Troj/Rustok-N

Below is the report I received from Hijackthis. Could someone please tell me what the next step is? thanks.



Scan saved at 11:08:06 PM, on 12/23/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PGI7903\hijackgpthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

--
End of file - 2793 bytes

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts, but select NO when asked to install the recovery console.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Here is the report combofix gave me. Please let me know what to do next:



ComboFix 08-12-24.01 - Michael 2008-12-24 20:04:16.1 - NTFSx86
Microsoft Windows Vista Home Premium 6.0.6000.0.1252.1.1033.18.3061.2224 [GMT -5:00]
Running from: c:\users\Michael\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\TEACico2.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))
.

2008-12-24 22:34 . 2008-12-24 19:42 d-------- c:\windows\Debug
2008-12-24 22:32 . 2008-12-24 22:32 d-------- c:\windows\System32\OEM
2008-12-24 22:32 . 2008-12-24 22:40 d-------- c:\windows\Panther
2008-12-24 22:32 . 2008-12-24 22:32 d--hs---- C:\Boot
2008-12-24 22:32 . 2006-11-02 04:53 438,840 -rahs---- C:\bootmgr
2008-12-24 22:32 . 2008-12-24 22:32 8,192 -ra-s---- C:\BOOTSECT.BAK
2008-12-24 22:32 . 2007-02-21 14:56 36 -rah----- c:\windows\DELL_VERSION
2008-12-24 19:59 . 2008-12-24 19:59 d-------- c:\users\Michael\AppData\Roaming\SUPERAntiSpyware.com
2008-12-24 19:59 . 2008-12-24 19:59 d-------- c:\users\All Users\SUPERAntiSpyware.com
2008-12-24 19:59 . 2008-12-24 19:59 d-------- c:\programdata\SUPERAntiSpyware.com
2008-12-24 19:59 . 2008-12-24 19:59 d-------- c:\program files\SUPERAntiSpyware
2008-12-24 19:59 . 2008-12-24 19:59 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-24 19:56 . 2008-12-24 19:56 19,508 --a------ c:\windows\System32\results.xml
2008-12-24 19:53 . 2007-04-13 13:22 228,224 --a------ c:\windows\System32\drivers\e1e6032.sys
2008-12-24 19:53 . 2007-01-17 15:59 179,048 --a------ c:\windows\System32\e1000msg.dll
2008-12-24 19:53 . 2007-04-12 11:47 154,496 --a------ c:\windows\System32\Prounstl.exe
2008-12-24 19:53 . 2007-03-07 16:20 39,288 --a------ c:\windows\System32\NicInE6.dll
2008-12-24 19:53 . 2007-03-07 12:35 28,536 --a------ c:\windows\System32\NicCo6.dll
2008-12-24 19:53 . 2007-03-07 15:41 2,689 --a------ c:\windows\System32\e1e6032.din
2008-12-24 19:53 . 2006-01-12 14:52 1,904 --------- c:\windows\System32\SetupBD.din
2008-12-24 19:48 . 2008-12-24 19:48 d-------- c:\windows\System32\RTCOM
2008-12-24 19:48 . 2008-12-24 19:54 d-------- c:\windows\LastGood.Tmp
2008-12-24 19:48 . 2008-12-24 19:54 d-------- c:\program files\Intel
2008-12-24 19:48 . 2008-12-24 19:57 d-------- C:\Intel
2008-12-24 19:47 . 2008-12-24 19:47 d-------- c:\program files\Realtek
2008-12-24 19:47 . 2008-12-24 19:47 d--h----- c:\program files\InstallShield Installation Information
2008-12-24 19:47 . 2008-12-24 19:47 d-------- c:\program files\Dell
2008-12-24 19:47 . 2008-12-24 19:47 d-------- c:\program files\Common Files\InstallShield
2008-12-24 19:44 . 2008-12-24 19:44 dr------- c:\users\Michael\Searches
2008-12-24 19:43 . 2008-12-24 19:44 dr------- c:\users\Michael\Videos
2008-12-24 19:43 . 2008-12-24 19:44 dr------- c:\users\Michael\Saved Games
2008-12-24 19:43 . 2008-12-24 19:44 dr------- c:\users\Michael\Pictures
2008-12-24 19:43 . 2008-12-24 19:44 dr------- c:\users\Michael\Music
2008-12-24 19:43 . 2008-12-24 19:44 dr------- c:\users\Michael\Links
2008-12-24 19:43 . 2008-12-24 19:44 dr------- c:\users\Michael\Downloads
2008-12-24 19:43 . 2008-12-24 19:44 dr------- c:\users\Michael\Documents
2008-12-24 19:43 . 2008-12-24 19:43 dr------- c:\users\Michael\Contacts
2008-12-24 19:43 . 2006-11-02 07:37 d-------- c:\users\Michael\AppData\Roaming\Media Center Programs
2008-12-24 19:43 . 2008-12-24 19:44 d--h----- c:\users\Michael\AppData
2008-12-24 19:43 . 2008-12-24 19:54 d-------- c:\users\Michael
2008-12-24 19:41 . 2008-12-24 19:41 dr------- c:\windows\System32\config\systemprofile\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 00:47 319,456 ----a-w c:\windows\DIFxAPI.dll
2008-12-25 00:47 315,392 ----a-w c:\windows\HideWin.exe
2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2006-11-02 1196032]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 c:\windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-14 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-14 138008]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-02 c:\windows\RtHDVCpl.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

*Newly Created Service* - CATCHME
*Newly Created Service* - DXGKRNL
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SASDIFSV
*Newly Created Service* - SASENUM
*Newly Created Service* - SASKUTIL
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-24 20:05:51
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-24 20:08:56
ComboFix-quarantined-files.txt 2008-12-25 01:08:55

Pre-Run: 234,378,108,928 bytes free
Post-Run: 234,390,974,464 bytes free

104

Hello.
Log looks clean, where did this rustock get detected? there was no usual signs of the rustock family.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

I know it looks clean but it isn't. I checked it by going to a specific porn site and it didn't let me access it. Instead an error message came on the website saying that I have rustok-n. This problem just doesn't go away. Maybe I have something more than just rustok-n but I formatted both hard drive partitions and it still won't go away. What do I do now?

I think your problem is just that.
Stop visiting porn sites, otherwise you'll get infected and infected and infected.
Need I say more?

You really need to be careful when you surf.

