Hi,
What a great public service you all offer! I was so impressed I joined up. Besides, I need help!
I’m comfortable with PCs but not a power user. I have a Dell Latitude D510, Pentium M processor @1.73 GHz and 1 GB RAM, running WinXP Pro. For the first time in 10 years of computing I’ve acquired an infestation of various cockroaches, silverfish and millipedes.
In Nov. 2007 Trend Micro PC-Cillin’s system scan found “Possible HPGN-1” in c:\windows\system32\wmdmpmsn.exe. This file is used in windows portable media serial number service. I used msconfig to disable the service. A few weeks later the TM scan found the same possible (Trojan?). TM was unable to quarantine the file.
In the past week more malware has been popping up. TM system scan finds only “Possible HPGN-1.”
TM realtime scan detects (1) a virus: c:\documents and settings\local service\local settings\temporary internet files\content.IE5\*.*\Back[1].exe. (2) suspicious software: c:\windows\system32\ndt2.sys. (3) suspected spyware dialer: c:\windows\system32\config\4c78b5d941a497f78612b3fd2c1ee4ef\smss.exe.
Superantispyware finds (2) which it identifies as rootkit.NDT2, as well as a Trojan.downloader: C:\WINDOWS\SYSTEM32\PERFS.EXE.
The Prevx free scan added a few more malware candidates.
Ad-Aware SE and Windows Defender, tried first, found only cookies.
The infection resists removal. (1), (2) and (3) have all been quarantined by Trend Micro or Superantispyware, but they reappear and are detected by TM’s realtime scan.
Interesting: twice I’ve opened a folder and watched Back[1].exe disappear a blink later. Is this STEALTH behavior?
Should I try to clean up this malware, or reformat & reinstall? TM’s realtime warnings about NDT2.sys and smss.exe appear frequently.
Three scan logs follow, in the order in which the scans were run: HijackThis, Superantispyware, and GMER (“hidden” processes near the end were highlighted in red). I had SAS delete detected items, but NDT2.sys and Back[1].exe have reappeared and I expect to see smss.exe soon. Finally, I’ve included the current “perfs” log found in the System32 folder. Is this a malware-created log?
Thanks for your help!!
***********************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:39 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$PARAGON\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\osk.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ˇˇˇˇˇˇˇˇˇˇˇˇ
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\perfs.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - Global Startup: MSSQL$PARAGON.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\scm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.fnismls.com
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://daar.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142908040937
O16 - DPF: {D270FE47-4F7B-4AFF-BCF8-B023A6FF4DFA} (SystemChecker.CheckerCtrl) - http://daar.fnismls.com/Paragon/Codebase/SystemChecker.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Cascade.local
O17 - HKLM\Software\..\Telephony: DomainName = Cascade.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Cascade.local
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Portable Media Service - Unknown owner - C:\WINDOWS\System32\wmdmpmsn.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: sylreto - Unknown owner - C:\242.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Windows Media_Player - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\Sevice.exe
O23 - Service: Windows System Hardware BackUp (WindowsSystemHDBackUp) - Unknown owner - C:\WINDOWS\System32\ˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇ
O23 - Service: Windows System Restore Backup (WindowsSystemRestoreBackup) - Unknown owner - C:\WINDOWS\System32\ˇˇˇˇˇˇˇˇˇˇˇˇ
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9717 bytes
************************
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/19/2008 at 11:52 PM
Application Version : 3.9.1008
Core Rules Database Version : 3384
Trace Rules Database Version: 1378
Scan type : Complete Scan
Total Scan Time : 01:34:13
Memory items scanned : 508
Memory threats detected : 1
Registry items scanned : 5371
Registry threats detected : 2
File items scanned : 35014
File threats detected : 4
Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\PERFS.EXE
C:\WINDOWS\SYSTEM32\PERFS.EXE
HKLM\System\ControlSet001\Services\perfmons
HKLM\System\CurrentControlSet\Services\perfmons
C:\WINDOWS\Prefetch\PERFS.EXE-0D42F62E.pf
Rootkit.NDT2
C:\WINDOWS\SYSTEM32\NDT2.SYS
C:\WINDOWS\Prefetch\NDT2.SYS-22D24E1A.pf
*******************************
GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2008-01-20 11:29:55
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT \SystemRoot\system32\DRIVERS\tm_mbd_c.sys ZwClose
SSDT \SystemRoot\system32\DRIVERS\tm_mbd_c.sys ZwConnectPort
SSDT \SystemRoot\system32\DRIVERS\tm_mbd_c.sys ZwCreateProcess
SSDT \SystemRoot\system32\DRIVERS\tm_mbd_c.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\drivers\ndqtyo.sys ZwDeviceIoControlFile
