
Trojan - can't install MWAB, Redirects Searches, Can't even get to MalwareB.org


Squeeky


Hello Everyone,

I was directed to post my problem here. I know I have a trojan, I believe it is AntivirusPro 2009. Problems include redirecting search engines, and not allowing me to get to the MalwareBytes.org site at all. I cannot install MWAB either, and took the advice of others and changed the names of the installer, and that would not work either.

I am definitely stuck, what a helpless feeling, this trojan is very smart.

Any advice is greatly appreciated, thank you.

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.
I need you to follow the instructions provided here first.
I also need for you to download this program, http://oldtimer.geekstogo.com/OTListIt.exe, to your desktop.
  • Close all applications and windows so that you have nothing open and are at your Desktop.

  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.

  • Place a checkmark in the "Scan All Users" checkbox (leave 'Use Whitelist' checked and 'File Age:' at 30 days).

  • Click the Run Scan button.

  • NOTE: Please be patient and let the scan run without using the computer.

  • When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop).

  • In Notepad, click Edit, Select all, then Edit, Copy.

  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log, or right-click and paste.

  • Submit your reply and close the Notepad window with OTListIt.txt.

  • Also, OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window.

  • In Notepad, click Edit, Select all, then Edit, Copy.

  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log, or right-click and paste.

  • NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in Notepad from your desktop.

Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.

Hi Dustin,

I apologize, however, my problems are obviously complicated as I was only able to complete 1 item requested, everything else failed or was simply non-responsive.

When I attempted to download Spybot, both IE and Firefox were redirected from any site that contained Spybot. Downloaded the exe file from a different (uninfected) computer and moved over by usb stick. Seemed to get about half way thru the installation, then error with "a connection with the server could not be established".

Malwarebytes was the same issue as I mentioned originally. Redirected from all recommended sites, then when I was able to move the exe file over by usb stick it was completely non-responsive, almost like it was being blocked, so no scan/results were possible.

Although I was lucky enough to not get redirected, PandaActive Scan would get about half way, then when attempting to "update" would error out. ESET was continuously redirected, no luck getting anywhere near it.

OTList was the only results I was able to get for you, OTLISTIT TEXT first, then EXTRAS following below that:


OTListIt.Txt

Extras.Txt


Dustin,

Here is the GMER log, I'll put the Hijackthis log in the next post.

Thanks!

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-11-13 07:07:06

Windows 5.1.2600 Service Pack 3


.text C:\WINDOWS\system32\wscntfy.exe[2360] USER32.dll!SendInput 7E42F140 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\wscntfy.exe[2360] USER32.dll!SendInput + 4 7E42F144 2 Bytes [ 1A, 5F ]

.text C:\WINDOWS\system32\wscntfy.exe[2360] USER32.dll!SendMessageA 7E42F3C2 6 Bytes JMP 5F1C0F5A

.text C:\WINDOWS\system32\wscntfy.exe[2360] USER32.dll!mouse_event 7E46673F 6 Bytes JMP 5F130F5A

.text C:\WINDOWS\system32\wscntfy.exe[2360] USER32.dll!keybd_event 7E466783 6 Bytes JMP 5F160F5A

.text C:\WINDOWS\system32\wscntfy.exe[2360] SHELL32.dll!Shell_NotifyIconW 7CA2A52F 6 Bytes JMP 5F280F5A

.text C:\WINDOWS\system32\wscntfy.exe[2360] ADVAPI32.dll!CreateServiceA 77E371E9 6 Bytes JMP 5F220F5A

.text C:\WINDOWS\system32\wscntfy.exe[2360] ADVAPI32.dll!CreateServiceW 77E37381 6 Bytes JMP 5F250F5A

.text C:\WINDOWS\system32\wscntfy.exe[2360] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 5F0D0F5A

.text C:\WINDOWS\system32\wscntfy.exe[2360] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\wscntfy.exe[2360] WS2_32.dll!listen 71AB8CD3 6 Bytes JMP 5F0A0F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 34, 5F ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] ntdll.dll!NtOpenProcess 7C90D5E0 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] ntdll.dll!NtOpenProcess + 4 7C90D5E4 2 Bytes [ 37, 5F ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 3A, 5F ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 31, 5F ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 2E, 5F ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 4E, 84 ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F100F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5F3F0F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] USER32.dll!SendMessageW 7E42929A 6 Bytes JMP 5F3C0F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] USER32.dll!PostMessageA 7E42AAFD 6 Bytes JMP 5F1F0F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] USER32.dll!SendInput 7E42F140 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] USER32.dll!SendInput + 4 7E42F144 2 Bytes [ 1A, 5F ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] USER32.dll!SendMessageA 7E42F3C2 6 Bytes JMP 5F1C0F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] USER32.dll!mouse_event 7E46673F 6 Bytes JMP 5F130F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] USER32.dll!keybd_event 7E466783 6 Bytes JMP 5F160F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] ADVAPI32.dll!CreateServiceA 77E371E9 6 Bytes JMP 5F220F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] ADVAPI32.dll!CreateServiceW 77E37381 6 Bytes JMP 5F250F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 5F0D0F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F070F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] WS2_32.dll!listen 71AB8CD3 6 Bytes JMP 5F0A0F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2372] shell32.dll!Shell_NotifyIconW 7CA2A52F 6 Bytes JMP 5F280F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 51, 5F ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] ntdll.dll!NtOpenProcess 7C90D5E0 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] ntdll.dll!NtOpenProcess + 4 7C90D5E4 2 Bytes [ 54, 5F ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 57, 5F ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 4E, 5F ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 4B, 5F ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 40, 89 ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F270F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5F5C0F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] USER32.dll!SendMessageW 7E42929A 6 Bytes JMP 5F590F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] USER32.dll!PostMessageA 7E42AAFD 6 Bytes JMP 5F3D0F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] USER32.dll!SendInput 7E42F140 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] USER32.dll!SendInput + 4 7E42F144 2 Bytes [ 38, 5F ]

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] USER32.dll!SendMessageA 7E42F3C2 6 Bytes JMP 5F3A0F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] USER32.dll!mouse_event 7E46673F 6 Bytes JMP 5F2C0F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] USER32.dll!keybd_event 7E466783 6 Bytes JMP 5F2F0F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] ADVAPI32.dll!CreateServiceA 77E371E9 6 Bytes JMP 5F400F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] ADVAPI32.dll!CreateServiceW 77E37381 6 Bytes JMP 5F440F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 5F240F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F1E0F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] WS2_32.dll!listen 71AB8CD3 6 Bytes JMP 5F210F5A

.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2384] SHELL32.dll!Shell_NotifyIconW 7CA2A52F 6 Bytes JMP 5F470F5A

.text H:\hghghg.exe[3808] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]

.text H:\hghghg.exe[3808] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 26, 5F ]

.text H:\hghghg.exe[3808] ntdll.dll!NtOpenProcess 7C90D5E0 3 Bytes [ FF, 25, 1E ]

.text H:\hghghg.exe[3808] ntdll.dll!NtOpenProcess + 4 7C90D5E4 2 Bytes [ 29, 5F ]

.text H:\hghghg.exe[3808] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]

.text H:\hghghg.exe[3808] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 2C, 5F ]

.text H:\hghghg.exe[3808] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]

.text H:\hghghg.exe[3808] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 23, 5F ]

.text H:\hghghg.exe[3808] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]

.text H:\hghghg.exe[3808] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 20, 5F ]

.text H:\hghghg.exe[3808] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, BC, 83 ]

.text H:\hghghg.exe[3808] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F070F5A

.text H:\hghghg.exe[3808] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]

.text H:\hghghg.exe[3808] ADVAPI32.dll!CreateServiceA 77E371E9 6 Bytes JMP 5F190F5A

.text H:\hghghg.exe[3808] ADVAPI32.dll!CreateServiceW 77E37381 6 Bytes JMP 5F1C0F5A

.text H:\hghghg.exe[3808] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5F310F5A

.text H:\hghghg.exe[3808] USER32.dll!SendMessageW 7E42929A 6 Bytes JMP 5F2E0F5A

.text H:\hghghg.exe[3808] USER32.dll!PostMessageA 7E42AAFD 6 Bytes JMP 5F160F5A

.text H:\hghghg.exe[3808] USER32.dll!SendInput 7E42F140 3 Bytes [ FF, 25, 1E ]

.text H:\hghghg.exe[3808] USER32.dll!SendInput + 4 7E42F144 2 Bytes [ 11, 5F ]

.text H:\hghghg.exe[3808] USER32.dll!SendMessageA 7E42F3C2 6 Bytes JMP 5F130F5A

.text H:\hghghg.exe[3808] USER32.dll!mouse_event 7E46673F 6 Bytes JMP 5F0A0F5A

.text H:\hghghg.exe[3808] USER32.dll!keybd_event 7E466783 6 Bytes JMP 5F0D0F5A

.text H:\hghghg.exe[3808] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 5F370F5A

.text H:\hghghg.exe[3808] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F3A0F5A

.text H:\hghghg.exe[3808] WS2_32.dll!listen 71AB8CD3 6 Bytes JMP 5F340F5A

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\TDSSmqlt.sys (*** hidden *** ) F40A8000-F40BA000 (73728 bytes)

---- Threads - GMER 1.0.14 ----

Thread 4:304 F40AAD66

---- Services - GMER 1.0.14 ----

Service system32\drivers\TDSSserv.sys (*** hidden *** ) [sYSTEM] tdssserv <-- ROOTKIT !!!

Service C:\WINDOWS\system32\drivers\TDSSmqlt.sys (*** hidden *** ) [sYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\tdssserv

Reg HKLM\SYSTEM\ControlSet001\Services\tdssserv@start 1

Reg HKLM\SYSTEM\ControlSet001\Services\tdssserv@type 1

Reg HKLM\SYSTEM\ControlSet001\Services\tdssserv@imagepath \systemroot\system32\drivers\TDSSserv.sys

Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdssserv.sys

Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdssserv.sys@ driver

Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdssserv.sys

Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdssserv.sys@ driver

Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv

Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv@imagepath \systemroot\system32\drivers\TDSSserv.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqt.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSlrvd.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrxr.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrtqp.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhyp.log

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkbi.log

Reg HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\tdssserv.sys

Reg HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\tdssserv.sys@ driver

Reg HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Network\tdssserv.sys

Reg HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Network\tdssserv.sys@ driver

Reg HKLM\SYSTEM\ControlSet003\Services\tdssserv

Reg HKLM\SYSTEM\ControlSet003\Services\tdssserv@start 1

Reg HKLM\SYSTEM\ControlSet003\Services\tdssserv@type 1

Reg HKLM\SYSTEM\ControlSet003\Services\tdssserv@imagepath \systemroot\system32\drivers\TDSSserv.sys

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqt.dll

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSlrvd.dat

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrxr.dll

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrtqp.dll

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhyp.log

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkbi.log

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@affid 61

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@subid v3001

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@control 0x09 0x19 0x1F 0x16 ...

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@prov 10010

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@googleadserver pagead2.googlesyndication.com

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@flagged 1

---- EOF - GMER 1.0.14 ----


Dustin,

Here's the Hijackthis log.

Thanks!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 06:54:15, on 11/13/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe

C:\Program Files\a-squared Anti-Malware\a2service.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dns\bin\named.exe

C:\WINDOWS\wanmpsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\TrojanHunter 5.0\THGuard.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN

C:\WINDOWS\system32\wuauclt.exe

H:\jjhjghj.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe" /d=60

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [sVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe

O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: twdns - Unknown owner - C:\WINDOWS\system32\dns\bin\named.exe

O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 5567 bytes


Hi Squeeky,

It's as I suspected. A rootkit. Here are the relevant files I need:

C:\WINDOWS\system32\drivers\TDSSmqlt.sys

C:\WINDOWS\system32\drivers\TDSSserv.sys

C:\WINDOWS\system32\TDSSoiqt.dll

C:\WINDOWS\system32\TDSSlrvd.dat

C:\WINDOWS\system32\TDSShrxr.dll

C:\WINDOWS\system32\TDSSrtqp.dll

C:\WINDOWS\system32\TDSSxfum.dll

C:\WINDOWS\system32\TDSSlxwp.dll

C:\WINDOWS\system32\TDSSnmxh.log

C:\WINDOWS\system32\TDSSsihc.dll

C:\WINDOWS\system32\TDSSrhyp.log

C:\WINDOWS\system32\TDSSkkbi.log

Please download the following scanning tool. GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.

  • Double click on gmer.exe and run it.

  • It may take a minute to load and become available.

  • Do not make any changes. Click on the top right >>> tab and select the Files tab.

  • Browse to this location C:\Program Files\Common Files\System and locate the file nruiv_xmje32.dll

  • With the file highlighted click on the COPY button and copy it to your Desktop as nruiv_xmje32.bad where you can zip it up.

  • Zip up the nruiv_xmje32.bad file and save it as gmerfilecopy.zip and attach it to your reply post.

  • You MUST attach it as a .ZIP file to this forum: http://www.malwarebytes.org/forums/index.php?showforum=55 and a link back to this post so that we can track it.

  • Click OK and quit the GMER program.

Substitute the example, nruiv_xmje32 as an example for the files I have listed above.
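The twelve files requested above are the ones the GMER log ties to the two hidden services: their image paths plus every value under the `modules` subkey. The following is an added example, not part of the thread and not a GMER feature, that derives that list from the log lines; the `C:\WINDOWS` system root is an assumption and the `ExampleSvc` line is constructed.

```python
import re

# Lines copied from the GMER 1.0.14 log posted in this thread (CurrentControlSet
# entries only; the ControlSet001/ControlSet003 copies repeat the same values).
GMER_LOG = r"""
Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Module \systemroot\system32\drivers\TDSSmqlt.sys (*** hidden *** ) F40A8000-F40BA000 (73728 bytes)
Service system32\drivers\TDSSserv.sys (*** hidden *** ) [sYSTEM] tdssserv <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\TDSSmqlt.sys (*** hidden *** ) [sYSTEM] TDSSserv.sys <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdssserv.sys@ driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv
Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSlrvd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrxr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrtqp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhyp.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkbi.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@affid 61
"""

# Constructed line (not from the log): a service GMER did not flag as hidden.
CONSTRUCTED_BENIGN = (r"Reg HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc"
                      r"@imagepath \systemroot\system32\drivers\example.sys")

# "Service <path> (*** hidden *** ) [<start type>] <service name> ..."
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[[^\]]*\]\s+(?P<name>\S+)")
# "Reg HKLM\SYSTEM\<control set>\Services\<key>@<value name> <data>"
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\[^\\]+\\Services\\(?P<key>[^@]+)@(?P<value>\S+)\s+(?P<data>.+)$")


def normalise(path, sysroot):
    """Expand the systemroot-relative and bare system32 forms to a full path."""
    low = path.lower()
    if low.startswith("\\systemroot\\"):
        return sysroot + path[len("\\systemroot"):]
    if low.startswith("system32\\"):
        return sysroot + "\\" + path
    return path


def files_to_collect(log_text, sysroot=r"C:\WINDOWS"):
    """Return the files referenced by services that GMER marked as hidden."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    # Pass 1: names of hidden services and the image path GMER printed for each.
    hidden = {}
    for ln in lines:
        m = SERVICE_RE.match(ln)
        if m:
            hidden[m["name"].lower()] = normalise(m["path"], sysroot)

    # Case-insensitive de-duplication that keeps first-seen order.
    found = {}
    for p in hidden.values():
        found.setdefault(p.lower(), p)

    # Pass 2: registry values under those services only. Keep the image path
    # and every value of the "modules" subkey; skip start, type, group, etc.
    for ln in lines:
        m = REG_RE.match(ln)
        if not m:
            continue
        service, _, subkey = m["key"].partition("\\")
        if service.lower() not in hidden:
            continue
        if m["value"].lower() == "imagepath" or subkey.lower() == "modules":
            p = normalise(m["data"].strip(), sysroot)
            found.setdefault(p.lower(), p)
    return list(found.values())


if __name__ == "__main__":
    for path in files_to_collect(GMER_LOG):
        print(path)
```
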


Hi Dustin,

Quick issue with GMER. When I double click on it, it begins running on its own, runs for about 45 seconds, tells me there is indeed a rootkit, asks if I want to scan the entire computer, which I said yes.

When it is completed, and I hit the FILES tab like you requested, it does not have any files located on that particular page, just a MY COMPUTER icon and C Drive icon, both of which don't offer any browsing options, so I am having difficulties browsing for the "C:\Program Files\Common Files\System" that you requested. Only the PROCESSES tab offers any info, but not what you requested?

Am I looking in the wrong place or running the software incorrectly?

Thank You.


One last time, the references in my instructions are to be replaced with the locations and names of the files I listed for you. Obviously since all the files are in \windows\system32 and \windows\system32\drivers, that's where you should be looking for them.


Dustin,

In an effort to get Malwarebytes to run, I removed the hard drive from the desktop and attached by USB to a laptop, and ran Malwarebytes, Spybot, and several other AV programs.

When I reinstalled the hard drive and attempted to power up the unit, it wouldn't respond, then let out the largest crack/pop I have ever heard.

Needless to say, I am on hold with fixing this problem that has now become a bigger problem. Off topic, have you ever heard of a desktop making such a loud electrical pop, and if so, any guesses as to what it might be?

I appreciate your help with this and hope to continue the conversation when I can determine what has gone wrong.

Did you improperly install the power cable back into the drive? Is the PC still willing to power up? I've heard of this happening for various reasons, and usually something hardware-wise has died a horrible death. Is it possible you forced the drive power pins in backwards? I've actually seen an individual pull that off.

If the drive circuitry was laying down on the case just right, it's possible you may have shorted it out.

If you manage to get the hard drive back in your desktop, let me know. I have a much less invasive trick I'd like for you to try to get mbam up and going. Then we can murder that pesky rootkit causing you so much headache.