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tools works in safe mode. Other rootkitrevealers don't.

The thing is I keep trying to update different antivirus programs and they won't update so I obviously still have it. I will try what you just said but what if it doesn't work?

GMER does deeper than any other scanner.
But seriously, rustock presents with a static file name and uses ADS, combofix dected neither.

I know but I must have it or something else in addition to it since I cant update any antivirus or even windows vista updates either. Here is what GMER found:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-24 20:42:00
Windows 6.0.6000


---- System - GMER 1.0.14 ----

SSDT 87F67000 ZwAlpcConnectPort
SSDT 87F67005 ZwAssignProcessToJobObject
SSDT 87F6700A ZwConnectPort
SSDT 87F6700F ZwCreateFile
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateKey [0x8DB0C7A6]
SSDT 87F67019 ZwCreateProcess
SSDT 87F6701E ZwCreateProcessEx
SSDT 87F67023 ZwCreateThread
SSDT 87F6702D ZwDebugActiveProcess
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteKey [0x8DB0D1F0]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteValueKey [0x8DB0D42A]
SSDT 87F67032 ZwDuplicateObject
SSDT 87F67037 ZwLoadDriver
SSDT 87F6703C ZwOpenKey
SSDT 87F67041 ZwOpenSection
SSDT 87F67046 ZwOpenThread
SSDT 87F67050 ZwProtectVirtualMemory
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0x8DB0E12A]
SSDT 87F6704B ZwResumeThread
SSDT 87F67055 ZwSecureConnectPort
SSDT 87F6705A ZwSetValueKey
SSDT 87F6705F ZwSuspendProcess
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8E2BBF20]
SSDT 87F67069 ZwWriteVirtualMemory
SSDT 87F67028 ZwCreateThreadEx
SSDT 87F67014 ZwCreateUserProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 852 81C80BCE 2 Bytes [ F6, 87 ]
? C:\Windows\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Windows\Explorer.EXE[132] ntdll.dll!NtLoadDriver 7735FAA4 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\Explorer.EXE[132] ntdll.dll!NtLoadDriver + 4 7735FAA8 2 Bytes [ 4D, 5F ]
.text C:\Windows\Explorer.EXE[132] ntdll.dll!NtSuspendProcess 77360534 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\Explorer.EXE[132] ntdll.dll!NtSuspendProcess + 4 77360538 2 Bytes [ 3B, 5F ]
.text C:\Windows\Explorer.EXE[132] kernel32.dll!TerminateProcess 75BC18E0 6 Bytes JMP 5F0D0F5A
.text C:\Windows\Explorer.EXE[132] kernel32.dll!WriteProcessMemory 75BC1C25 6 Bytes JMP 5F100F5A
.text C:\Windows\Explorer.EXE[132] kernel32.dll!CreateProcessW 75BC1D27 6 Bytes JMP 5F250F5A
.text C:\Windows\Explorer.EXE[132] kernel32.dll!CreateProcessA 75BC1D5C 6 Bytes JMP 5F220F5A
.text C:\Windows\Explorer.EXE[132] kernel32.dll!WinExec 75BC32DF 6 Bytes JMP 5F340F5A
.text C:\Windows\Explorer.EXE[132] kernel32.dll!TerminateThread 75BE6280 6 Bytes JMP 5F3D0F5A
.text C:\Windows\Explorer.EXE[132] kernel32.dll!LoadLibraryExW 75BE95AF 6 Bytes JMP 5F070F5A
.text C:\Windows\Explorer.EXE[132] kernel32.dll!LoadLibraryW 75BE9727 6 Bytes JMP 5F190F5A
.text C:\Windows\Explorer.EXE[132] kernel32.dll!LoadLibraryA 75BE9A9E 6 Bytes JMP 5F160F5A
.text C:\Windows\Explorer.EXE[132] kernel32.dll!CreateRemoteThread 75C03587 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\Explorer.EXE[132] kernel32.dll!CreateRemoteThread + 4 75C0358B 2 Bytes [ 05, 5F ]
.text C:\Windows\Explorer.EXE[132] kernel32.dll!GetProcAddress 75C04120 6 Bytes JMP 5F130F5A
.text C:\Windows\Explorer.EXE[132] kernel32.dll!DebugActiveProcess 75C48CC0 6 Bytes JMP 5F400F5A
.text C:\Windows\Explorer.EXE[132] ADVAPI32.dll!LsaRemoveAccountRights 772A8889 6 Bytes JMP 5F0A0F5A
.text C:\Windows\Explorer.EXE[132] ADVAPI32.dll!CreateServiceA 772C3C41 6 Bytes JMP 5F4F0F5A
.text C:\Windows\Explorer.EXE[132] USER32.dll!SetWindowsHookExA 76138912 6 Bytes JMP 5F1C0F5A
.text C:\Windows\Explorer.EXE[132] USER32.dll!SetWindowsHookExW 76139135 6 Bytes JMP 5F1F0F5A
.text C:\Windows\Explorer.EXE[132] USER32.dll!SetWinEventHook 76149C65 6 Bytes JMP 5F520F5A
.text C:\Windows\Explorer.EXE[132] USER32.dll!GetAsyncKeyState 76149FE1 6 Bytes JMP 5F460F5A
.text C:\Windows\Explorer.EXE[132] USER32.dll!GetKeyState 7614C2BE 6 Bytes JMP 5F430F5A
.text C:\Windows\Explorer.EXE[132] USER32.dll!DdeConnect 76183887 6 Bytes JMP 5F490F5A
.text C:\Windows\Explorer.EXE[132] USER32.dll!EndTask 76184A3A 6 Bytes JMP 5F370F5A
.text C:\Windows\Explorer.EXE[132] SHELL32.dll!ShellExecuteEx 763E9D48 6 Bytes JMP 5F2E0F5A
.text C:\Windows\Explorer.EXE[132] SHELL32.dll!ShellExecuteW 763FCD3D 6 Bytes JMP 5F2B0F5A
.text C:\Windows\Explorer.EXE[132] SHELL32.dll!ShellExecuteExW 763FE654 6 Bytes JMP 5F310F5A
.text C:\Windows\Explorer.EXE[132] SHELL32.dll!ShellExecuteA 765DA3E8 6 Bytes JMP 5F280F5A
.text C:\Windows\system32\wininit.exe[536] ntdll.dll!NtLoadDriver 7735FAA4 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\wininit.exe[536] ntdll.dll!NtLoadDriver + 4 7735FAA8 2 Bytes [ 41, 5F ]
