I think my computer is infected (Resolved)

almac01 Victoria, Australia
edited July 2009 in Spyware & Virus Removal
Hi,
I am running Vista Ultimate and recently I have been getting some "strange" behaviour.
I am having trouble installing some programs like Skype. This loads but ends with an error saying that some files are missing.
I have tried checking with adaware and cleaning cookies.
My internet time seems to be running up too.
Can someone help, please???


Comments

  • edited July 2009
    Please note that all instructions given are customised for this computer only;
    the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.


    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Failure to reply within 5 days will result in the topic being closed.
    5. Please continue to respond until I give you the "All Clear"
      (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those few things, everything should go smoothly.

    Some of the logs I request will be quite large; you may need to split them over a couple of replies.

    Please note: your security programs may give warnings for some of the tools I will ask you to use.
    Be assured that any links I give are safe.




    Download and Run RSIT
    • Please download Random's System Information Tool by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open:
      • log.txt will be opened maximized.
      • info.txt will be opened minimized.
    • Please post the contents of both log.txt and info.txt.


    Please Download GMER to your desktop

    Download GMER and extract it to your desktop.

    ***Please close any open programs ***

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
    • Click Yes.
    • Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

    If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab and make sure the 'Show All' button is unticked.
    • Click the Scan button and let the program do its work. GMER will produce a log.
    • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.


    DO NOT touch the PC at ALL for whatever reason(s) until it has 100% completed its scan, or attempted scan in case of some error etc.!

    Please post the results from the GMER scan in your reply.
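    A GMER log like the one requested above is read line by line; as an added example (not part of this thread and not GMER's own code), here is a small Python triage script for that log format. It groups SSDT hooks by the driver that installed them, collects per-process inline hooks, lists files GMER could not open, and checks whether a function is hooked identically in every process, which is the first thing to look at before treating hooks as malicious, since a single system-wide hooking component (such as a security product) patches every process the same way. The embedded log excerpt is constructed to mirror the format of the log posted in this thread; it is not the full log.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the GMER log posted in this thread
# (same line shapes; not the full log).
SAMPLE_LOG = r"""
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-05 13:12:41
Windows 6.0.6002 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateFile [0x9D4F5640]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwLoadDriver [0x9D4F5A3A]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwTerminateProcess [0x9D4F5E90]

---- Kernel code sections - GMER 1.0.15 ----

? C:\Windows\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Windows Defender\MSASCui.exe[504] ntdll.dll!NtLoadDriver 76EE4A64 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ntdll.dll!NtLoadDriver + 4 76EE4A68 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!CreateProcessW 76AE1BF3 6 Bytes JMP 5F220F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!WriteProcessMemory 76AE1CB8 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\wininit.exe[848] kernel32.dll!CreateProcessW 76AE1BF3 6 Bytes JMP 5F220F5A
.text C:\Windows\system32\wininit.exe[848] kernel32.dll!WriteProcessMemory 76AE1CB8 6 Bytes JMP 5F1A0F5A
.text C:\Windows\system32\wininit.exe[848] WS2_32.dll!socket 76FF36D1 6 Bytes JMP 5FCD0F5A
"""

# "SSDT <hooking driver> <service> [0x<handler address>]"
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")
# ".text <process path>[<pid>] <dll>!<func>[ + <offset>] <addr> <n> Bytes <patch>"
USER_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<dll>[\w.]+)!(?P<func>\w+)(?P<off>\s\+\s[0-9A-Fa-f]+)?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+(?P<patch>.+)$"
)
# "? <path> The system cannot find the file specified. !"
MISSING_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+The system cannot find the file specified")


def parse_gmer(text):
    """Parse GMER log text into three views:
    ssdt_by_module: hooking driver -> list of hooked Zw* services
    user_hooks:     'process[pid]' -> {'dll!func': patch description}
    missing_files:  paths GMER reported it could not open"""
    report = {"ssdt_by_module": defaultdict(list),
              "user_hooks": defaultdict(dict),
              "missing_files": []}
    for raw in text.splitlines():
        line = raw.strip()          # forum paste indents every line
        if not line:
            continue
        m = SSDT_RE.match(line)
        if m:
            report["ssdt_by_module"][m["module"]].append(m["func"])
            continue
        m = USER_RE.match(line)
        if m:
            proc = f"{m['proc']}[{m['pid']}]"
            hook = f"{m['dll']}!{m['func']}{m['off'] or ''}"
            report["user_hooks"][proc][hook] = m["patch"]
            continue
        m = MISSING_RE.match(line)
        if m:
            report["missing_files"].append(m["path"])
    return report


def hook_consistency(report):
    """For each dll!func hooked in more than one process, True if every process
    carries the same patch (same JMP target / same bytes), False otherwise.
    Uniform hooks point to one system-wide hooking component; a hook that
    differs in a single process is the one to inspect more closely."""
    by_func = defaultdict(dict)
    for proc, hooks in report["user_hooks"].items():
        for func, patch in hooks.items():
            by_func[func][proc] = patch
    return {func: len(set(per_proc.values())) == 1
            for func, per_proc in by_func.items() if len(per_proc) > 1}


def summarize(report):
    """Human-readable triage lines for a parsed report."""
    lines = []
    for module, funcs in report["ssdt_by_module"].items():
        lines.append(f"SSDT: {len(funcs)} services hooked by {module}")
    for proc, hooks in report["user_hooks"].items():
        lines.append(f"{proc}: {len(hooks)} inline hooks")
    for hook, uniform in hook_consistency(report).items():
        state = "identical in every process" if uniform else "DIFFERS between processes"
        lines.append(f"{hook}: {state}")
    for path in report["missing_files"]:
        lines.append(f"could not open: {path}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_gmer(SAMPLE_LOG))))
```

    Run it against a saved gmer.txt by passing the file's contents to parse_gmer; the summary is a starting point for the analyst, not a verdict, because (as the instructions above note) these scans produce false positives.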
  • almac01 Victoria, Australia
    edited July 2009
    Part 2a
    This has run to over 900,000 characters, so this will be a lot of files.
    Get back to me if this is not the right way.


    GMER 1.0.15.14972 - http://www.gmer.net
    Rootkit scan 2009-07-05 13:12:41
    Windows 6.0.6002 Service Pack 2


  • almac01almac01 Victoria, Australia
    edited July 2009
    Part 2b
  • almac01almac01 Victoria, Australia
    edited July 2009
    Hi Katana
  • almac01almac01 Victoria, Australia
    edited July 2009
    Hi Katana,
    OOPS!!
    I just found the button to attach files so I will try this.
  • edited July 2009
    There doesn't appear to be any infection present, but let's get a couple more logs to make sure....


    Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If requested, please reboot
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply
    • Re-enable all the programs that were disabled during the running of ComboFix.



    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper
    For instructions on how to disable your security programs, please see this topic
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • almac01almac01 Victoria, Australia
    edited July 2009
    Katana wrote:
    There doesn't appear to be any infection present, but let's get a couple more logs to make sure....


    Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If requested, please reboot
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply
    • Re-enable all the programs that were disabled during the running of ComboFix.



    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper

    Hi Katana,

    Thanks again for your reply.
    I have run the two programs as suggested.
    Attached are the files.
  • edited July 2009
    Step 1

    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      RegLock::
      [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
      RegNull::
      ADS::
      
    • Save this as CFScript.txt and place it on your desktop.


      CFScriptb.gif


    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper





    Step 2

    Kaspersky Online Scanner .
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
    NOTE:- This scan is best done from IE (Internet Explorer)

    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

    Read the Requirements and limitations before you click Accept.
    Once the database has downloaded, click My Computer in the left pane
    Now go and put the kettle on !
    When the scan has completed, click Save Report As...
    Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    Some of the logs I request will be quite large, You may need to split them over a couple of replies.
    • Combofix Log
    • Kaspersky Log
    • How are things running now ?
  • almac01almac01 Victoria, Australia
    edited July 2009
    Hi Katana,
    Things seem to be running a lot better now.
    Latest scans attached.
    Thanks
    Alan
  • edited July 2009
    Congratulations your logs look clean :)

    Let's see if I can help you keep it that way

    First lets tidy up

    Please delete RSIT.exe and C:\RSIT (entire folder)
    You can also delete any logs we have produced, and empty your Recycle bin.


    Uninstall Combofix
    • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
    • Click START, type RUN into the search box, then click Enter
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
      • CF_Cleanup.png





    Please download OTCleanup from HERE
    Click the OTC.exe icon and then click the CleanUp button.
    If you get any pop ups asking if it is OK let the program proceed. At the end the program will ask to let it reboot the computer. Let it do so.
    Let me know if there were any problems with OT CleanIt



    The following is some info to help you stay safe and clean.


    You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
    ( Vista users must ensure that any programs are Vista compatible BEFORE installing )

    Online Scanners
    I would recommend a scan at one or more of the following sites at least once a month.

    http://www.pandasecurity.com/activescan
    http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

    !!! Make sure that all your programs are updated !!!
    Secunia Software Inspector does all the work for you, .... see HERE for details

    AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
    • Spybot - Search & Destroy <<< A must have program
      • It includes host protection and registry protection
      • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
    • MalwareBytes Anti-malware <<< A New and effective program
    • a-squared Free <<< A good "realtime" or "on demand" scanner
    • superantispyware <<< A good "realtime" or "on demand" scanner



    Prevention
      These programs don't detect malware, they help stop it getting on your machine in the first place. Each does a different job, so you can have more than one
    • Winpatrol
      • An excellent startup manager and then some !!
      • Notifies you if programs are added to startup
      • Allows delayed startup
      • A must have addition
    • SpywareBlaster 4.0
      • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    • SpywareGuard 2.2
      • SpywareGuard provides real-time protection against spyware.
      • Not required if you have other "realtime" antispyware or Winpatrol
    • ZonedOut
      • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
    • MVPS HOSTS
      • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
      • For information on how to download and install, please read this tutorial by WinHelp2002.
      • Not required if you are using other host file protections


    Internet Browsers
      Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice it will always be under attack from the bad guys. Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available



    Cleaning Temporary Internet Files and Tracking Cookies
      Temporary Internet Files are mainly the files that are downloaded when you open a web page. Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware. It is a good idea to empty the Temporary Internet Files folder on a regular basis.

      Tracking Cookies are files that websites use to monitor which sites you visit and how often. A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.

      CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords.

      Both of these can be cleaned manually, but a quicker option is to use a program:
    • ATF Cleaner
      • Free and very simple to use
    • CCleaner
      • Free and very flexible, you can chose which cookies to keep


    Also PLEASE read this article.....So How Did I Get Infected In The First Place

    The last and most important thing I can tell you is UPDATE.
    If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
    Malware changes on a day to day basis. You should update every week at the very least.

    If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


    If you could post back one more time to let me know everything is OK, then I can have this thread archived.

    Happy surfing K'
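The hosts-file advice above (Spybot's host protection, MVPS HOSTS) works by mapping unwanted names to a sink address such as 0.0.0.0 or 127.0.0.1 before DNS is ever consulted; the same file is also a classic hijack point, since malware can point a real site at an attacker's address. The following is an added example, not code from the thread or from any of the tools it names: a small parser for the hosts-file format that reports which names a given file blocks and flags entries that redirect a name to a non-loopback address. The sample file contents are constructed for illustration; on Vista the real file lives at C:\Windows\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample hosts file (not the real MVPS list, not from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# MVPS-style blocking entries
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org  www.tracker.example.org   # banner counters
127.0.0.1 malware-dropper.example.com
# A hijacker-style entry: a real site pointed at an arbitrary address
93.184.216.34 www.bank.example
"""

# Addresses a blocking hosts file uses as a sink; a name mapped here goes nowhere.
BLOCK_SINKS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text.

    Handles '#' comments (whole-line and trailing), blank lines, several
    names on one line, and malformed addresses. The first mapping for a
    name wins, which is the order the resolver applies the file in.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; ignore the line rather than guess
        for name in parts[1:]:
            mapping.setdefault(name.lower(), str(ip))
    return mapping


def lookup(mapping, hostname):
    """Address the hosts file would hand back for hostname, or None."""
    return mapping.get(hostname.lower())


def is_blocked(mapping, hostname):
    """True if the hosts file sinks this name (MVPS-style blocking)."""
    return lookup(mapping, hostname) in BLOCK_SINKS


def suspicious_entries(mapping):
    """Names mapped to a routable address: the pattern a hijacker leaves behind."""
    return {
        name: ip
        for name, ip in mapping.items()
        if ip not in BLOCK_SINKS and not ipaddress.ip_address(ip).is_loopback
    }


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.net", "www.tracker.example.org", "www.bank.example"):
        print(f"{name:28} blocked={is_blocked(hosts, name)} -> {lookup(hosts, name)}")
    print("suspicious:", suspicious_entries(hosts))
```

Run it against the real file by reading it into `parse_hosts`; anything `suspicious_entries` reports deserves a look, because a blocking list only ever adds sink addresses, never a public one.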
  • almac01almac01 Victoria, Australia
    edited July 2009
    Hello again Katana,

    I ran the programs and did as you asked.
    OTCleanup did its job and restarted without problems.
    I will print your suggestions and work out what to do.

    Thank you once again.
    I really appreciate your time and efforts
    Alan