SSDT \SystemRoot\system32\DRIVERS\tm_mbd_c.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\ndqtyo.sys ZwQueryDirectoryFile
SSDT \SystemRoot\system32\DRIVERS\tm_mbd_c.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\system32\DRIVERS\tm_mbd_c.sys ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.12 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2399 805013B9 3 Bytes [ FC, CA, A9 ]
.text ntkrnlpa.exe!ZwCallbackReturn + 23F0 80501410 8 Bytes [ 10, F3, CA, A9, E0, F5, CA, ... ]
PAGE ntkrnlpa.exe!ZwSetSystemInformation + 370 80605048 1 Byte [ 00 ]
PAGE ntkrnlpa.exe!ZwSetSystemInformation + 3FD 806050D5 5 Bytes [ 58, 90, 90, 90, 90 ]
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 20, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 23, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes [ FF, 25, 1E, 00, 0E, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 14, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] SHELL32.dll!Shell_NotifyIconW 7CA261F5 6 Bytes [ FF, 25, 1E, 00, 17, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] WS2_32.dll!connect 71AB406A 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2072] WS2_32.dll!listen 71AB88D3 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe[2160] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\explorer.exe[2360] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[2360] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\explorer.exe[2360] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[2360] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 23, 5F ]
.text C:\WINDOWS\explorer.exe[2360] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[2360] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\explorer.exe[2360] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[2360] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\explorer.exe[2360] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\explorer.exe[2360] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes [ FF, 25, 1E, 00, 0E, 5F ]
.text C:\WINDOWS\explorer.exe[2360] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\explorer.exe[2360] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[2360] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\explorer.exe[2360] SHELL32.dll!Shell_NotifyIconW 7CA261F5 6 Bytes [ FF, 25, 1E, 00, 17, 5F ]
.text C:\WINDOWS\explorer.exe[2360] WS2_32.dll!connect 71AB406A 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\explorer.exe[2360] WS2_32.dll!listen 71AB88D3 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] SHELL32.dll!Shell_NotifyIconW 7CA261F5 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] WS2_32.dll!connect 71AB406A 6 Bytes [ FF, 25, 1E, 00, 23, 5F ]
.text C:\WINDOWS\system32\wuauclt.exe[2432] WS2_32.dll!listen 71AB88D3 6 Bytes [ FF, 25, 1E, 00, 20, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2912] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[2912] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2912] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[2912] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2912] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[2912] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2912] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[2912] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2912] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2912] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2912] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\system32\ctfmon.exe[2912] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2912] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[2912] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2912] SHELL32.dll!Shell_NotifyIconW 7CA261F5 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 23, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes [ FF, 25, 1E, 00, 0E, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] SHELL32.dll!Shell_NotifyIconW 7CA261F5 6 Bytes [ FF, 25, 1E, 00, 17, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] WS2_32.dll!connect 71AB406A 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[3032] WS2_32.dll!listen 71AB88D3 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 23, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes [ FF, 25, 1E, 00, 0E, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] SHELL32.dll!Shell_NotifyIconW 7CA261F5 6 Bytes [ FF, 25, 1E, 00, 17, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] WS2_32.dll!connect 71AB406A 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[3040] WS2_32.dll!listen 71AB88D3 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 23, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes [ FF, 25, 1E, 00, 0E, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] SHELL32.dll!Shell_NotifyIconW 7CA261F5 6 Bytes [ FF, 25, 1E, 00, 17, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] WS2_32.dll!connect 71AB406A 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[3096] WS2_32.dll!listen 