x0041C01C-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->GetVersionExA, Type: IAT modification 0x0041C05C-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->InitializeCriticalSection, Type: IAT modification 0x0041C038-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->IsDebuggerPresent, Type: IAT modification 0x0041C024-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0041C020-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->LocalFree, Type: IAT modification 0x0041C034-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->SetHandleInformation, Type: IAT modification 0x0041C028-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x0041C044-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->UnhandledExceptionFilter, Type: IAT modification 0x0041C048-->00000000 [unknown_code_page]
[3660]csrss.exe-->user32.dll-->wsprintfA, Type: IAT modification 0x0041C000-->00000000 [unknown_code_page]
[3660]csrss.exe-->user32.dll-->wsprintfW, Type: IAT modification 0x0041C004-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->CloseHandle, Type: IAT modification 0x0041A030-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->CreateFileA, Type: IAT modification 0x0041A014-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->EnumResourceTypesW, Type: IAT modification 0x0041A034-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->GetCurrentProcessId, Type: IAT modification 0x0041A040-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->GetCurrentThreadId, Type: IAT modification 0x0041A028-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x0041A020-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0041A044-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->GetShortPathNameW, Type: IAT modification 0x0041A00C-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->GetVersionExA, Type: IAT modification 0x0041A050-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->InitializeCriticalSection, Type: IAT modification 0x0041A01C-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->IsDebuggerPresent, Type: IAT modification 0x0041A018-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0041A010-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->LocalFree, Type: IAT modification 0x0041A04C-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->SetHandleInformation, Type: IAT modification 0x0041A024-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x0041A03C-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->UnhandledExceptionFilter, Type: IAT modification 0x0041A038-->00000000 [unknown_code_page]
[3732]conhost.exe-->user32.dll-->wsprintfA, Type: IAT modification 0x0041A000-->00000000 [unknown_code_page]
[3732]conhost.exe-->user32.dll-->wsprintfW, Type: IAT modification 0x0041A004-->00000000 [unknown_code_page]
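As an added example (not part of the thread and not RootkitUnhooker's own tooling), the script below parses lines in the RkU ">Hooks" format shown above, rates each hook, and clusters processes whose hooked imports are identical, which is the pattern the dwm.exe, csrss.exe and conhost.exe entries show. The embedded log is an excerpt of the lines above. The rating rules are assumptions of mine: shimeng.dll (the application-compatibility shim engine) rewrites IATs by design, a target of "unknown_code_page" means memory that no loaded module accounts for, and the host is assumed to be Windows XP, on which dwm.exe and conhost.exe do not ship (they arrived with Vista and Windows 7).

```python
# Added example (not from the thread or from RootkitUnhooker): triage RkU
# ">Hooks" lines, rate each hook, and cluster processes whose hooked
# imports are identical, which usually means one binary under several names.
import re
from collections import defaultdict

# Excerpt of the hook list posted above, same line format, fewer lines.
SAMPLE_LOG = """\
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
[1164]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[2232]mwv.exe-->advapi32.dll-->RegSetValueExA, Type: IAT modification 0x005F0008-->00000000 [unknown_code_page]
[2232]mwv.exe-->kernel32.dll-->VirtualAlloc, Type: IAT modification 0x005F00DC-->00000000 [unknown_code_page]
[2232]mwv.exe-->user32.dll-->LoadCursorA, Type: IAT modification 0x005F0160-->00000000 [msctf.dll]
[2980]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->00000000 [firefox.exe]
[2980]firefox.exe-->ws2_32.dll-->recv, Type: Inline - PushRet 0x71AB676F-->00000000 [unknown_code_page]
[2980]firefox.exe-->ws2_32.dll-->send, Type: Inline - PushRet 0x71AB4C27-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->IsDebuggerPresent, Type: IAT modification 0x0041C03C-->00000000 [unknown_code_page]
[3336]dwm.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0041C04C-->00000000 [unknown_code_page]
[3336]dwm.exe-->user32.dll-->wsprintfA, Type: IAT modification 0x0041C000-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->IsDebuggerPresent, Type: IAT modification 0x0041C024-->00000000 [unknown_code_page]
[3660]csrss.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0041C020-->00000000 [unknown_code_page]
[3660]csrss.exe-->user32.dll-->wsprintfA, Type: IAT modification 0x0041C000-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->IsDebuggerPresent, Type: IAT modification 0x0041A018-->00000000 [unknown_code_page]
[3732]conhost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0041A010-->00000000 [unknown_code_page]
[3732]conhost.exe-->user32.dll-->wsprintfA, Type: IAT modification 0x0041A000-->00000000 [unknown_code_page]
"""

# User-mode line: [PID]proc-->module[-->module]-->Func, Type: T 0xSRC-->DST [owner]
USER_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<proc>.+?)-->(?P<chain>.+?), Type: (?P<type>.+?) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$")
# Kernel line: module+0xOFF, Type: T 0xSRC-->DST [owner]
KERNEL_RE = re.compile(
    r"^(?P<module>\S+)\+0x(?P<off>[0-9A-Fa-f]+), Type: (?P<type>.+?) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$")

# Rating assumptions (mine, not from the thread): shimeng.dll is the app-compat
# shim engine and patches IATs by design; dwm.exe and conhost.exe are not
# Windows XP binaries, so on an XP host a process by that name is an impostor.
BENIGN_OWNERS = {"shimeng.dll"}
XP_IMPOSTORS = {"dwm.exe", "conhost.exe"}
NET_IO = {"send", "recv", "WSASend", "WSARecv", "closesocket", "WSAGetOverlappedResult"}


def parse_hook(line):
    """Return a dict for one RkU hook line, or None if the line is not one."""
    m = USER_RE.match(line)
    if m:
        chain = m["chain"].split("-->")  # e.g. advapi32.dll, kernel32.dll, GetProcAddress
        return {"kind": "user", "pid": int(m["pid"]), "proc": m["proc"],
                "module": chain[-2] if len(chain) > 1 else "", "func": chain[-1],
                "type": m["type"], "owner": m["owner"]}
    m = KERNEL_RE.match(line)
    if m:
        return {"kind": "kernel", "pid": 0, "proc": m["module"], "module": m["module"],
                "func": "+0x" + m["off"], "type": m["type"], "owner": m["owner"]}
    return None


def rate(h):
    """Rate one parsed hook as 'low', 'medium' or 'high'."""
    if h["kind"] == "kernel":
        # A kernel jump landing back inside the same image is a self-patch;
        # one landing in an unnamed page or a third-party driver is not.
        return "low" if h["owner"] == h["module"] else "high"
    if h["owner"] in BENIGN_OWNERS:
        return "low"
    if h["proc"].lower() in XP_IMPOSTORS:
        return "high"
    if h["owner"] == "unknown_code_page":
        # Target is memory no loaded module accounts for. On socket I/O that
        # is the shape of an injected traffic proxy; elsewhere it is at least
        # an import table rebuilt at run time (packed or injected code).
        return "high" if h["func"] in NET_IO else "medium"
    if h["owner"] in (h["proc"], h["module"]):
        return "low"  # a module patching itself, or the host exe hooking its own DLLs
    return "medium"


def triage(text):
    """Return the worst rating per process and clusters of look-alike processes."""
    order = {"low": 0, "medium": 1, "high": 2}
    worst, imports = {}, defaultdict(set)
    for h in filter(None, map(parse_hook, text.splitlines())):
        key = h["proc"] if h["kind"] == "kernel" else f"[{h['pid']}]{h['proc']}"
        r = rate(h)
        if key not in worst or order[r] > order[worst[key]]:
            worst[key] = r
        if h["type"] == "IAT modification":
            imports[key].add((h["module"], h["func"]))
    # Distinct process names with exactly the same set of hooked imports are
    # almost always one executable copied under several names.
    by_set = defaultdict(set)
    for key, funcs in imports.items():
        by_set[frozenset(funcs)].add(key.rsplit("]", 1)[-1])
    clusters = sorted(sorted(n) for n in by_set.values() if len(n) > 1)
    return {"worst": worst, "clusters": clusters}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for proc, level in sorted(result["worst"].items()):
        print(f"{level:<6} {proc}")
    for names in result["clusters"]:
        print("same hooked-import set:", ", ".join(names))
```

To run it over a saved report, pass the file contents to `triage()` instead of `SAMPLE_LOG`. On the excerpt it rates the ntoskrnl self-patch and the shimeng.dll entries in explorer.exe low, the fully redirected import table of mwv.exe medium, the socket hooks in firefox.exe and the XP impostors high, and reports that dwm.exe, csrss.exe and conhost.exe share one hooked-import set.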
#78
Posted 26 May 2011 - 04:21 PM

Hi,
I would recommend that you back up your valuable data, format all partitions and then reinstall the OS.
#79
Posted 29 May 2011 - 02:51 PM

I may need to do that. ATM though I haven't the time, although when I am off in the summer I may reinstall the OS then.
The PC seems OK now. Malwarebytes found and deleted some items, as did the new version of the Kaspersky free antivirus tool.
TDSSKiller and aswMBR both came up clean. I haven't seen anything unusual since Thursday and the PC is running OK.
#80
Posted 29 May 2011 - 03:30 PM

Hi,
OK. But one of the infections was a backdoor trojan. Before that infection your system looked clean. Maybe you know what the source of the infection was? Maybe some removable storage drive?
Please do this:
On your working computer go here and create Avira rescue CD
- Boot your infected computer from that CD
- For Boot Options choose 1 (Boot AntiVir Rescue System (default))
- In Virus scanner tab click on Start scanner
- When the scan is finished save the scan report and post it in your next reply
- Eject and remove Avira Rescue CD
- Restart your system in Windows
To set your computer BIOS to boot from a CD
- Restart your computer. Watch the start-up instructions that are displayed on-screen.
- A message will be displayed instructing you to press a named key (often F2, F12, or Delete) to go into settings/setup/configuration. (The key and the message will vary according to the type of computer that you are running.)
- Press this key to enter the BIOS setup mode.
- (If your computer is particularly fast, it may remove the message before you have the chance to press the key; in this case, try pressing the key once a second, starting the moment you reboot.)
Some examples:
- On a Dell computer, you should hit F2 to enter the BIOS.
- Other computers may require you to hit the DEL (Delete) button to enter the BIOS.
- On newer computers, you may be able to hit F12 to select a temporary boot device rather than changing the permanent boot sequence in the BIOS itself. If your computer offers this option, simply select the CD or DVD drive containing the antivirus CD as your temporary boot device, and skip steps 2 and 3.
- In the BIOS window, find the area that controls the boot sequence and rearrange the list of devices so that your CD or DVD drive is checked before your hard drive.
- For most situations, a suitable sequence is:
- CDROM (or DVDROM)
- HD1 (or C).
- If your drives are listed in this order, then when you keep the CD in your CD or DVD drive during a reboot, your computer will be told to run and check for viruses on your system. (If the hard drive is listed earlier than the CD drive, your computer will not detect the CD's presence and will simply boot into Windows.)
- Save the settings and exit.
- When your computer reboots, it will check the CD or DVD drive containing the disk before it checks the hard drive. You may press any key on your keyboard to boot from CD.
#81
Posted 29 May 2011 - 03:58 PM

I do use a removable storage drive.
It's basically to store files on that could get lost if I need to reinstall Windows, which happened before.
I scanned it with the Kaspersky and nothing was found on it, just on the C drive in the System Volume Information.
Autoscan: completed 2 hours ago (events: 6, objects: 577152, time: 05:43:04)
29/05/2011 15:01:15 Task started
29/05/2011 17:13:11 Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{DAD4D94B-5139-4C09-8B20-68886CEFDB3B}\RP30\A0008353.exe
29/05/2011 18:01:56 Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{DAD4D94B-5139-4C09-8B20-68886CEFDB3B}\RP30\A0008354.exe
29/05/2011 18:02:00 Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{DAD4D94B-5139-4C09-8B20-68886CEFDB3B}\RP30\A0008367.exe
29/05/2011 18:02:00 Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{DAD4D94B-5139-4C09-8B20-68886CEFDB3B}\RP30\A0008369.exe
29/05/2011 20:44:21 Task completed
I'll follow your guide on the Avira rescue CD and post when I'm done in the next day or two.
Edited by arclight, 29 May 2011 - 04:00 PM.
#82
Posted 29 May 2011 - 04:02 PM

OK. But before that please do the following:
Reset System Restore points:
- Please reopen OTL on your desktop.
- Copy (select all lines inside quote box and press CTRL+C) and Paste (press CTRL+V) the following code into the textbox.
:Commands
[ClearAllRestorePoints]
- Click on the button.
- OTL may ask to reboot the machine. Please do so if asked.
- Click on the button.
#83
Posted 01 June 2011 - 07:03 PM

I have a quick question about RootkitUnhooker.
I ran it again and nothing came up under Stealth.
I also did a hidden file scan on my removable storage drive and it came up clean.
It does pick up some hooks but I'm unsure if these are serious.
Should I just leave it for now or would you like some logs posted? I thought I'd ask to make sure.
#84
Posted 01 June 2011 - 07:30 PM

No need for posting those logs. I think that your system is clean. I just want to make sure that I'm right, and I want to do it from an external environment.
#85
Posted 04 June 2011 - 10:18 PM

The only clean computer I have access to ATM is the MacBook, which the Avira exe will not run on.
I'll have to create the disc at work, so it will be Monday or Tuesday before I post the scan results.
#86
Posted 05 June 2011 - 05:40 AM

OK. I will wait for results.
#87
Posted 08 June 2011 - 05:33 AM

I tried the disc but it froze when booting up at 60%.
It booted from the CD OK and I selected Avira rescue (default), then a blue screen came up loading items and it stopped at 60%.
I'm going to a neighbour's house today and will be trying the disc on his PC. I'll also make a fresh one when I'm there and try running the rescue disc tonight again on my own PC and post later about the results.
Edited by arclight, 08 June 2011 - 05:34 AM.
#88
Posted 08 June 2011 - 05:38 AM

OK.
#89
Posted 09 June 2011 - 06:22 PM

The Avira rescue disc booted OK on my neighbour's PC.
I tried it again on mine but it wouldn't boot. Haven't had any malware/virus issues though.
I ran Spybot and it found and deleted a few items, but the PC is running OK even though the Avira rescue disc didn't boot up.
#90
Posted 10 June 2011 - 09:24 AM

Avira Rescue sometimes has problems with some hardware, so nothing alarming here. After reviewing your logs once again I would say that your system is clean. Are you experiencing any problems?