.text C:\Windows\system32\wininit.exe[536] ntdll.dll!NtSuspendProcess 77360534 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\wininit.exe[536] ntdll.dll!NtSuspendProcess + 4 77360538 2 Bytes [ 2F, 5F ]
.text C:\Windows\system32\wininit.exe[536] kernel32.dll!TerminateProcess 75BC18E0 6 Bytes JMP 5F0D0F5A
.text C:\Windows\system32\wininit.exe[536] kernel32.dll!WriteProcessMemory 75BC1C25 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\wininit.exe[536] kernel32.dll!CreateProcessW 75BC1D27 6 Bytes JMP 5F250F5A
.text C:\Windows\system32\wininit.exe[536] kernel32.dll!CreateProcessA 75BC1D5C 6 Bytes JMP 5F220F5A
.text C:\Windows\system32\wininit.exe[536] kernel32.dll!WinExec 75BC32DF 6 Bytes JMP 5F280F5A
.text C:\Windows\system32\wininit.exe[536] kernel32.dll!TerminateThread 75BE6280 6 Bytes JMP 5F310F5A
.text C:\Windows\system32\wininit.exe[536] kernel32.dll!LoadLibraryExW 75BE95AF 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\wininit.exe[536] kernel32.dll!LoadLibraryW 75BE9727 6 Bytes JMP 5F190F5A
.text C:\Windows\system32\wininit.exe[536] kernel32.dll!LoadLibraryA 75BE9A9E 6 Bytes JMP 5F160F5A
.text C:\Windows\system32\wininit.exe[536] kernel32.dll!CreateRemoteThread 75C03587 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\wininit.exe[536] kernel32.dll!CreateRemoteThread + 4 75C0358B 2 Bytes [ 05, 5F ]
.text C:\Windows\system32\wininit.exe[536] kernel32.dll!GetProcAddress 75C04120 6 Bytes JMP 5F130F5A
.text C:\Windows\system32\wininit.exe[536] kernel32.dll!DebugActiveProcess 75C48CC0 6 Bytes JMP 5F340F5A
.text C:\Windows\system32\wininit.exe[536] ADVAPI32.dll!LsaRemoveAccountRights 772A8889 6 Bytes JMP 5F0A0F5A
.text C:\Windows\system32\wininit.exe[536] ADVAPI32.dll!CreateServiceA 772C3C41 6 Bytes JMP 5F430F5A
.text C:\Windows\system32\wininit.exe[536] USER32.dll!SetWindowsHookExA 76138912 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\wininit.exe[536] USER32.dll!SetWindowsHookExW 76139135 6 Bytes JMP 5F1F0F5A
.text C:\Windows\system32\wininit.exe[536] USER32.dll!SetWinEventHook 76149C65 6 Bytes JMP 5F460F5A
.text C:\Windows\system32\wininit.exe[536] USER32.dll!GetAsyncKeyState 76149FE1 6 Bytes JMP 5F3A0F5A
.text C:\Windows\system32\wininit.exe[536] USER32.dll!GetKeyState 7614C2BE 6 Bytes JMP 5F370F5A
.text C:\Windows\system32\wininit.exe[536] USER32.dll!DdeConnect 76183887 6 Bytes JMP 5F3D0F5A
.text C:\Windows\system32\wininit.exe[536] USER32.dll!EndTask 76184A3A 6 Bytes JMP 5F2B0F5A
.text C:\Windows\system32\services.exe[580] ntdll.dll!NtLoadDriver 7735FAA4 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\services.exe[580] ntdll.dll!NtLoadDriver + 4 7735FAA8 2 Bytes [ 41, 5F ]
.text C:\Windows\system32\services.exe[580] ntdll.dll!NtSuspendProcess 77360534 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\services.exe[580] ntdll.dll!NtSuspendProcess + 4 77360538 2 Bytes [ 2F, 5F ]
.text C:\Windows\system32\services.exe[580] kernel32.dll!TerminateProcess 75BC18E0 6 Bytes JMP 5F0D0F5A
.text C:\Windows\system32\services.exe[580] kernel32.dll!WriteProcessMemory 75BC1C25 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\services.exe[580] kernel32.dll!CreateProcessW 75BC1D27 6 Bytes JMP 5F250F5A
.text C:\Windows\system32\services.exe[580] kernel32.dll!CreateProcessA 75BC1D5C 6 Bytes JMP 5F220F5A
.text C:\Windows\system32\services.exe[580] kernel32.dll!WinExec 75BC32DF 6 Bytes JMP 5F280F5A
.text C:\Windows\system32\services.exe[580] kernel32.dll!TerminateThread 75BE6280 6 Bytes JMP 5F310F5A
.text C:\Windows\system32\services.exe[580] kernel32.dll!LoadLibraryExW 75BE95AF 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\services.exe[580] kernel32.dll!LoadLibraryW 75BE9727 6 Bytes JMP 5F190F5A
.text C:\Windows\system32\services.exe[580] kernel32.dll!LoadLibraryA 75BE9A9E 6 Bytes JMP 5F160F5A
.text C:\Windows\system32\services.exe[580] kernel32.dll!CreateRemoteThread 75C03587 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\services.exe[580] kernel32.dll!CreateRemoteThread + 4 75C0358B 2 Bytes [ 05, 5F ]
.text C:\Windows\system32\services.exe[580] kernel32.dll!GetProcAddress 75C04120 6 Bytes JMP 5F130F5A
.text C:\Windows\system32\services.exe[580] kernel32.dll!DebugActiveProcess 75C48CC0 6 Bytes JMP 5F340F5A
.text C:\Windows\system32\services.exe[580] ADVAPI32.dll!LsaRemoveAccountRights 772A8889 6 Bytes JMP 5F0A0F5A
.text C:\Windows\system32\services.exe[580] ADVAPI32.dll!CreateServiceA 772C3C41 6 Bytes JMP 5F430F5A
.text C:\Windows\system32\services.exe[580] USER32.dll!SetWindowsHookExA 76138912 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\services.exe[580] USER32.dll!SetWindowsHookExW 76139135 6 Bytes JMP 5F1F0F5A
.text C:\Windows\system32\services.exe[580] USER32.dll!SetWinEventHook 76149C65 6 Bytes JMP 5F460F5A
.text C:\Windows\system32\services.exe[580] USER32.dll!GetAsyncKeyState 76149FE1 6 Bytes JMP 5F3A0F5A