71AB88D3 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 23, 5F ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes [ FF, 25, 1E, 00, 0E, 5F ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] SHELL32.dll!Shell_NotifyIconW 7CA261F5 6 Bytes [ FF, 25, 1E, 00, 17, 5F ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] WS2_32.dll!connect 71AB406A 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3120] WS2_32.dll!listen 71AB88D3 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 20, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 23, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes [ FF, 25, 1E, 00, 0E, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 14, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] SHELL32.dll!Shell_NotifyIconW 7CA261F5 6 Bytes [ FF, 25, 1E, 00, 17, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] WS2_32.dll!connect 71AB406A 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[3144] WS2_32.dll!listen 71AB88D3 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\alg.exe[3180] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 20, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 23, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes [ FF, 25, 1E, 00, 0E, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 14, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] WS2_32.dll!connect 71AB406A 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] WS2_32.dll!listen 71AB88D3 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\1XConfig.exe[3268] SHELL32.dll!Shell_NotifyIconW 7CA261F5 6 Bytes [ FF, 25, 1E, 00, 17, 5F ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 20, 5F ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 23, 5F ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes [ FF, 25, 1E, 00, 0E, 5F ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 14, 5F ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] SHELL32.dll!Shell_NotifyIconW 7CA261F5 6 Bytes [ FF, 25, 1E, 00, 17, 5F ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] WS2_32.dll!connect 71AB406A 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe[3280] WS2_32.dll!listen 71AB88D3 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 20, 5F ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 23, 5F ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes [ FF, 25, 1E, 00, 0E, 5F ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 14, 5F ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] SHELL32.dll!Shell_NotifyIconW 7CA261F5 6 Bytes [ FF, 25, 1E, 00, 17, 5F ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] WS2_32.dll!connect 71AB406A 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Windows Defender\MSASCui.exe[3304] WS2_32.dll!listen 71AB88D3 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 20, 5F ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 23, 5F ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes [ FF, 25, 1E, 00, 0E, 5F ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 73, EB, C3, 83 ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 14, 5F ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] WS2_32.dll!connect 71AB406A 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] WS2_32.dll!listen 71AB88D3 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\a-squared Anti-Dialer\a2adguard.exe[3376] shell32.dll!Shell_NotifyIconW 7CA261F5 6 Bytes [ FF, 25, 1E, 00, 17, 5F ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 17, 5F ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 1A, 5F ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 14, 5F ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 11, 5F ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 0E, 5F ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] SHELL32.dll!Shell_NotifyIconW 7CA261F5 6 Bytes [ FF, 25, 1E, 00, 23, 5F ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] WS2_32.dll!connect 71AB406A 6 Bytes [ FF, 25, 1E, 00, 1D, 5F ]
.text C:\DOCUME~1\Fiero\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3384] WS2_32.dll!listen 71AB88D3 6 Bytes [ FF, 25, 1E, 00, 20, 5F ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 20, 5F ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 23, 5F ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes [ FF, 25, 1E, 00, 0E, 5F ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 14, 5F ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] WS2_32.dll!connect 71AB406A 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] WS2_32.dll!listen 71AB88D3 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Messenger\msmsgs.exe[3532] SHELL32.dll!Shell_NotifyIconW 7CA261F5 6 Bytes [ FF, 25, 1E, 00, 17, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!NtOpenProcess 7C90DD7B 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!NtOpenProcess + 4 7C90DD7F 2 Bytes [ 23, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[3576] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[3576] kernel32.dll!WriteProcessMemory