PC disinfection, computer speed-up, remote help via the neslape.cz service

Win32/Mebroot.K

Have a problem with a virus? Paste a log from FRST or RSIT here.

Moderator: Moderators

Forum rules
If you want help, paste a log from FRST [guide here] or RSIT [guide here]

Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.

!NEWS!
You can now use the remote-help service: a specialist connects to your computer and gets the details of the problem from you by phone! More at www.neslape.cz
Locked

Sikec
Visitor
Posts: 30
Registered: 08 Feb 2009 21:34

Re: Win32/Mebroot.K

#346 Post by Sikec »

Here is the log from CF... what next, is the PC clean now?

ComboFix 09-02-08.02 - Tomas 2009-02-09 22:18:44.1 - NTFSx86 MINIMAL
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.1535.1269 [GMT 1:00]
Spuštěný z: c:\documents and settings\Tomas\Plocha\ComboFix.exe
AV: Eset NOD32 Antivirus 2.0 *On-access scanning enabled* (Updated)
FW: Kerio Personal Firewall *enabled*

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tomas\Data aplikací\QNVW601P.dll
c:\program files\INSTALL.LOG
c:\program files\Seekmo Programs
c:\windows\system32\mdm.exe
c:\windows\tmlpcert2005

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_WinDriver


((((((((((((((((((((((((( Soubory vytvořené od 2009-01-09 do 2009-02-09 )))))))))))))))))))))))))))))))
.

2040-11-09 12:38 . 2005-12-16 12:29 <DIR> d-------- c:\program files\Web Page Maker V2
2010-03-29 21:54 . 2006-12-31 11:35 <DIR> d-------- c:\program files\SlySoft
2009-02-09 17:55 . 2009-02-09 17:55 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-09 17:53 . 2009-02-09 17:53 <DIR> d-------- c:\windows\ERUNT
2009-02-09 17:53 . 2001-08-18 12:00 1,688 --a------ c:\windows\system32\AUTOEXEC.NT
2009-02-09 17:48 . 2009-02-09 18:10 <DIR> d-------- C:\SDFix
2009-02-09 17:24 . 2009-02-09 17:24 <DIR> d-------- c:\documents and settings\Tomas\DoctorWeb
2009-02-09 09:50 . 2009-02-09 09:50 <DIR> d-------- c:\documents and settings\Tomas\Data aplikací\Ashampoo
2009-02-09 09:50 . 2009-02-09 09:50 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\ashampoo
2009-01-23 16:02 . 2009-01-23 16:02 <DIR> d-------- c:\program files\QO Developments
2009-01-14 00:09 . 2009-01-14 00:09 1,597,440 --a------ C:\t2fo.d

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 21:14 66,796 ----a-w c:\windows\system32\drivers\fwdrv.err
2009-02-09 20:58 --------- d-----w c:\program files\ESET
2009-02-09 19:05 --------- d-----w c:\program files\SMS
2009-02-09 08:50 --------- d-----w c:\program files\Ashampoo
2009-02-04 16:30 --------- d-----w c:\documents and settings\Tomas\Data aplikací\Canon
2009-01-04 23:13 --------- d-----w c:\documents and settings\Tomas\Data aplikací\Skype
2009-01-04 14:23 --------- d-----w c:\program files\Formica4.40
2009-01-02 10:32 --------- d-----w c:\program files\Google
2009-01-02 00:14 --------- d-----w c:\documents and settings\All Users\Data aplikací\285D
2009-01-01 23:16 --------- d-----w c:\program files\ICQ6.5
2009-01-01 16:46 --------- d-----w c:\documents and settings\Tomas\Data aplikací\Apple Computer
2009-01-01 16:18 --------- d-----w c:\program files\ICQ6
2008-12-31 18:41 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-31 18:41 --------- d-----w c:\program files\Java
2008-12-21 22:56 --------- d-----w c:\documents and settings\All Users\Data aplikací\233B9
2008-12-19 12:30 --------- d-----w c:\documents and settings\All Users\Data aplikací\201D4
2008-12-19 12:06 --------- d-----w c:\documents and settings\All Users\Data aplikací\182AF
2008-12-11 19:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-10 14:56 --------- d-----w c:\program files\Common Files\Motive
2008-12-10 14:56 --------- d-----w c:\documents and settings\All Users\Data aplikací\Motive
2008-12-10 11:59 --------- d-----w c:\program files\TO2SAM
2003-07-31 09:53 147,456 -c--a-w c:\windows\inf\EL2K_XP.sys
2003-07-31 09:50 448,768 -c--a-w c:\windows\inf\EL2K_N64.sys
2003-07-31 09:43 147,456 -c--a-w c:\windows\inf\EL2K_2K.sys
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 335872]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2004-09-21 778240]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"TCASUTIEXE"="TCAUDIAG.exe" [2003-07-16 c:\windows\system32\TCAUDIAG.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Tomas\Nabˇdka Start\Programy\Po spuçtŘnˇ\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.EM2V"= EtxCodec.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\Tomas\Data aplikací\iolo\

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2002-07-29 10:54 473088 c:\windows\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"g:\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2005-09-26 286720]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2005-09-26 81920]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\documents and settings\All Users\Data aplikací\Spyware Terminator\sp_rsdrv2.sys [2006-06-22 131712]
R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [2000-06-06 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [2001-09-04 19534]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2002-08-29 69120]
S3 cpuz129;cpuz129;\??\c:\docume~1\Tomas\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Tomas\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 TVICHW32;TVICHW32;c:\windows\system32\drivers\TVICHW32.SYS [2008-08-13 23600]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{279b634f-832f-11dc-a01f-101111111111}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
.
Obsah adresáře 'Naplánované úlohy'

2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2007-11-11 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 15:52]

2005-05-09 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe [2005-12-09 11:44]
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
MSConfigStartUp-ICQ - c:\program files\ICQ6\ICQ.exe
MSConfigStartUp-Svátky a výročí - c:\program files\OKsoftware\Svátky a výročí\Vyroci.exe


.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: &Search - http://edits.mywebsearch.com/toolbaredi ... xpt119YYCZ
IE: E&xportovat do aplikace Microsoft Excel - g:\office12\EXCEL.EXE/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Najdi na mapě
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - c:\program files\Pc Translator\WEBIE.DLL
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\program files\Pc Translator\WEBIE.DLL
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\program files\Pc Translator\WEBIE.DLL
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\program files\Pc Translator\WEBIE.DLL
LSP: imon.dll
TCP: {728ADE8D-21E8-455B-AF73-D04191D13B19} = 10.3.3.1,212.24.128.8
TCP: {7AA50CCE-3EAD-456C-B0CD-22C3CD3010C6} = 194.228.2.1,194.228.41.113
TCP: {F823DDD0-C493-4146-817D-37F9B756BC26} = 194.228.2.1,194.228.41.113
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {030735DF-13FE-4560-8B57-CE341E8EAAA2} - mk:@MSITStore:d:\html\instal.chm::/Install/Mg3D.cab
DPF: {1F831FA2-42FC-11D4-95A6-0080AD30DCE1} - file://c:\program files\AutoCAD 2002 Cz\InstFred.ocx
DPF: {3190CE26-0B6E-4133-A7D3-87D29CB92120} - hxxp://www.bezpecnyinternet.cz/SBI.cab
DPF: {37B7C7C6-BCD8-11D7-BD5C-00C026104E7F} - hxxp://jav.webreport.cz/sdp/dload/10051_13_CZ_dload.exe
DPF: {AE563723-B4F5-11D4-A415-00108302FDFD} - file://c:\program files\AutoCAD 2002 Cz\InstBanr.ocx
DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} - hxxp://xtraz.icq.com/xtraz/activex/MISBH.cab
FF - ProfilePath - c:\documents and settings\Tomas\Data aplikací\Mozilla\Firefox\Profiles\d9wfof9n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.cz
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
.
------- Asociace souborů -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 22:25:58
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1417001333-1580818891-839522115-1003\Software\Andreas Haak\a*Ű]
"Language"="English"
"Expires"="1/1/3000 :)"
"Last"="30.9.2007"

[HKEY_USERS\S-1-5-21-1417001333-1580818891-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1417001333-1580818891-839522115-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1417001333-1580818891-839522115-1003)
@Allowed: (Read) (S-1-5-21-1417001333-1580818891-839522115-1003)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Andreas Haak\a*Ű]
"User"="sikecxixao@seznam.cz"
"Code"="biyisini27"
"License"=dword:00000001
"Active"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Atelier Web\AWRC***]
"HD"="??????2"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1084)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\ESET\nod32krn.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Celkový čas: 2009-02-09 22:30:10 - počítač byl restartován [Tomas]
ComboFix-quarantined-files.txt 2009-02-09 21:29:59

Před spuštěním: 2,752,344,064
Po spuštění: 2,603,651,072

Current=3 Default=3 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
239 --- E O F --- 2009-01-14 15:05:19

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#347 Post by stell »

For this step, ComboFix must be on the desktop.

Turn off > FIREWALL > antivirus > antispyware > everything resident.

Open Notepad and copy the whole green text into it:

Code:

KILLALL::
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{279b634f-832f-11dc-a01f-101111111111}]
File::
c:\Recycled\ctfmon.exe
RegLock::
[HKEY_USERS\S-1-5-21-1417001333-1580818891-839522115-1003\Software\Andreas Haak\a*Ű]
[HKEY_LOCAL_MACHINE\software\Andreas Haak\a*Ű]
[HKEY_LOCAL_MACHINE\software\Atelier Web\AWRC***]
FileLook::
C:\t2fo.d

Then click File -> Save as... -> in the File name line type: CFScript.txt
Under File type, choose *all files
And save it to the desktop. > Careful: CFScript.txt > do not open it, and it must not be CFScript.txt.txt either. Then do this:
[image]

After the scan finishes, paste the log that ComboFix creates
Important information.
Is your computer NOT RUNNING RIGHT?
Is it infected? Running slowly? A program not working? Installation problem?
Use the remote-help service!
e-mail: stell(at)forum.viry.cz
Thanks!

Sikec
Visitor
Posts: 30
Registered: 08 Feb 2009 21:34

Re: Win32/Mebroot.K

#348 Post by Sikec »

Do I need to run another scan? I've just generated the barcode for sending a contribution through the Sazka terminal... I appreciate your help!!

Will do. But I can't manage to turn off NOD's resident shield. Does that matter?

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#349 Post by stell »

Thank you. :)
It doesn't matter, you don't need to turn off the NOD resident shield, ignore the warning, do what I wrote, and tomorrow we'll continue; paste the log here.

Sikec
Visitor
Posts: 30
Registered: 08 Feb 2009 21:34

Re: Win32/Mebroot.K

#350 Post by Sikec »

So I don't have to worry about Mebroot anymore? Here is the log:

ComboFix 09-02-08.02 - Tomas 2009-02-09 23:01:58.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.1535.1124 [GMT 1:00]
Spuštěný z: c:\documents and settings\Tomas\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Tomas\Plocha\CFScript.txt
AV: Eset NOD32 Antivirus 2.0 *On-access scanning enabled* (Updated)
FW: Kerio Personal Firewall *disabled*
* Vytvořen nový Bod Obnovení

FILE ::
c:\recycled\ctfmon.exe
.

((((((((((((((((((((((((( Soubory vytvořené od 2009-01-09 do 2009-02-09 )))))))))))))))))))))))))))))))
.

2040-11-09 12:38 . 2005-12-16 12:29 <DIR> d-------- c:\program files\Web Page Maker V2
2010-03-29 21:54 . 2006-12-31 11:35 <DIR> d-------- c:\program files\SlySoft
2009-02-09 17:55 . 2009-02-09 17:55 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-09 17:53 . 2009-02-09 17:53 <DIR> d-------- c:\windows\ERUNT
2009-02-09 17:53 . 2001-08-18 12:00 1,688 --a------ c:\windows\system32\AUTOEXEC.NT
2009-02-09 17:48 . 2009-02-09 18:10 <DIR> d-------- C:\SDFix
2009-02-09 17:24 . 2009-02-09 17:24 <DIR> d-------- c:\documents and settings\Tomas\DoctorWeb
2009-02-09 09:50 . 2009-02-09 09:50 <DIR> d-------- c:\documents and settings\Tomas\Data aplikací\Ashampoo
2009-02-09 09:50 . 2009-02-09 09:50 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\ashampoo
2009-01-23 16:02 . 2009-01-23 16:02 <DIR> d-------- c:\program files\QO Developments
2009-01-14 00:09 . 2009-01-14 00:09 1,597,440 --a------ C:\t2fo.d

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 21:14 66,796 ----a-w c:\windows\system32\drivers\fwdrv.err
2009-02-09 20:58 --------- d-----w c:\program files\ESET
2009-02-09 19:05 --------- d-----w c:\program files\SMS
2009-02-09 08:50 --------- d-----w c:\program files\Ashampoo
2009-02-04 16:30 --------- d-----w c:\documents and settings\Tomas\Data aplikací\Canon
2009-01-04 23:13 --------- d-----w c:\documents and settings\Tomas\Data aplikací\Skype
2009-01-04 14:23 --------- d-----w c:\program files\Formica4.40
2009-01-02 10:32 --------- d-----w c:\program files\Google
2009-01-02 00:14 --------- d-----w c:\documents and settings\All Users\Data aplikací\285D
2009-01-01 23:16 --------- d-----w c:\program files\ICQ6.5
2009-01-01 16:46 --------- d-----w c:\documents and settings\Tomas\Data aplikací\Apple Computer
2009-01-01 16:18 --------- d-----w c:\program files\ICQ6
2008-12-31 18:41 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-31 18:41 --------- d-----w c:\program files\Java
2008-12-21 22:56 --------- d-----w c:\documents and settings\All Users\Data aplikací\233B9
2008-12-19 12:30 --------- d-----w c:\documents and settings\All Users\Data aplikací\201D4
2008-12-19 12:06 --------- d-----w c:\documents and settings\All Users\Data aplikací\182AF
2008-12-11 19:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-10 14:56 --------- d-----w c:\program files\Common Files\Motive
2008-12-10 14:56 --------- d-----w c:\documents and settings\All Users\Data aplikací\Motive
2008-12-10 11:59 --------- d-----w c:\program files\TO2SAM
2003-07-31 09:53 147,456 -c--a-w c:\windows\inf\EL2K_XP.sys
2003-07-31 09:50 448,768 -c--a-w c:\windows\inf\EL2K_N64.sys
2003-07-31 09:43 147,456 -c--a-w c:\windows\inf\EL2K_2K.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\t2fo.d -- Not a PE file.
MD5: 2fc2e0b3ba1159f7f8b49cd4df53f646


((((((((((((((((((((((((((((( SnapShot@2009-02-09_22.27.44.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-05 03:24:04 235,936 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2009-02-07 18:06:33 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-02-09 21:44:19 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-02-09 22:17:20 16,384 ----atw c:\windows\temp\Perflib_Perfdata_700.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 335872]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2004-09-21 778240]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"TCASUTIEXE"="TCAUDIAG.exe" [2003-07-16 c:\windows\system32\TCAUDIAG.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Tomas\Nabˇdka Start\Programy\Po spuçtŘnˇ\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.EM2V"= EtxCodec.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\Tomas\Data aplikací\iolo\

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2002-07-29 10:54 473088 c:\windows\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"g:\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2005-09-26 286720]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2005-09-26 81920]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\documents and settings\All Users\Data aplikací\Spyware Terminator\sp_rsdrv2.sys [2006-06-22 131712]
R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [2000-06-06 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [2001-09-04 19534]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2002-08-29 69120]
S3 cpuz129;cpuz129;\??\c:\docume~1\Tomas\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Tomas\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 TVICHW32;TVICHW32;c:\windows\system32\drivers\TVICHW32.SYS [2008-08-13 23600]
.
Obsah adresáře 'Naplánované úlohy'

2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2007-11-11 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 15:52]

2005-05-09 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe [2005-12-09 11:44]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: &Search - http://edits.mywebsearch.com/toolbaredi ... xpt119YYCZ
IE: E&xportovat do aplikace Microsoft Excel - g:\office12\EXCEL.EXE/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Najdi na mapě
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - c:\program files\Pc Translator\WEBIE.DLL
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\program files\Pc Translator\WEBIE.DLL
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\program files\Pc Translator\WEBIE.DLL
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\program files\Pc Translator\WEBIE.DLL
LSP: imon.dll
TCP: {728ADE8D-21E8-455B-AF73-D04191D13B19} = 10.3.3.1,212.24.128.8
TCP: {7AA50CCE-3EAD-456C-B0CD-22C3CD3010C6} = 194.228.2.1,194.228.41.113
TCP: {F823DDD0-C493-4146-817D-37F9B756BC26} = 194.228.2.1,194.228.41.113
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {030735DF-13FE-4560-8B57-CE341E8EAAA2} - mk:@MSITStore:d:\html\instal.chm::/Install/Mg3D.cab
DPF: {1F831FA2-42FC-11D4-95A6-0080AD30DCE1} - file://c:\program files\AutoCAD 2002 Cz\InstFred.ocx
DPF: {3190CE26-0B6E-4133-A7D3-87D29CB92120} - hxxp://www.bezpecnyinternet.cz/SBI.cab
DPF: {37B7C7C6-BCD8-11D7-BD5C-00C026104E7F} - hxxp://jav.webreport.cz/sdp/dload/10051_13_CZ_dload.exe
DPF: {AE563723-B4F5-11D4-A415-00108302FDFD} - file://c:\program files\AutoCAD 2002 Cz\InstBanr.ocx
DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} - hxxp://xtraz.icq.com/xtraz/activex/MISBH.cab
FF - ProfilePath - c:\documents and settings\Tomas\Data aplikací\Mozilla\Firefox\Profiles\d9wfof9n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.cz
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 23:17:50
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1417001333-1580818891-839522115-1003\Software\Andreas Haak\a*Ű]
"Language"="English"
"Expires"="1/1/3000 :)"
"Last"="30.9.2007"

[HKEY_USERS\S-1-5-21-1417001333-1580818891-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1417001333-1580818891-839522115-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1417001333-1580818891-839522115-1003)
@Allowed: (Read) (S-1-5-21-1417001333-1580818891-839522115-1003)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Andreas Haak\a*Ű]
"User"="sikecxixao@seznam.cz"
"Code"="biyisini27"
"License"=dword:00000001
"Active"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Atelier Web\AWRC***]
"HD"="??????2"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1084)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kerio\Personal Firewall 4\kpf4ss.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\ESET\nod32krn.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Kerio\Personal Firewall 4\kpf4gui.exe
c:\program files\Kerio\Personal Firewall 4\kpf4gui.exe
.
**************************************************************************
.
Celkový čas: 2009-02-09 23:23:15 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-02-09 22:23:03
ComboFix2.txt 2009-02-09 21:30:15

Před spuštěním: 2 559 135 744
Po spuštění: 2,538,094,592

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=3 Default=3 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
239 --- E O F --- 2009-01-14 15:05:19

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#351 Post by stell »

ok, I'll check it tomorrow; today I can't see the log properly anymore... :D

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#352 Post by stell »

test it on VIRUSTOTAL
C:\t2fo.d
(simple instructions: once the page has loaded, click the Browse button, find the path to the file mentioned above and click the Send file button; give the scanners some ten minutes; paste the result here)

you have very interesting and at the same time dangerous things here, does the program
Atelier Web Remote Commander ring a bell?? and \Software\Andreas Haak???
http://www.studna.cz/2697/pocitacove-si ... commander/
download G-Mer, paste logs no. 1 and 2 here
http://www.viry.cz/forum/viewtopic.php?f=29&t=62878

Sikec
Guest
Posts: 30
Registered: 08 Feb 2009 21:34

Re: Win32/Mebroot.K

#353 Post by Sikec »

I don't know those programs! If they are dangerous, tell me how to delete them. I'm planning to clean the PC anyway (preferably with your help).

Here is the test result:

Antivirus Version Last update Result
a-squared 4.0.0.93 2009.02.10 -
AhnLab-V3 5.0.0.2 2009.02.10 -
AntiVir 7.9.0.76 2009.02.10 -
Authentium 5.1.0.4 2009.02.10 -
Avast 4.8.1335.0 2009.02.09 -
AVG 8.0.0.229 2009.02.09 -
BitDefender 7.2 2009.02.10 -
CAT-QuickHeal 10.00 2009.02.10 -
ClamAV 0.94.1 2009.02.10 -
Comodo 972 2009.02.09 -
DrWeb 4.44.0.09170 2009.02.10 -
eSafe 7.0.17.0 2009.02.09 -
eTrust-Vet 31.6.6348 2009.02.10 -
F-Prot 4.4.4.56 2009.02.09 -
F-Secure 8.0.14470.0 2009.02.10 -
Fortinet 3.117.0.0 2009.02.10 -
GData 19 2009.02.10 -
Ikarus T3.1.1.45.0 2009.02.10 -
K7AntiVirus 7.10.624 2009.02.09 -
Kaspersky 7.0.0.125 2009.02.10 -
McAfee 5521 2009.02.10 -
McAfee+Artemis 5521 2009.02.09 -
Microsoft 1.4306 2009.02.09 -
NOD32 3841 2009.02.10 -
Norman 6.00.02 2009.02.09 -
nProtect 2009.1.8.0 2009.02.10 -
Panda 9.5.1.2 2009.02.09 -
PCTools 4.4.2.0 2009.02.09 -
Prevx1 V2 2009.02.10 -
Rising 21.16.12.00 2009.02.10 -
SecureWeb-Gateway 6.7.6 2009.02.10 -
Sophos 4.38.0 2009.02.10 -
Sunbelt 3.2.1847.2 2009.02.07 -
Symantec 10 2009.02.10 -
TheHacker 6.3.1.5.250 2009.02.09 -
TrendMicro 8.700.0.1004 2009.02.10 -
VBA32 3.12.8.12 2009.02.10 -
ViRobot 2009.2.10.1599 2009.02.10 -
VirusBuster 4.5.11.0 2009.02.09 -
Additional information
File size: 1597440 bytes
MD5...: 2fc2e0b3ba1159f7f8b49cd4df53f646
SHA1..: 1f3067e1308344a402678dc2d7238436733aa6e7
SHA256: ccaf0f6dcc1d22cf284c7cc0d0c7d1ffd53ca6e23d9e07739cf22498fc3ca580
SHA512: a7e83d85acb4065013b8f7c21f53790704d8f17776bf78afab2d83d7225b6eb904023560168446733571e834c2adc83449478117c94c5eaa65cdb70a915d0d04
ssdeep: 12288:3cG5Ajo6vIr+0IA9jY/USRQYV4gA7HZNZbznHp8RcTA8RoEUIKiTu+:XXKq+xDm1PtZR31Tu+
PEiD..: -
TrID..: File type identification
Windows Bitmap (100.0%)
PEInfo: -

Here is Log 1 from GMER:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-10 11:29:06
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwEnumerateKey [0xF750BC7E]
SSDT sptd.sys ZwEnumerateValueKey [0xF750BFF6]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A77A4D0

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset)

Device \FileSystem\Fastfat \Fat 8A35FEB0

AttachedDevice \FileSystem\Fastfat \Fat amon.sys (Amon monitor/Eset)
AttachedDevice \Driver\Tcpip \Device\Ip fwdrv.sys (Kerio Technologies)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp fwdrv.sys (Kerio Technologies)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp fwdrv.sys (Kerio Technologies)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp fwdrv.sys (Kerio Technologies)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----
Last edited by Sikec on 10 Feb 2009 11:30, edited 1 time in total.
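As an added triage example (not part of the original post and not GMER's own code), the parser below reads the three GMER line types seen in the logs in this thread (SSDT hooks, AttachedDevice entries and user-mode `.text` inline hooks) and answers the questions a reviewer asks first: which module owns each hook, which hooking modules carry no vendor attribution, which processes have their network exports hooked, and whether all hooks in a process jump into one small region. The regular expressions and the sample log are my own reading of the format, constructed to mirror the lines above.

```python
import re
from collections import defaultdict

# Constructed sample, mirroring the shape of the lines in the thread's GMER log.
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwClose [0xB0841435]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwCreateFile [0xB0840C5C]
SSDT sptd.sys ZwEnumerateKey [0xF750BC7E]
SSDT \SystemRoot\system32\drivers\khips.sys ZwLoadDriver [0xB06208B0]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A77A4D0

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset)
AttachedDevice \Driver\Tcpip \Device\Tcp fwdrv.sys (Kerio Technologies)

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Eset\nod32krn.exe[216] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Program Files\Eset\nod32krn.exe[216] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00130950
.text C:\WINDOWS\Explorer.EXE[812] WININET.dll!InternetConnectA 4454499A 5 Bytes JMP 00080F54
.text C:\WINDOWS\system32\csrss.exe[988] KERNEL32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00160090
"""

# Patterns are an assumption about the log layout, derived from the lines above.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<vendor>[^)]*)\))?\s+"
                     r"(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+"
                         r"(?P<module>\S+)(?:\s+\((?P<vendor>[^)]*)\))?$")
TEXT_RE = re.compile(r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[\w.]+)!(?P<func>\w+)"
                     r"\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)$")


def basename(path):
    """Last path component, lower-cased, so '\\SystemRoot\\...\\fwdrv.sys' and 'fwdrv.sys' compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Split a GMER log into parsed SSDT, AttachedDevice and user-mode hook records."""
    parsed = {"ssdt": [], "attached": [], "usermode": []}
    for raw in text.splitlines():
        line = raw.strip()
        for key, pattern in (("ssdt", SSDT_RE), ("attached", ATTACHED_RE), ("usermode", TEXT_RE)):
            m = pattern.match(line)
            if m:
                parsed[key].append(m.groupdict())
                break
    return parsed


def ssdt_by_module(parsed):
    """Hooking kernel module -> sorted list of the Zw* services it has redirected."""
    table = defaultdict(set)
    for h in parsed["ssdt"]:
        table[basename(h["module"])].add(h["func"])
    return {mod: sorted(funcs) for mod, funcs in table.items()}


def unattributed_modules(parsed):
    """Kernel modules hooking the SSDT or attached to devices with no '(vendor)' tag.
    Anything listed here that no installed product accounts for deserves a closer look."""
    return sorted({basename(h["module"])
                   for h in parsed["ssdt"] + parsed["attached"] if not h["vendor"]})


def processes_with_network_hooks(parsed):
    """(process, pid) pairs whose WS2_32 or WININET exports carry an inline JMP hook."""
    return sorted({(basename(h["proc"]), int(h["pid"]))
                   for h in parsed["usermode"] if h["dll"].lower() in ("ws2_32.dll", "wininet.dll")})


def hook_target_regions(parsed):
    """(process, pid) -> sorted 64 KiB regions (target >> 16, as hex) that its hooks jump into.
    A single region per process is what one injected hook library looks like; several
    regions would mean more than one party has patched that process."""
    regions = defaultdict(set)
    for h in parsed["usermode"]:
        regions[(basename(h["proc"]), int(h["pid"]))].add(hex(int(h["target"], 16) >> 16))
    return {proc: sorted(r) for proc, r in regions.items()}


def report(text):
    """Human-readable triage summary for a whole GMER log."""
    parsed = parse_gmer(text)
    lines = ["SSDT hooks by module:"]
    for mod, funcs in sorted(ssdt_by_module(parsed).items()):
        lines.append(f"  {mod}: {', '.join(funcs)}")
    lines.append(f"Unattributed kernel modules: {', '.join(unattributed_modules(parsed)) or 'none'}")
    lines.append("Processes with network API hooks: "
                 + ", ".join(f"{p}[{pid}]" for p, pid in processes_with_network_hooks(parsed)))
    for (proc, pid), regions in sorted(hook_target_regions(parsed).items()):
        lines.append(f"  {proc}[{pid}] hooks jump into region(s) {', '.join(regions)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a full pasted log instead of SAMPLE_LOG to get the same summary for the whole thread; hooks attributed to a firewall or antivirus that is actually installed are expected, unattributed modules and network hooks in unexpected processes are what to review.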

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#354 Post by stell »

well, they are buried in the registry, but we'll dig them out
do you still have this program?? do you use it>>c:\program files\XoftSpy\XoftSpy.exe
run G-Mer.

Sikec
Guest
Posts: 30
Registered: 08 Feb 2009 21:34

Re: Win32/Mebroot.K

#355 Post by Sikec »

I have that program but I don't use it. The second GMER scan is running now. But it only covers drive C. Shouldn't I tick the other drives too? Even though it's just one disk divided into several partitions.

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#356 Post by stell »

yes, tick all of them ..

Sikec
Guest
Posts: 30
Registered: 08 Feb 2009 21:34

Re: Win32/Mebroot.K

#357 Post by Sikec »

Hm.. Too bad. In the guide I read, the picture showed 3 drives and only one was ticked. It didn't occur to me. Sorry. The second scan with all drives is running again now. I'm at least pasting the log of the scan of drive C:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-10 11:39:52
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwClose [0xB0841435]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwCreateFile [0xB0840C5C]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwCreateKey [0xB083D0B0]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwCreateProcess [0xB0840031]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwCreateProcessEx [0xB083FEAE]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwCreateThread [0xB0840693]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwDeleteFile [0xB08414B5]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwDeleteKey [0xB083D4E1]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwDeleteValueKey [0xB083D574]
SSDT sptd.sys ZwEnumerateKey [0xF750BC7E]
SSDT sptd.sys ZwEnumerateValueKey [0xF750BFF6]
SSDT \SystemRoot\system32\drivers\khips.sys ZwLoadDriver [0xB06208B0]
SSDT \SystemRoot\system32\drivers\khips.sys ZwMapViewOfSection [0xB0620A20]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwOpenFile [0xB0840F27]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwOpenKey [0xB083D307]
SSDT sptd.sys ZwQueryKey [0xF750C0C0]
SSDT sptd.sys ZwQueryValueKey [0xF750BF58]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwResumeThread [0xB084071F]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwSetInformationFile [0xB0841229]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwSetValueKey [0xB083D67D]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies) ZwWriteFile [0xB0841186]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys Proces nemá přístup k souboru, neboť jej právě využívá jiný proces.
? C:\WINDOWS\System32\Drivers\SPTD9661.SYS Proces nemá přístup k souboru, neboť jej právě využívá jiný proces.
PAGENDSM NDIS.sys!NdisMIndicateStatus F7A3C9EF 6 Bytes JMP B08351EC \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 BAC3A4D0 16 Bytes [ 6E, 39, F7, 0E, C4, DB, 5D, ... ]
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 BAC3A4E1 26 Bytes [ 90, C3, BA, 1D, 8F, 0C, C9, ... ]
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 2C BAC3A4FC 4 Bytes [ 83, 3D, E1, 2B ]
? C:\WINDOWS\System32\Drivers\dtscsi.sys Proces nemá přístup k souboru, neboť jej právě využívá jiný proces.

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Eset\nod32krn.exe[216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Eset\nod32krn.exe[216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Eset\nod32krn.exe[216] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Eset\nod32krn.exe[216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Eset\nod32krn.exe[216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Eset\nod32krn.exe[216] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\Program Files\Eset\nod32krn.exe[216] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\Program Files\Eset\nod32krn.exe[216] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Program Files\Eset\nod32krn.exe[216] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\Program Files\Eset\nod32krn.exe[216] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\Program Files\Eset\nod32krn.exe[216] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\Program Files\Eset\nod32krn.exe[216] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\Program Files\Eset\nod32krn.exe[216] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\Program Files\Eset\nod32krn.exe[216] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\Program Files\Eset\nod32krn.exe[216] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\Program Files\Eset\nod32krn.exe[216] WS2_32.dll!socket 71A94211 5 Bytes JMP 001308C4
.text C:\Program Files\Eset\nod32krn.exe[216] WS2_32.dll!bind 71A94480 5 Bytes JMP 00130838
.text C:\Program Files\Eset\nod32krn.exe[216] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00130950
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] WS2_32.dll!socket 71A94211 5 Bytes JMP 001308C4
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] WS2_32.dll!bind 71A94480 5 Bytes JMP 00130838
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[468] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00130950
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[536] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[536] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[536] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[536] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[536] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[536] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[536] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[536] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[536] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[536] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[536] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\Ati2evxx.exe[608] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\Ati2evxx.exe[608] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\Ati2evxx.exe[608] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\Ati2evxx.exe[608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\Ati2evxx.exe[608] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\Ati2evxx.exe[608] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\Ati2evxx.exe[608] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\Ati2evxx.exe[608] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\Ati2evxx.exe[608] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\Ati2evxx.exe[608] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\Ati2evxx.exe[608] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\Ati2evxx.exe[608] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\Ati2evxx.exe[608] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\Ati2evxx.exe[608] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\Ati2evxx.exe[608] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[764] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[764] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[764] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[764] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[764] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[764] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[764] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[764] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[764] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[764] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[764] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\WINDOWS\Explorer.EXE[812] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\Explorer.EXE[812] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\Explorer.EXE[812] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\Explorer.EXE[812] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\Explorer.EXE[812] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\Explorer.EXE[812] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004
.text C:\WINDOWS\Explorer.EXE[812] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C
.text C:\WINDOWS\Explorer.EXE[812] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0
.text C:\WINDOWS\Explorer.EXE[812] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C
.text C:\WINDOWS\Explorer.EXE[812] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8
.text C:\WINDOWS\Explorer.EXE[812] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C
.text C:\WINDOWS\Explorer.EXE[812] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464
.text C:\WINDOWS\Explorer.EXE[812] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608
.text C:\WINDOWS\Explorer.EXE[812] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\Explorer.EXE[812] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720
.text C:\WINDOWS\Explorer.EXE[812] WININET.dll!InternetConnectA 4454499A 5 Bytes JMP 00080F54
.text C:\WINDOWS\Explorer.EXE[812] WININET.dll!InternetConnectW 44545B88 5 Bytes JMP 00080FE0
.text C:\WINDOWS\Explorer.EXE[812] WININET.dll!InternetOpenA 4454C865 5 Bytes JMP 00080D24
.text C:\WINDOWS\Explorer.EXE[812] WININET.dll!InternetOpenW 4454CE99 5 Bytes JMP 00080DB0
.text C:\WINDOWS\Explorer.EXE[812] WININET.dll!InternetOpenUrlA 44550BCA 5 Bytes JMP 00080E3C
.text C:\WINDOWS\Explorer.EXE[812] WININET.dll!InternetOpenUrlW 4459AEB9 5 Bytes JMP 00080EC8
.text C:\WINDOWS\Explorer.EXE[812] WS2_32.dll!socket 71A94211 5 Bytes JMP 000808C4
.text C:\WINDOWS\Explorer.EXE[812] WS2_32.dll!bind 71A94480 5 Bytes JMP 00080838
.text C:\WINDOWS\Explorer.EXE[812] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[896] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[896] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\csrss.exe[988] KERNEL32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001601A8
.text C:\WINDOWS\system32\csrss.exe[988] KERNEL32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00160090
.text C:\WINDOWS\system32\csrss.exe[988] KERNEL32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00160694
.text C:\WINDOWS\system32\csrss.exe[988] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 001602C0
.text C:\WINDOWS\system32\csrss.exe[988] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00160234
.text C:\WINDOWS\system32\csrss.exe[988] KERNEL32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00160004
.text C:\WINDOWS\system32\csrss.exe[988] KERNEL32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0016011C
.text C:\WINDOWS\system32\csrss.exe[988] KERNEL32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001604F0
.text C:\WINDOWS\system32\csrss.exe[988] KERNEL32.dll!CreateThread 7C8106C7 5 Bytes JMP 0016057C
.text C:\WINDOWS\system32\csrss.exe[988] KERNEL32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001603D8
.text C:\WINDOWS\system32\csrss.exe[988] KERNEL32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0016034C
.text C:\WINDOWS\system32\csrss.exe[988] KERNEL32.dll!WinExec 7C8623AD 5 Bytes JMP 00160464
.text C:\WINDOWS\system32\csrss.exe[988] KERNEL32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00160608
.text C:\WINDOWS\system32\csrss.exe[988] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001607AC
.text C:\WINDOWS\system32\csrss.exe[988] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00160720
.text C:\WINDOWS\system32\winlogon.exe[1012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\winlogon.exe[1012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\winlogon.exe[1012] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\winlogon.exe[1012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\winlogon.exe[1012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\winlogon.exe[1012] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\winlogon.exe[1012] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\winlogon.exe[1012] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\winlogon.exe[1012] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\winlogon.exe[1012] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\winlogon.exe[1012] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\winlogon.exe[1012] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\winlogon.exe[1012] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\winlogon.exe[1012] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\winlogon.exe[1012] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\winlogon.exe[1012] WS2_32.dll!socket 71A94211 5 Bytes JMP 000708C4
.text C:\WINDOWS\system32\winlogon.exe[1012] WS2_32.dll!bind 71A94480 5 Bytes JMP 00070838
.text C:\WINDOWS\system32\winlogon.exe[1012] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00070950
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\services.exe[1064] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\services.exe[1064] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\services.exe[1064] WS2_32.dll!socket 71A94211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\services.exe[1064] WS2_32.dll!bind 71A94480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\services.exe[1064] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\lsass.exe[1076] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\lsass.exe[1076] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\lsass.exe[1076] WS2_32.dll!socket 71A94211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\lsass.exe[1076] WS2_32.dll!bind 71A94480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\lsass.exe[1076] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[1128] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[1128] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetConnectA 4454499A 5 Bytes JMP 00080F54
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetConnectW 44545B88 5 Bytes JMP 00080FE0
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenA 4454C865 5 Bytes JMP 00080D24
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenW 4454CE99 5 Bytes JMP 00080DB0
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlA 44550BCA 5 Bytes JMP 00080E3C
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlW 4459AEB9 5 Bytes JMP 00080EC8
.text C:\WINDOWS\System32\svchost.exe[1128] WS2_32.dll!socket 71A94211 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[1128] WS2_32.dll!bind 71A94480 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[1128] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00080950
.text C:\Program Files\Common Files\Motive\McciCMService.exe[1196] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Common Files\Motive\McciCMService.exe[1196] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Common Files\Motive\McciCMService.exe[1196] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Common Files\Motive\McciCMService.exe[1196] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Common Files\Motive\McciCMService.exe[1196] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Common Files\Motive\McciCMService.exe[1196] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\Program Files\Common Files\Motive\McciCMService.exe[1196] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\Program Files\Common Files\Motive\McciCMService.exe[1196] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Program Files\Common Files\Motive\McciCMService.exe[1196] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\Program Files\Common Files\Motive\McciCMService.exe[1196] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\Program Files\Common Files\Motive\McciCMService.exe[1196] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\Program Files\Common Files\Motive\McciCMService.exe[1196] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\Program Files\Common Files\Motive\McciCMService.exe[1196] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\Program Files\Common Files\Motive\McciCMService.exe[1196] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\Program Files\Common Files\Motive\McciCMService.exe[1196] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\WINDOWS\System32\Ati2evxx.exe[1240] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\System32\Ati2evxx.exe[1240] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\System32\Ati2evxx.exe[1240] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\System32\Ati2evxx.exe[1240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\System32\Ati2evxx.exe[1240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\System32\Ati2evxx.exe[1240] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\WINDOWS\System32\Ati2evxx.exe[1240] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\WINDOWS\System32\Ati2evxx.exe[1240] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\WINDOWS\System32\Ati2evxx.exe[1240] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\WINDOWS\System32\Ati2evxx.exe[1240] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\WINDOWS\System32\Ati2evxx.exe[1240] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\WINDOWS\System32\Ati2evxx.exe[1240] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\WINDOWS\System32\Ati2evxx.exe[1240] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\WINDOWS\System32\Ati2evxx.exe[1240] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\System32\Ati2evxx.exe[1240] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1272] WS2_32.dll!socket 71A94211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1272] WS2_32.dll!bind 71A94480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1272] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtect

Sikec
Visitor
Posts: 30
Registered: 08 Feb 2009 21:34

Re: Win32/Mebroot.K

#358 Post by Sikec »

It was too long, so I split it:

7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1272] WS2_32.dll!socket 71A94211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1272] WS2_32.dll!bind 71A94480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1272] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1332] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1332] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1332] WS2_32.dll!socket 71A94211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1332] WS2_32.dll!bind 71A94480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1332] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[1472] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[1472] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[1472] WS2_32.dll!socket 71A94211 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[1472] WS2_32.dll!bind 71A94480 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[1472] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[1472] WININET.dll!InternetConnectA 4454499A 5 Bytes JMP 00080F54
.text C:\WINDOWS\System32\svchost.exe[1472] WININET.dll!InternetConnectW 44545B88 5 Bytes JMP 00080FE0
.text C:\WINDOWS\System32\svchost.exe[1472] WININET.dll!InternetOpenA 4454C865 5 Bytes JMP 00080D24
.text C:\WINDOWS\System32\svchost.exe[1472] WININET.dll!InternetOpenW 4454CE99 5 Bytes JMP 00080DB0
.text C:\WINDOWS\System32\svchost.exe[1472] WININET.dll!InternetOpenUrlA 44550BCA 5 Bytes JMP 00080E3C
.text C:\WINDOWS\System32\svchost.exe[1472] WININET.dll!InternetOpenUrlW 4459AEB9 5 Bytes JMP 00080EC8
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1540] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1540] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1540] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1540] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1540] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1540] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1540] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1540] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1540] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1540] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1540] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1540] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1540] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1540] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1540] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1556] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1556] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1556] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1556] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1556] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1556] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1556] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1556] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1556] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1556] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1556] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1556] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1556] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1556] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\Program Files\Eset\nod32kui.exe[1596] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Eset\nod32kui.exe[1596] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Eset\nod32kui.exe[1596] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Eset\nod32kui.exe[1596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Eset\nod32kui.exe[1596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Eset\nod32kui.exe[1596] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\Program Files\Eset\nod32kui.exe[1596] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\Program Files\Eset\nod32kui.exe[1596] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Program Files\Eset\nod32kui.exe[1596] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\Program Files\Eset\nod32kui.exe[1596] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\Program Files\Eset\nod32kui.exe[1596] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\Program Files\Eset\nod32kui.exe[1596] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\Program Files\Eset\nod32kui.exe[1596] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\Program Files\Eset\nod32kui.exe[1596] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\Program Files\Eset\nod32kui.exe[1596] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000301A8
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00030090
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00030694
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000302C0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00030234
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00030004
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0003011C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000304F0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0003057C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000303D8
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0003034C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00030464
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00030608
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] WS2_32.dll!socket 71A94211 5 Bytes JMP 000308C4
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] WS2_32.dll!bind 71A94480 5 Bytes JMP 00030838
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00030950
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000307AC
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00030720
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] WININET.dll!InternetConnectA 4454499A 5 Bytes JMP 00030F54
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] WININET.dll!InternetConnectW 44545B88 5 Bytes JMP 00030FE0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] WININET.dll!InternetOpenA 4454C865 5 Bytes JMP 00030D24
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] WININET.dll!InternetOpenW 4454CE99 5 Bytes JMP 00030DB0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] WININET.dll!InternetOpenUrlA 44550BCA 5 Bytes JMP 00030E3C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe[1600] WININET.dll!InternetOpenUrlW 4459AEB9 5 Bytes JMP 00030EC8
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1608] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1608] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1608] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1608] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1608] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1608] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1608] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1608] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1608] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1608] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1608] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1608] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1608] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1608] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\Program Files\DAEMON Tools\daemon.exe[1628] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\DAEMON Tools\daemon.exe[1628] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\DAEMON Tools\daemon.exe[1628] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\DAEMON Tools\daemon.exe[1628] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\DAEMON Tools\daemon.exe[1628] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\DAEMON Tools\daemon.exe[1628] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\Program Files\DAEMON Tools\daemon.exe[1628] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\Program Files\DAEMON Tools\daemon.exe[1628] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Program Files\DAEMON Tools\daemon.exe[1628] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\Program Files\DAEMON Tools\daemon.exe[1628] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\Program Files\DAEMON Tools\daemon.exe[1628] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\Program Files\DAEMON Tools\daemon.exe[1628] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\Program Files\DAEMON Tools\daemon.exe[1628] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\Program Files\DAEMON Tools\daemon.exe[1628] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\Program Files\DAEMON Tools\daemon.exe[1628] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] WS2_32.dll!socket 71A94211 5 Bytes JMP 001308C4
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] WS2_32.dll!bind 71A94480 5 Bytes JMP 00130838
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1656] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00130950
.text C:\WINDOWS\System32\svchost.exe[1704] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[1704] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[1704] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[1704] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[1704] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[1704] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[1704] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[1704] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[1704] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[1704] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[1704] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[1704] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[1704] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[1704] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[1704] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[1704] WS2_32.dll!socket 71A94211 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[1704] WS2_32.dll!bind 71A94480 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[1704] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00080950
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] WS2_32.dll!socket 71A94211 5 Bytes JMP 001308C4
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] WS2_32.dll!bind 71A94480 5 Bytes JMP 00130838
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00130950
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\Program Files\Java\jre6\bin\jqs.exe[1748] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] WININET.dll!InternetConnectA 4454499A 5 Bytes JMP 00130F54
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] WININET.dll!InternetConnectW 44545B88 5 Bytes JMP 00130FE0
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] WININET.dll!InternetOpenA 4454C865 5 Bytes JMP 00130D24
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] WININET.dll!InternetOpenW 4454CE99 5 Bytes JMP 00130DB0
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] WININET.dll!InternetOpenUrlA 44550BCA 5 Bytes JMP 00130E3C
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] WININET.dll!InternetOpenUrlW 4459AEB9 5 Bytes JMP 00130EC8
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] ws2_32.dll!socket 71A94211 5 Bytes JMP 001308C4
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] ws2_32.dll!bind 71A94480 5 Bytes JMP 00130838
.text C:\Program Files\Java\jre6\bin\jusched.exe[1756] ws2_32.dll!connect 71A94A07 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\ctfmon.exe[1772] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\ctfmon.exe[1772] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\ctfmon.exe[1772] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\ctfmon.exe[1772] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\ctfmon.exe[1772] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\ctfmon.exe[1772] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\ctfmon.exe[1772] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\ctfmon.exe[1772] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\ctfmon.exe[1772] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\ctfmon.exe[1772] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\ctfmon.exe[1772] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\ctfmon.exe[1772] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\ctfmon.exe[1772] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\ctfmon.exe[1772] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\ctfmon.exe[1772] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\spoolsv.exe[1988] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\spoolsv.exe[1988] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\spoolsv.exe[1988] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\spoolsv.exe[1988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\spoolsv.exe[1988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\spoolsv.exe[1988] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\spoolsv.exe[1988] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\spoolsv.exe[1988] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\spoolsv.exe[1988] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\spoolsv.exe[1988] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\spoolsv.exe[1988] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\spoolsv.exe[1988] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\spoolsv.exe[1988] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\spoolsv.exe[1988] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\spoolsv.exe[1988] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\spoolsv.exe[1988] WS2_32.dll!socket 71A94211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\spoolsv.exe[1988] WS2_32.dll!bind 71A94480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\spoolsv.exe[1988] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\alg.exe[2628] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\alg.exe[2628] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\alg.exe[2628] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\alg.exe[2628] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\alg.exe[2628] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\alg.exe[2628] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\alg.exe[2628] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\alg.exe[2628] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\alg.exe[2628] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\alg.exe[2628] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\alg.exe[2628] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\alg.exe[2628] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\alg.exe[2628] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\alg.exe[2628] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\alg.exe[2628] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\alg.exe[2628] WS2_32.dll!socket 71A94211 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\alg.exe[2628] WS2_32.dll!bind 71A94480 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\alg.exe[2628] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00080950
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] WS2_32.dll!socket 71A94211 5 Bytes JMP 001308C4
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] WS2_32.dll!bind 71A94480 5 Bytes JMP 00130838
.text C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe[2684] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00130950
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] WS2_32.dll!socket 71A94211 5 Bytes JMP 001308C4
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] WS2_32.dll!bind 71A94480 5 Bytes JMP 00130838
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] WS2_32.dll!connect 71A94A07 5 Bytes JMP 00130950
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] WININET.dll!InternetConnectA 4454499A 5 Bytes JMP 00130F54
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] WININET.dll!InternetConnectW 44545B88 5 Bytes JMP 00130FE0
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] WININET.dll!InternetOpenA 4454C865 5 Bytes JMP 00130D24
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] WININET.dll!InternetOpenW 4454CE99 5 Bytes JMP 00130DB0
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] WININET.dll!InternetOpenUrlA 44550BCA 5 Bytes JMP 00130E3C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3176] WININET.dll!InternetOpenUrlW 4459AEB9 5 Bytes JMP 00130EC8
.text C:\Documents and Settings\Tomas\Plocha\gmer.exe[3752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Documents and Settings\Tomas\Plocha\gmer.exe[3752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Documents and Settings\Tomas\Plocha\gmer.exe[3752] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Documents and Settings\Tomas\Plocha\gmer.exe[3752] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004
.text C:\Documents and Settings\Tomas\Plocha\gmer.exe[3752] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C
.text C:\Documents and Settings\Tomas\Plocha\gmer.exe[3752] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0
.text C:\Documents and Settings\Tomas\Plocha\gmer.exe[3752] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C
.text C:\Documents and Settings\Tomas\Plocha\gmer.exe[3752] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text C:\Documents and Settings\Tomas\Plocha\gmer.exe[3752] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text C:\Documents and Settings\Tomas\Plocha\gmer.exe[3752] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608
.text C:\Documents and Settings\Tomas\Plocha\gmer.exe[3752] USER32.DLL!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC
.text C:\Documents and Settings\Tomas\Plocha\gmer.exe[3752] USER32.DLL!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7514DB2] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A71E] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F75153B2] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F75152B6] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F7515482] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IofCallDriver] [F7515482] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F75153B2] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F75152B6] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A032] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F7514F6E] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [F7529C76] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F7514E06] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7507A32] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7507B6E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7507AF6] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F75086CC] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F75085A2] sptd.sys
IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A864] sptd.sys
IAT \WINDOWS\System32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F7519F78] sptd.sys

Sikec
Guest
Posts: 30
Registered: 08 Feb 2009 21:34

Re: Win32/Mebroot.K

#359 Post by Sikec »

IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F7529C76] sptd.sys
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A864] sptd.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B0835040] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B083505B] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B08350DF] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B0835102] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B08350DF] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B083505B] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B0835040] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisClCloseCall] [B0835995] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisClMakeCall] [B0835898] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCoDeleteVc] [B08357DA] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCoCreateVc] [B0835689] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [B0835040] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B083505B] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisClOpenAddressFamily] [B0835EAD] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisClCloseAddressFamily] [B083616A] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCoSendPackets] [B0835541] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [B0835102] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [B08350DF] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\rdbss.sys[ntoskrnl.exe!IofCallDriver] [F7507020] sptd.sys
IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IofCallDriver] [F7507020] sptd.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] [B0835102] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisCloseAdapter] [B0835040] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisOpenAdapter] [B083505B] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] [B08350DF] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B08350DF] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B0835102] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B0835040] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B083505B] \SystemRoot\system32\drivers\fwdrv.sys (Kerio Technologies)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A77A4D0

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset)

Device \FileSystem\Fastfat \FatCdrom 8A35FEB0

AttachedDevice \Driver\Tcpip \Device\Ip fwdrv.sys (Kerio Technologies)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBT_Tcpip_{F823DDD0-C493-4146-817D-37F9B756BC26} 8A372EB0
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A77AC78
Device \Driver\dmio \Device\DmControl\DmConfig 8A77AC78
Device \Driver\dmio \Device\DmControl\DmPnP 8A77AC78
Device \Driver\dmio \Device\DmControl\DmInfo 8A77AC78

AttachedDevice \Driver\Tcpip \Device\Tcp fwdrv.sys (Kerio Technologies)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A77AEB0
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A77AEB0
Device \Driver\Cdrom \Device\CdRom0 8A5F0CE0
Device \FileSystem\Rdbss \Device\FsWrap 8A343928
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A77AEB0
Device \Driver\Cdrom \Device\CdRom1 8A5F0CE0
Device \Driver\Ftdisk \Device\HarddiskVolume4 8A77AEB0
Device \Driver\Cdrom \Device\CdRom2 8A5F0CE0
Device \Driver\Ftdisk \Device\HarddiskVolume5 8A77AEB0
Device \Driver\Ftdisk \Device\HarddiskVolume6 8A77AEB0
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A372EB0
Device \Driver\NetBT \Device\NetbiosSmb 8A372EB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{FE5F1C5E-01EE-4B33-A674-39B8D729E76C} 8A372EB0

AttachedDevice \Driver\Tcpip \Device\Udp fwdrv.sys (Kerio Technologies)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Disk \Device\Harddisk0\DR0 8A77A788

AttachedDevice \Driver\Tcpip \Device\RawIp fwdrv.sys (Kerio Technologies)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\00000145 \Device\0000006a sptd.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A346A50
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A346A50
Device \FileSystem\Npfs \Device\NamedPipe 8A37FD58
Device \Driver\Ftdisk \Device\FtControl 8A77AEB0
Device \FileSystem\Msfs \Device\Mailslot 8A386EB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{7AA50CCE-3EAD-456C-B0CD-22C3CD3010C6} 8A372EB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target0Lun0 8A5DBD78
Device \Driver\dtscsi \Device\Scsi\dtscsi1 8A5DBD78
Device \FileSystem\Fastfat \Fat 8A35FEB0

AttachedDevice \FileSystem\Fastfat \Fat amon.sys (Amon monitor/Eset)

Device \FileSystem\Cdfs \Cdfs 89F71EB0

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x97 0x0C 0xE0 0xCB ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x1D 0x8D 0xBB 0x8C ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB1 0xD4 0x98 0x8A ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCD 0x8A 0x4E 0x60 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x97 0x0C 0xE0 0xCB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x1D 0x8D 0xBB 0x8C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB1 0xD4 0x98 0x8A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCD 0x8A 0x4E 0x60 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 771055298
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 573309940
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 607114303
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x97 0x0C 0xE0 0xCB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x1D 0x8D 0xBB 0x8C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB1 0xD4 0x98 0x8A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCD 0x8A 0x4E 0x60 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x97 0x0C 0xE0 0xCB ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x1D 0x8D 0xBB 0x8C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB1 0xD4 0x98 0x8A ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCD 0x8A 0x4E 0x60 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x97 0x0C 0xE0 0xCB ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x1D 0x8D 0xBB 0x8C ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB1 0xD4 0x98 0x8A ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCD 0x8A 0x4E 0x60 ...

---- EOF - GMER 1.0.14 ----


What can I do so that it doesn't have so many lines? This way I can't get the second log of all the disks in here...

Sikec
Guest
Posts: 30
Registered: 08 Feb 2009 21:34

Re: Win32/Mebroot.K

#360 Post by Sikec »

I uploaded the second log from Gmer here: http://uloz.to/1292460/Log 2 všeho.log

Locked