.text C:\Windows\system32\services.exe[580] USER32.dll!GetKeyState 7614C2BE 6 Bytes JMP 5F370F5A
.text C:\Windows\system32\services.exe[580] USER32.dll!DdeConnect 76183887 6 Bytes JMP 5F3D0F5A
.text C:\Windows\system32\services.exe[580] USER32.dll!EndTask 76184A3A 6 Bytes JMP 5F2B0F5A
.text C:\Windows\system32\lsass.exe[612] ntdll.dll!NtLoadDriver 7735FAA4 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\lsass.exe[612] ntdll.dll!NtLoadDriver + 4 7735FAA8 2 Bytes [ 41, 5F ]
.text C:\Windows\system32\lsass.exe[612] ntdll.dll!NtSuspendProcess 77360534 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\lsass.exe[612] ntdll.dll!NtSuspendProcess + 4 77360538 2 Bytes [ 2F, 5F ]
.text C:\Windows\system32\lsass.exe[612] kernel32.dll!TerminateProcess 75BC18E0 6 Bytes JMP 5F0D0F5A
.text C:\Windows\system32\lsass.exe[612] kernel32.dll!WriteProcessMemory 75BC1C25 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateProcessW 75BC1D27 6 Bytes JMP 5F250F5A
.text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateProcessA 75BC1D5C 6 Bytes JMP 5F220F5A
.text C:\Windows\system32\lsass.exe[612] kernel32.dll!WinExec 75BC32DF 6 Bytes JMP 5F280F5A
.text C:\Windows\system32\lsass.exe[612] kernel32.dll!TerminateThread 75BE6280 6 Bytes JMP 5F310F5A
.text C:\Windows\system32\lsass.exe[612] kernel32.dll!LoadLibraryExW 75BE95AF 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\lsass.exe[612] kernel32.dll!LoadLibraryW 75BE9727 6 Bytes JMP 5F190F5A
.text C:\Windows\system32\lsass.exe[612] kernel32.dll!LoadLibraryA 75BE9A9E 6 Bytes JMP 5F160F5A
.text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateRemoteThread 75C03587 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateRemoteThread + 4 75C0358B 2 Bytes [ 05, 5F ]
.text C:\Windows\system32\lsass.exe[612] kernel32.dll!GetProcAddress 75C04120 6 Bytes JMP 5F130F5A
.text C:\Windows\system32\lsass.exe[612] kernel32.dll!DebugActiveProcess 75C48CC0 6 Bytes JMP 5F340F5A
.text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!LsaRemoveAccountRights 772A8889 6 Bytes JMP 5F0A0F5A
.text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!CreateServiceA 772C3C41 6 Bytes JMP 5F430F5A
.text C:\Windows\system32\lsass.exe[612] USER32.dll!SetWindowsHookExA 76138912 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\lsass.exe[612] USER32.dll!SetWindowsHookExW 76139135 6 Bytes JMP 5F1F0F5A
.text C:\Windows\system32\lsass.exe[612] USER32.dll!SetWinEventHook 76149C65 6 Bytes JMP 5F460F5A
.text C:\Windows\system32\lsass.exe[612] USER32.dll!GetAsyncKeyState 76149FE1 6 Bytes JMP 5F3A0F5A
.text C:\Windows\system32\lsass.exe[612] USER32.dll!GetKeyState 7614C2BE 6 Bytes JMP 5F370F5A
.text C:\Windows\system32\lsass.exe[612] USER32.dll!DdeConnect 76183887 6 Bytes JMP 5F3D0F5A
.text C:\Windows\system32\lsass.exe[612] USER32.dll!EndTask 76184A3A 6 Bytes JMP 5F2B0F5A
.text C:\Windows\system32\lsm.exe[620] ntdll.dll!NtLoadDriver 7735FAA4 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\lsm.exe[620] ntdll.dll!NtLoadDriver + 4 7735FAA8 2 Bytes [ 41, 5F ]
.text C:\Windows\system32\lsm.exe[620] ntdll.dll!NtSuspendProcess 77360534 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\lsm.exe[620] ntdll.dll!NtSuspendProcess + 4 77360538 2 Bytes [ 2F, 5F ]
.text C:\Windows\system32\lsm.exe[620] kernel32.dll!TerminateProcess 75BC18E0 6 Bytes JMP 5F0D0F5A
.text C:\Windows\system32\lsm.exe[620] kernel32.dll!WriteProcessMemory 75BC1C25 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateProcessW 75BC1D27 6 Bytes JMP 5F250F5A
.text C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateProcessA 75BC1D5C 6 Bytes JMP 5F220F5A
.text C:\Windows\system32\lsm.exe[620] kernel32.dll!WinExec 75BC32DF 6 Bytes JMP 5F280F5A
.text C:\Windows\system32\lsm.exe[620] kernel32.dll!TerminateThread 75BE6280 6 Bytes JMP 5F310F5A
.text C:\Windows\system32\lsm.exe[620] kernel32.dll!LoadLibraryExW 75BE95AF 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\lsm.exe[620] kernel32.dll!LoadLibraryW 75BE9727 6 Bytes JMP 5F190F5A
.text C:\Windows\system32\lsm.exe[620] kernel32.dll!LoadLibraryA 75BE9A9E 6 Bytes JMP 5F160F5A
.text C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateRemoteThread 75C03587 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateRemoteThread + 4 75C0358B 2 Bytes [ 05, 5F ]
.text C:\Windows\system32\lsm.exe[620] kernel32.dll!GetProcAddress 75C04120 6 Bytes JMP 5F130F5A
.text C:\Windows\system32\lsm.exe[620] kernel32.dll!DebugActiveProcess 75C48CC0 6 Bytes JMP 5F340F5A
.text C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!LsaRemoveAccountRights 772A8889 6 Bytes JMP 5F0A0F5A
.text C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!CreateServiceA 772C3C41 6 Bytes JMP 5F430F5A
.text C:\Windows\system32\lsm.exe[620] USER32.dll!SetWindowsHookExA 76138912 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\lsm.exe[620] USER32.dll!SetWindowsHookExW 76139135 6 Bytes JMP 5F1F0F5A
.text C:\Windows\system32\lsm.exe[620] USER32.dll!SetWinEventHook 76149C65 6 Bytes JMP 5F460F5A
.text C:\Windows\system32\lsm.exe[620] USER32.dll!GetAsyncKeyState 76149FE1 6 Bytes JMP 5F3A0F5A
.text C:\Windows\system32\lsm.exe[620] USER32.dll!GetKeyState 7614C2BE 6 Bytes JMP 5F370F5A
.text C:\Windows\system32\lsm.exe[620] USER32.dll!DdeConnect 76183887 6 Bytes JMP 5F3D0F5A
.text C:\Windows\system32\lsm.exe[620] USER32.dll!EndTask 76184A3A 6 Bytes JMP 5F2B0F5A
.text C:\Windows\system32\taskeng.exe[788] ntdll.dll!NtLoadDriver 7735FAA4 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\taskeng.exe[788] ntdll.dll!NtLoadDriver + 4 7735FAA8 2 Bytes [ 4D, 5F ]
.text C:\Windows\system32\taskeng.exe[788] ntdll.dll!NtSuspendProcess 77360534 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\taskeng.exe[788] ntdll.dll!NtSuspendProcess + 4 77360538 2 Bytes [ 3B, 5F ]
.text C:\Windows\system32\taskeng.exe[788] kernel32.dll!TerminateProcess 75BC18E0 6 Bytes JMP 5F0D0F5A
.text C:\Windows\system32\taskeng.exe[788] kernel32.dll!WriteProcessMemory 75BC1C25 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\taskeng.exe[788] kernel32.dll!CreateProcessW 75BC1D27 6 Bytes JMP 5F250F5A
.text C:\Windows\system32\taskeng.exe[788] kernel32.dll!CreateProcessA 75BC1D5C 6 Bytes JMP 5F220F5A
.text C:\Windows\system32\taskeng.exe[788] kernel32.dll!WinExec 75BC32DF 6 Bytes JMP 5F340F5A
.text C:\Windows\system32\taskeng.exe[788] kernel32.dll!TerminateThread 75BE6280 6 Bytes JMP 5F3D0F5A
.text C:\Windows\system32\taskeng.exe[788] kernel32.dll!LoadLibraryExW 75BE95AF 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\taskeng.exe[788] kernel32.dll!LoadLibraryW 75BE9727 6 Bytes JMP 5F190F5A
.text C:\Windows\system32\taskeng.exe[788] kernel32.dll!LoadLibraryA 75BE9A9E 6 Bytes JMP 5F160F5A
.text C:\Windows\system32\taskeng.exe[788] kernel32.dll!CreateRemoteThread 75C03587 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\taskeng.exe[788] kernel32.dll!CreateRemoteThread + 4 75C0358B 2 Bytes [ 05, 5F ]
.text C:\Windows\system32\taskeng.exe[788] kernel32.dll!GetProcAddress 75C04120 6 Bytes JMP 5F130F5A
.text C:\Windows\system32\taskeng.exe[788] kernel32.dll!DebugActiveProcess 75C48CC0 6 Bytes JMP 5F400F5A
.text C:\Windows\system32\taskeng.exe[788] ADVAPI32.dll!LsaRemoveAccountRights 772A8889 6 Bytes JMP 5F0A0F5A
.text C:\Windows\system32\taskeng.exe[788] ADVAPI32.dll!CreateServiceA 772C3C41 6 Bytes JMP 5F4F0F5A
.text C:\Windows\system32\taskeng.exe[788] USER32.dll!SetWindowsHookExA 76138912 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\taskeng.exe[788] USER32.dll!SetWindowsHookExW 76139135 6 Bytes JMP 5F1F0F5A

.text C:\Windows\system32\taskeng.exe[788] USER32.dll!SetWinEventHook 76149C65 6 Bytes JMP 5F520F5A
.text C:\Windows\system32\taskeng.exe[788] USER32.dll!GetAsyncKeyState 76149FE1 6 Bytes JMP 5F460F5A
.text C:\Windows\system32\taskeng.exe[788] USER32.dll!GetKeyState 7614C2BE 6 Bytes JMP 5F430F5A
.text C:\Windows\system32\taskeng.exe[788] USER32.dll!DdeConnect 76183887 6 Bytes JMP 5F490F5A
.text C:\Windows\system32\taskeng.exe[788] USER32.dll!EndTask 76184A3A 6 Bytes JMP 5F370F5A
.text C:\Windows\system32\taskeng.exe[788] SHELL32.dll!ShellExecuteEx 763E9D48 6 Bytes JMP 5F2E0F5A
.text C:\Windows\system32\taskeng.exe[788] SHELL32.dll!ShellExecuteW 763FCD3D 6 Bytes JMP 5F2B0F5A
.text C:\Windows\system32\taskeng.exe[788] SHELL32.dll!ShellExecuteExW 763FE654 6 Bytes JMP 5F310F5A
.text C:\Windows\system32\taskeng.exe[788] SHELL32.dll!ShellExecuteA 765DA3E8 6 Bytes JMP 5F280F5A
.text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtLoadDriver 7735FAA4 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtLoadDriver + 4 7735FAA8 2 Bytes [ 41, 5F ]
.text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtSuspendProcess 77360534 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtSuspendProcess + 4 77360538 2 Bytes [ 2F, 5F ]
.text C:\Windows\system32\svchost.exe[800] kernel32.dll!TerminateProcess 75BC18E0 6 Bytes JMP 5F0D0F5A
.text C:\Windows\system32\svchost.exe[800] kernel32.dll!WriteProcessMemory 75BC1C25 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\svchost.exe[800] kernel32.dll!CreateProcessW 75BC1D27 6 Bytes JMP 5F250F5A
.text C:\Windows\system32\svchost.exe[800] kernel32.dll!CreateProcessA 75BC1D5C 6 Bytes JMP 5F220F5A
.text C:\Windows\system32\svchost.exe[800] kernel32.dll!WinExec 75BC32DF 6 Bytes JMP 5F280F5A
.text C:\Windows\system32\svchost.exe[800] kernel32.dll!TerminateThread 75BE6280 6 Bytes JMP 5F310F5A
.text C:\Windows\system32\svchost.exe[800] kernel32.dll!LoadLibraryExW 75BE95AF 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\svchost.exe[800] kernel32.dll!LoadLibraryW 75BE9727 6 Bytes JMP 5F190F5A
.text C:\Windows\system32\svchost.exe[800] kernel32.dll!LoadLibraryA 75BE9A9E 6 Bytes JMP 5F160F5A
.text C:\Windows\system32\svchost.exe[800] kernel32.dll!CreateRemoteThread 75C03587 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\svchost.exe[800] kernel32.dll!CreateRemoteThread + 4 75C0358B 2 Bytes [ 05, 5F ]
.text C:\Windows\system32\svchost.exe[800] kernel32.dll!GetProcAddress 75C04120 6 Bytes JMP 5F130F5A
.text C:\Windows\system32\svchost.exe[800] kernel32.dll!DebugActiveProcess 75C48CC0 6 Bytes JMP 5F340F5A
.text C:\Windows\system32\svchost.exe[800] ADVAPI32.dll!LsaRemoveAccountRights 772A8889 6 Bytes JMP 5F0A0F5A
.text C:\Windows\system32\svchost.exe[800] ADVAPI32.dll!CreateServiceA 772C3C41 6 Bytes JMP 5F430F5A
.text C:\Windows\system32\svchost.exe[800] USER32.dll!SetWindowsHookExA 76138912 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\svchost.exe[800] USER32.dll!SetWindowsHookExW 76139135 6 Bytes JMP 5F1F0F5A
.text C:\Windows\system32\svchost.exe[800] USER32.dll!SetWinEventHook 76149C65 6 Bytes JMP 5F460F5A
.text C:\Windows\system32\svchost.exe[800] USER32.dll!GetAsyncKeyState 76149FE1 6 Bytes JMP 5F3A0F5A
.text C:\Windows\system32\svchost.exe[800] USER32.dll!GetKeyState 7614C2BE 6 Bytes JMP 5F370F5A
.text C:\Windows\system32\svchost.exe[800] USER32.dll!DdeConnect 76183887 6 Bytes JMP 5F3D0F5A
.text C:\Windows\system32\svchost.exe[800] USER32.dll!EndTask 76184A3A 6 Bytes JMP 5F2B0F5A
.text C:\Windows\system32\svchost.exe[856] ntdll.dll!NtLoadDriver 7735FAA4 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\svchost.exe[856] ntdll.dll!NtLoadDriver + 4 7735FAA8 2 Bytes [ 41, 5F ]
.text C:\Windows\system32\svchost.exe[856] ntdll.dll!NtSuspendProcess 77360534 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\svchost.exe[856] ntdll.dll!NtSuspendProcess + 4 77360538 2 Bytes [ 2F, 5F ]
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!TerminateProcess 75BC18E0 6 Bytes JMP 5F0D0F5A
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!WriteProcessMemory 75BC1C25 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateProcessW 75BC1D27 6 Bytes JMP 5F250F5A
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateProcessA 75BC1D5C 6 Bytes JMP 5F220F5A
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!WinExec 75BC32DF 6 Bytes JMP 5F280F5A
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!TerminateThread 75BE6280 6 Bytes JMP 5F310F5A
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryExW 75BE95AF 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryW 75BE9727 6 Bytes JMP 5F190F5A
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryA 75BE9A9E 6 Bytes JMP 5F160F5A
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateRemoteThread 75C03587 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateRemoteThread + 4 75C0358B 2 Bytes [ 05, 5F ]
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!GetProcAddress 75C04120 6 Bytes JMP 5F130F5A
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!DebugActiveProcess 75C48CC0 6 Bytes JMP 5F340F5A
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!LsaRemoveAccountRights 772A8889 6 Bytes JMP 5F0A0F5A
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!CreateServiceA 772C3C41 6 Bytes JMP 5F430F5A
.text C:\Windows\system32\svchost.exe[856] USER32.dll!SetWindowsHookExA 76138912 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\svchost.exe[856] USER32.dll!SetWindowsHookExW 76139135 6 Bytes JMP 5F1F0F5A
.text C:\Windows\system32\svchost.exe[856] USER32.dll!SetWinEventHook 76149C65 6 Bytes JMP 5F460F5A
.text C:\Windows\system32\svchost.exe[856] USER32.dll!GetAsyncKeyState 76149FE1 6 Bytes JMP 5F3A0F5A
.text C:\Windows\system32\svchost.exe[856] USER32.dll!GetKeyState 7614C2BE 6 Bytes JMP 5F370F5A
.text C:\Windows\system32\svchost.exe[856] USER32.dll!DdeConnect 76183887 6 Bytes JMP 5F3D0F5A
.text C:\Windows\system32\svchost.exe[856] USER32.dll!EndTask 76184A3A 6 Bytes JMP 5F2B0F5A
.text C:\Windows\System32\svchost.exe[908] ntdll.dll!NtLoadDriver 7735FAA4 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\System32\svchost.exe[908] ntdll.dll!NtLoadDriver + 4 7735FAA8 2 Bytes [ 4D, 5F ]
.text C:\Windows\System32\svchost.exe[908] ntdll.dll!NtSuspendProcess 77360534 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\System32\svchost.exe[908] ntdll.dll!NtSuspendProcess + 4 77360538 2 Bytes [ 3B, 5F ]
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!TerminateProcess 75BC18E0 6 Bytes JMP 5F0D0F5A
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!WriteProcessMemory 75BC1C25 6 Bytes JMP 5F100F5A
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!CreateProcessW 75BC1D27 6 Bytes JMP 5F250F5A
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!CreateProcessA 75BC1D5C 6 Bytes JMP 5F220F5A
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!WinExec 75BC32DF 6 Bytes JMP 5F340F5A
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!TerminateThread 75BE6280 6 Bytes JMP 5F3D0F5A
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!LoadLibraryExW 75BE95AF 6 Bytes JMP 5F070F5A
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!LoadLibraryW 75BE9727 6 Bytes JMP 5F190F5A
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!LoadLibraryA 75BE9A9E 6 Bytes JMP 5F160F5A
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!CreateRemoteThread 75C03587 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!CreateRemoteThread + 4 75C0358B 2 Bytes [ 05, 5F ]
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!GetProcAddress 75C04120 6 Bytes JMP 5F130F5A

Its much longer but its taking forever to copy and paste it all. any easier way to do this?

Is there any part of the log further down the bottom that says something like this?

<---- ROOTKIT !!!!

upload it to here for me:
sendspace.com

Last edited by Belahzur on 25th December 2008, 1:47 am; edited 1 time in total

.text C:\Windows\System32\svchost.exe[908] kernel32.dll!DebugActiveProcess 75C48CC0 6 Bytes JMP 5F400F5A
.text C:\Windows\System32\svchost.exe[908] ADVAPI32.dll!LsaRemoveAccountRights 772A8889 6 Bytes JMP 5F0A0F5A
.text C:\Windows\System32\svchost.exe[908] ADVAPI32.dll!CreateServiceA 772C3C41 6 Bytes JMP 5F4F0F5A
.text C:\Windows\System32\svchost.exe[908] USER32.dll!SetWindowsHookExA 76138912 6 Bytes JMP 5F1C0F5A
.text C:\Windows\System32\svchost.exe[908] USER32.dll!SetWindowsHookExW 76139135 6 Bytes JMP 5F1F0F5A
.text C:\Windows\System32\svchost.exe[908] USER32.dll!SetWinEventHook 76149C65 6 Bytes JMP 5F520F5A
.text C:\Windows\System32\svchost.exe[908] USER32.dll!GetAsyncKeyState 76149FE1 6 Bytes JMP 5F460F5A
.text C:\Windows\System32\svchost.exe[908] USER32.dll!GetKeyState 7614C2BE 6 Bytes JMP 5F430F5A
.text C:\Windows\System32\svchost.exe[908] USER32.dll!DdeConnect 76183887 6 Bytes JMP 5F490F5A
.text C:\Windows\System32\svchost.exe[908] USER32.dll!EndTask 76184A3A 6 Bytes JMP 5F370F5A
.text C:\Windows\System32\svchost.exe[908] SHELL32.dll!ShellExecuteEx 763E9D48 6 Bytes JMP 5F2E0F5A
.text C:\Windows\System32\svchost.exe[908] SHELL32.dll!ShellExecuteW 763FCD3D 6 Bytes JMP 5F2B0F5A
.text C:\Windows\System32\svchost.exe[908] SHELL32.dll!ShellExecuteExW 763FE654 6 Bytes JMP 5F310F5A
.text C:\Windows\System32\svchost.exe[908] SHELL32.dll!ShellExecuteA 765DA3E8 6 Bytes JMP 5F280F5A
.text C:\Windows\System32\svchost.exe[968] ntdll.dll!NtLoadDriver 7735FAA4 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\System32\svchost.exe[968] ntdll.dll!NtLoadDriver + 4 7735FAA8 2 Bytes [ 41, 5F ]
.text C:\Windows\System32\svchost.exe[968] ntdll.dll!NtSuspendProcess 77360534 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\System32\svchost.exe[968] ntdll.dll!NtSuspendProcess + 4 77360538 2 Bytes [ 2F, 5F ]
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!TerminateProcess 75BC18E0 6 Bytes JMP 5F0D0F5A
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!WriteProcessMemory 75BC1C25 6 Bytes JMP 5F100F5A
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!CreateProcessW 75BC1D27 6 Bytes JMP 5F250F5A
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!CreateProcessA 75BC1D5C 6 Bytes JMP 5F220F5A
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!WinExec 75BC32DF 6 Bytes JMP 5F280F5A
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!TerminateThread 75BE6280 6 Bytes JMP 5F310F5A
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!LoadLibraryExW 75BE95AF 6 Bytes JMP 5F070F5A
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!LoadLibraryW 75BE9727 6 Bytes JMP 5F190F5A
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!LoadLibraryA 75BE9A9E 6 Bytes JMP 5F160F5A
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!CreateRemoteThread 75C03587 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!CreateRemoteThread + 4 75C0358B 2 Bytes [ 05, 5F ]
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!GetProcAddress 75C04120 6 Bytes JMP 5F130F5A
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!DebugActiveProcess 75C48CC0 6 Bytes JMP 5F340F5A
.text C:\Windows\System32\svchost.exe[968] ADVAPI32.dll!LsaRemoveAccountRights 772A8889 6 Bytes JMP 5F0A0F5A
.text C:\Windows\System32\svchost.exe[968] ADVAPI32.dll!CreateServiceA 772C3C41 6 Bytes JMP 5F430F5A
.text C:\Windows\System32\svchost.exe[968] USER32.dll!SetWindowsHookExA 76138912 6 Bytes JMP 5F1C0F5A
.text C:\Windows\System32\svchost.exe[968] USER32.dll!SetWindowsHookExW 76139135 6 Bytes JMP 5F1F0F5A
.text C:\Windows\System32\svchost.exe[968] USER32.dll!SetWinEventHook 76149C65 6 Bytes JMP 5F460F5A
.text C:\Windows\System32\svchost.exe[968] USER32.dll!GetAsyncKeyState 76149FE1 6 Bytes JMP 5F3A0F5A
.text C:\Windows\System32\svchost.exe[968] USER32.dll!GetKeyState 7614C2BE 6 Bytes JMP 5F370F5A
.text C:\Windows\System32\svchost.exe[968] USER32.dll!DdeConnect 76183887 6 Bytes JMP 5F3D0F5A
.text C:\Windows\System32\svchost.exe[968] USER32.dll!EndTask 76184A3A 6 Bytes JMP 5F2B0F5A
.text C:\Windows\System32\svchost.exe[996] ntdll.dll!NtLoadDriver 7735FAA4 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\System32\svchost.exe[996] ntdll.dll!NtLoadDriver + 4 7735FAA8 2 Bytes [ 4D, 5F ]
.text C:\Windows\System32\svchost.exe[996] ntdll.dll!NtSuspendProcess 77360534 3 Bytes [ FF, 25, 1E ]
.text C:\Windows\System32\svchost.exe[996] ntdll.dll!NtSuspendProcess + 4 77360538 2 Bytes [ 3B, 5F ]
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!TerminateProcess 75BC18E0 6 Bytes JMP 5F0D0F5A
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!WriteProcessMemory 75BC1C25 6 Bytes JMP 5F100F5A
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateProcessW 75BC1D27 6 Bytes JMP 5F250F5A
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateProcessA 75BC1D5C 6 Bytes JMP 5F220F5A
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!WinExec 75BC32DF 6 Bytes JMP 5F340F5A
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!TerminateThread 75BE6280 6 Bytes JMP 5F3D0F5A
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryExW 75BE95AF 6 Bytes JMP 5F070F5A
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryW 75BE9727 6 Bytes JMP 5F190F5A

Nope, nothing that says rootkit

Now what? this doesnt make sense but somethings wrong with my computer

Could you upload the log to here:
www.sendspace.com

Lets see if this shows any rustock.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

This link takes you to the log:

http://www.sendspace.com/file/ppqtb6

it says access is denied and it wont let me use the program u posted

Question.

How did you know it's rustock? what scanner detected it and do you know where it found it?

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE.

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

5. Please copy/paste the content of c:\avenger.txt into your reply.

No scanner detected rustok, they dont detect anything anymore but i know i have something since the website says I do and i cant update anything. what do i put into the script info box?

I ran avenger without putting anything into the script box and it found no rootkits either. It feels like im never gonna get rid of this thing.

I honestly don't think it's a rustock rootkit.
The avenger would of detected the hidden driver.

If it's just the one porn site telling you, stay away from the site, and stay away from porn sites altogether, otherwise you WILL get infected.

I don't know why stuff won't update, maybe broken internet access.

Press Start > Run (Right click "Run", select "Run as administrator"
Type in cmd, then press enter.

At the DOS prompt execute the following commands, one by one.
Press the enter key after each entry.

regsvr32 urlmon.dll
regsvr32 Shdocvw.dll
regsvr32 Msjava.dll
regsvr32 Actxprxy.dll
regsvr32 Oleaut32.dll
regsvr32 Mshtml.dll
regsvr32 Browseui.dll
regsvr32 Shell32.dll

Type Exit press enter to return the operating mode.

Reboot normally.

Can you update stuff now.

I tried to run those files as you said and this is what I got:

regsvr32 urlmon.dll & regsvr32 Shell32.dll were the only ones that succeeded. The rest gave me error messages as follows:

1) regsvr32 Shdocvw.dll gave me an error message saying:

"The module Shdocvw.dll was loaded but the entry-point DllregisterServer was not found. Make sure that Shdocvw.dll is a valid DLL or OCX file and then try again"

2) regsvr32 Msjava.dll gave me an error message saying:

"The module Msjava.dll failed to load. Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files. The specified module could not be found."

3) regsvr32 Actxprxy.dll gave me an error message saying:

"The module Actxprxy.dll as loaded but the call to DllregisterServer failed with error code 0x80070005. For more information about this problem search online using the error code as a search term."

4) regsvr32 Oleaut32.dll, regsvr32 Mshtml.dll, and regsvr32 Browseui.dll all gave me the same error message as the one in #3.

Is this helpful? What next?

UAC problem again.

Click on Start, go to Programs -> Accessories, right click on Command Prompt and choose Run as administrator. You’ll be prompted to approve the action, and will then see a window that looks like this (notice the ‘Administrator:’ prefix!):



Now try the ones that didn't work again.

Now only these didnt work:

msjava.dll
mshtml.dll
browseui.dll

The others worked

Now what?

I'm not sure Vista has them files or not, I only know them instructions work for XP. I've only just noticed this.

You aren't running Anti Virus Software

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software (for personal use), from one these excellent vendors NOW:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial user.
3) AVG Anti-Virus Free Edition
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non commercial use.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

I have an antivirus on my computer but just got rid of all of them like 10 minutes ago because none of them can find the problem. I don't understand what your telling me. I have vista. so are you telling me you can't help me?

Now I just tried downloading antivir personal edition and I cant update the antivirus either.

It looks like nothing can remove this thing!!!!! I'm so freakin frustrated.

Hello.
I'm trying not to say that.
We've run rootkit scans and found nothing suspicious, nor does the CF log say anything.

It's not rustock causing this, but it's something.
I'm wondering if it's the UAC stopping updates.

What is the UAC?

It's a (very annoying) security feature in Vista.

so what do I do to check if thats the problem?

• Now open a new notepad file.
  
• Input this into the notepad file:
  

  
  Windows Registry Editor Version 5.00
  
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  "EnableLUA"=dword:00000000
  
  

  
  
• Save this as fix.reg, save it to your desktop.
  
• Double click fix.reg to run it.
  
• Select yes to the registry merge prompt.
  

Can you update your AV now?

I did what you said and it still won't work. So now we know it isnt the UAC. What do you recommend I do next? Nothing seems to get rid of this thing.

I would like to see the second opinion. Please navigate (using Internet Explorer, other browsers won't work) to the following site: http://support.f-secure.com/enu/home/ols.shtml

Scroll to the bottom of the page, and click Start Scan.

When prompted, choose to install the software. After the software has installed, click Accept. Click Custom Scan and check the option for Scan inside archives, then click Start. The necessary databases will then be downloaded, and the scan will then start automatically.

Please be patient as this scan will take a while to complete. If any infections are found then once the scan has finished, the "cleaning" screen will be displayed.

Choose Automatic cleaning (recommended).After cleaning has finished, then the Finish screen will be displayed.

Choose Show Report. In order to post the report, press CTRL+A on your keyboard to highlight all the text.

These are the results I got running the antivirus you told me:

Scanning Report
Sunday, December 28, 2008 20:29:41 - 20:47:57
Computer name: MICHAEL-PC
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 7 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Adbrite (spyware)
System
TrackingCookie.Advertising (spyware)
System
TrackingCookie.Atwola (spyware)
System
TrackingCookie.Revsci (spyware)
System
TrackingCookie.Statcounter (spyware)
System
TrackingCookie.Yieldmanager (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 14301
System: 2834
Not scanned: 18
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 7
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{304836D8-ABF3-44B7-8823-E21C1A6EDB4F}.BIN
C:\Avenger\backup.zip\avenger/avenger.txt

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2008-12-27
F-Secure Pegasus: 1.20.0, 2008-11-17
F-Secure AVP: 7.0.171, 2008-12-28
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Scan inside archives
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

I don't know what's causing it, but it's not a rustock rootkit.
I'll see what my colleagues say.

Thanks, please let me know as soon as possible. Could it be that its taken over the system registry and therefore cannot be detected?

Haha.
No, the bad guys aren't that smart just yet.

Have your colleagues been able to figure out how to solve my problem? Thanks.

Can you uninstall your AV and then re-install it? See if that works.

I tried that, didn't work. any other ideas?

it seems like im gonna have to throw away this computer if dell cant fix it because nothing seems to be able to get rid of this trojan.

I wouldn't say it's a trojan, we haven't found anything.
And throwing it isn't an option, it's not broken. A simpel format may fix things.

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.