spm/lx trojan


spm/lx trojan

Post by ronk on Tue Aug 18, 2009 2:15 am

This pos hijacked my daughter's PC. It says "The System is infected". Malwarebytes won't open, I can't start in safe mode, and System Restore won't open either. Any help would be greatly appreciated.

Thanks,
Ron

ronk
Novice
Posts: 39
Joined: 2009-08-18
OS: windows xp
Points: 26711
Likes: 0

Re: spm/lx trojan

Post by Belahzur on Tue Aug 18, 2009 2:57 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should see the user agreement; press Accept and HijackThis will run.
  • Select Do a system scan and save a log file. This will open a Notepad file of everything HijackThis found; copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245069
Likes: 1

Re: spm/lx trojan

Post by ronk on Tue Aug 18, 2009 4:37 pm

[You must be registered and logged in to see this link.] wrote: Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Sorry, I forgot to tell you I can't get on line with her PC, nothing will open.


Re: spm/lx trojan

Post by ronk on Tue Aug 18, 2009 7:25 pm

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\winupdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\dwwin.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
C:\Program Files\AdvancedVirusRemover\PAVRM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


Re: spm/lx trojan

Post by ronk on Tue Aug 18, 2009 7:33 pm

OK got it somehow. Please advise.

Thank You!


Re: spm/lx trojan

Post by Belahzur on Tue Aug 18, 2009 8:43 pm

Hello.
Did the log get cut off? It doesn't look like a full log.



Re: spm/lx trojan

Post by ronk on Tue Aug 18, 2009 9:26 pm

Yeah, it must have. Sorry about that. I'll re-post it.


Re: spm/lx trojan

Post by ronk on Tue Aug 18, 2009 10:09 pm

This is the 2nd scan. Probably not what you're looking for. Malwarebytes started up and removed everything, I'm pretty sure. Then I had a blue screen fiasco. I have some global root error now. I'll post it on another thread. I'm sure you can't wait!


Scan saved at 5:59:59 PM, on 8/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [F5D7050v3] C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKUS\S-1-5-21-1960408961-1563985344-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1960408961-1563985344-839522115-500\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-1960408961-1563985344-839522115-500\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.] (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A0C321EA-07EE-4DA3-96CB-6F6516FB4A43} (EnClickLoan Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {CBF95A06-D408-46E3-8077-37E5B098EB84} (EnClickLoanWF Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B0C678D-8456-48FB-AEAC-C9B708057456}: NameServer = 192.168.2.2
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7542 bytes

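The thread now holds two HijackThis logs: the first, truncated one taken while the rogue "virus remover" was still running, and the second taken after Malwarebytes had run. What a helper does with a pair like that is compare the "Running processes:" sections and read the O4 autorun lines. The Python below is an added example (not HijackThis's code and not anything posted by the helpers here): it parses those two parts of the log format and diffs the process lists of two scans. The two log excerpts are constructed from lines on this page and trimmed to a few entries each; the O4 line shape (`O4 - <key>: [<name>] <command>`) is assumed from the lines in the second log. Paths are compared case-insensitively because NTFS paths are.

```python
"""Parse HijackThis (HJT) logs and diff the running-process lists of two scans."""
from __future__ import annotations
import re
from collections import Counter

# Constructed excerpts of the two HJT logs posted in this thread, a few lines
# each (the real logs list many more processes and entries).
HJT_FIRST = r"""Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AdvancedVirusRemover\PAVRM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
"""

HJT_SECOND = r"""Scan saved at 5:59:59 PM, on 8/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1960408961-1563985344-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# Assumed line shape: "O4 - <key>: [<name>] <command>"; HKUS entries carry a trailing "(User '...')".
AUTORUN_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r" \(User '[^']*'\)$")


def parse_processes(log: str) -> list[str]:
    """Image paths listed under 'Running processes:' (the section ends at a blank line)."""
    paths, in_section = [], False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            paths.append(line.strip())
    return paths


def normalize(path: str) -> str:
    """NTFS paths are case-insensitive, so compare them lower-cased."""
    return path.strip().lower()


def process_counts(log: str) -> Counter:
    """How many instances of each image were running (several svchost.exe is normal)."""
    return Counter(normalize(p) for p in parse_processes(log))


def diff_processes(before: str, after: str) -> tuple[list[str], list[str]]:
    """(images only in the first scan, images only in the second scan), both sorted."""
    a, b = process_counts(before), process_counts(after)
    gone = sorted(p for p in a if p not in b)
    new = sorted(p for p in b if p not in a)
    return gone, new


def parse_autoruns(log: str) -> list[dict]:
    """O4 entries: which hive/key starts which command at logon."""
    entries = []
    for line in log.splitlines():
        m = AUTORUN_RE.match(line)
        if m:
            entries.append({
                "hive": m["key"].split("\\", 1)[0],
                "key": m["key"],
                "name": m["name"],
                "command": USER_SUFFIX_RE.sub("", m["cmd"]),
            })
    return entries


if __name__ == "__main__":
    gone, new = diff_processes(HJT_FIRST, HJT_SECOND)
    print("only in first scan:", *gone, sep="\n  ")
    print("only in second scan:", *new, sep="\n  ")
    for e in parse_autoruns(HJT_SECOND):
        print(f"{e['hive']:<4} {e['name']:<20} {e['command']}")
```

The diff only says what changed between the two scans; it does not say which of the vanished images were malicious, and a helper still checks each one (and each O4 command) individually. Keeping counts rather than a set matters for images that legitimately run several times, such as svchost.exe.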

Re: spm/lx trojan

Post by Belahzur on Wed Aug 19, 2009 12:14 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint Manager (remove only)
  • Viewpoint Media Player
  • Viewpoint Toolbar

How is the machine running now?



Re: spm/lx trojan

Post by ronk on Wed Aug 19, 2009 12:25 am

Viewpoint media player was the only one there. I removed it and I'm re-booting. I'll let you know and thanks again!!!!


Re: spm/lx trojan

Post by ronk on Wed Aug 19, 2009 12:36 am

Here's my new friend.

DLL globalroot\systemroot\system32\SKYNETupiawnnm.dll is not a valid window image. Please check against installation diskette.

Should I start another thread for this puppy? It's all related to the 1st problem though. Please let me know.

Thank you,
Ron


Re: spm/lx trojan

Post by Origin on Wed Aug 19, 2009 12:38 am

Nope, this one will do. You have a rootkit, let's kill it now:

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • Allow Combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click Combofix's window whilst it's running. That may cause it to stall.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31483
Likes: 0

Re: spm/lx trojan

Post by ronk on Wed Aug 19, 2009 1:09 am

Mac Security Center won't open. Over 10 mins now!! Please advise.


Re: spm/lx trojan

Post by ronk on Wed Aug 19, 2009 1:29 am

I tried running Combo-Fix without disabling Mac and it wouldn't open. I'll keep trying.


Re: spm/lx trojan

Post by ronk on Wed Aug 19, 2009 1:50 am

OK, Mac finally disabled and Combo won't open/run. Not my day.


Re: spm/lx trojan

Post by Metalmusk on Wed Aug 19, 2009 1:55 am

Hi Ronk, you are saying that Combo is not running. Please let the admin know what happens when you try Combo. Does it flash and go off? Or is it showing some error? Or anything?

If we say it in detail, it would be useful for the admin to guide us fast.

Metalmusk
Novice
Posts: 43
Joined: 2009-06-21
OS: XP
Points: 27910
Likes: 0

Re: spm/lx trojan

Post by ronk on Wed Aug 19, 2009 2:15 am

It's not doing anything. I followed the instructions and it just won't start. I had a problem disabling McAfee but finally did it after over 1/2 hr. That wouldn't open either.


Re: spm/lx trojan

Post by ronk on Wed Aug 19, 2009 3:10 am

Oh well, tomorrow's another day.


Re: spm/lx trojan

Post by Belahzur on Wed Aug 19, 2009 7:39 pm

The rootkit is possibly blocking it.

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.

Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it, since some malware blocks GMER.



Re: spm/lx trojan

Post by ronk on Fri Aug 21, 2009 5:49 pm

GMER will not open. I tried re-naming it and the pc will not boot in safe mode. Any other options?


Re: spm/lx trojan

Post by Origin on Fri Aug 21, 2009 5:53 pm

Please download [You must be registered and logged in to see this link.]

  • Next run the file. *Note: If running Vista, right click and select Run as administrator.
  • Once opened, navigate to the Log tab, select all the areas, including the "Hidden objects only" box, and click on the Create Log button.
  • A scan will start and then a window will pop up with two options; select Scan all drives.
  • Once finished, it will give you the location where it was saved; navigate to that place (usually the desktop), open the log, and post all of its contents back here.



Re: spm/lx trojan

Post by ronk on Fri Aug 21, 2009 10:18 pm

GMER opened after a couple of hours while I was trying to run SysProt. I'll post the scan when it's done. Thanks again!


Re: spm/lx trojan

Post by ronk on Fri Aug 21, 2009 10:43 pm

The scan is too big. How do I post it?


Re: spm/lx trojan

Post by Origin on Sat Aug 22, 2009 5:11 pm

Please split the log into two posts or more if required.



Re: spm/lx trojan

Post by ronk on Sun Aug 23, 2009 2:01 pm

GMER 1.0.15.15077 [nj6mjfk4.exe] - [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-21 18:27:23
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 82F894A0 ZwDeviceIoControlFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEFB949AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEFB94A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEFB94958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEFB9496C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEFB94A55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEFB94A81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEFB94AF4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEFB94AD9]
Code 82B5D098 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEFB949EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEFB94B1E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEFB94A2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEFB94930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEFB94944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEFB949BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEFB94B5A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEFB94AC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEFB94AAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEFB94A6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEFB94B46]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEFB94B32]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEFB94996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEFB94982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEFB94A97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEFB94A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEFB94B08]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEFB94A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEFB949D4]
Code 82DF09D6 IofCallDriver
Code 82DBEB26 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 82DF09DB
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 82DBEB2B
.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EFB949D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP EFB94A31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP EFB94AB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP EFB949AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP EFB94986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP EFB94A45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP EFB94B5E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP EFB94AF8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP EFB94934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP EFB949C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP EFB94A9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP EFB94A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP EFB949EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 82B5D09C
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP EFB94970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP EFB94A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP EFB94948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP EFB94B22 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP EFB94ADD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP EFB94A85 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP EFB94A59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EFB9495C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD17 5 Bytes JMP EFB9499A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064D9DA 7 Bytes JMP EFB94B0C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E300 7 Bytes JMP EFB94AC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E77C 7 Bytes JMP EFB94A6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064EC71 5 Bytes JMP EFB94B36 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F0DC 5 Bytes JMP EFB94B4A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)


Re: spm/lx trojan

Post by ronk on Sun Aug 23, 2009 2:03 pm

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F68
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0F79
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F94
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0051
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FAF
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F3C
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F4D
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C00B0
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F17
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C00CB
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0040
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0078
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FCA
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C001B
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C009F
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0036
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0084
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0025
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B000A
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0073
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B0062
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0051
.text C:\WINDOWS\system32\svchost.exe[592] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00410067
.text C:\WINDOWS\system32\svchost.exe[592] msvcrt.dll!system 77C293C7 5 Bytes JMP 00410FD2
.text C:\WINDOWS\system32\svchost.exe[592] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00410FE3
.text C:\WINDOWS\system32\svchost.exe[592] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0041000C
.text C:\WINDOWS\system32\svchost.exe[592] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00410038
.text C:\WINDOWS\system32\svchost.exe[592] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0041001D
.text C:\WINDOWS\system32\svchost.exe[592] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00910FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[644] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[644] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F83
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F3A
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F55
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700BF
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700AE
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070F0B
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F72
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0007009D
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FC0
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060051
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FDB
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F94
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060040
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FAF
.text C:\WINDOWS\system32\services.exe[908] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FA4
.text C:\WINDOWS\system32\services.exe[908] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FB5
.text C:\WINDOWS\system32\services.exe[908] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FD7
.text C:\WINDOWS\system32\services.exe[908] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[908] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FC6
.text C:\WINDOWS\system32\services.exe[908] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050011
.text C:\WINDOWS\system32\services.exe[908] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00ED0FE5
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00ED0093
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00ED0082
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00ED005B
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00ED0F9E
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00ED0FC3
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00ED0F83
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00ED00C9
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00ED0F57
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00ED00FA
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!GetProcAddress

Re: spm/lx trojan

Post by ronk on Sun Aug 23, 2009 2:04 pm

.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00ED0040
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00ED0FD4
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00ED00B8
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00ED002F
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00ED0014
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00ED0F72
.text C:\WINDOWS\system32\lsass.exe[928] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EC001B
.text C:\WINDOWS\system32\lsass.exe[928] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EC0069
.text C:\WINDOWS\system32\lsass.exe[928] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EC0FD4
.text C:\WINDOWS\system32\lsass.exe[928] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EC0FE5
.text C:\WINDOWS\system32\lsass.exe[928] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EC0058
.text C:\WINDOWS\system32\lsass.exe[928] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EC0000
.text C:\WINDOWS\system32\lsass.exe[928] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EC0047
.text C:\WINDOWS\system32\lsass.exe[928] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EC0036
.text C:\WINDOWS\system32\lsass.exe[928] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EB0027
.text C:\WINDOWS\system32\lsass.exe[928] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EB0F9C
.text C:\WINDOWS\system32\lsass.exe[928] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EB0016
.text C:\WINDOWS\system32\lsass.exe[928] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\lsass.exe[928] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EB0FC1
.text C:\WINDOWS\system32\lsass.exe[928] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EB0FD2
.text C:\WINDOWS\system32\lsass.exe[928] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70000
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E0000
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006E0F4B
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006E0F5C
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006E0F79
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006E0F8A
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006E0FB6
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006E0093
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006E0082
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006E00D0
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006E00BF
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006E0F1C
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006E0F9B
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E0011
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006E0065
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006E0022
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006E0FDB
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006E00AE
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006D0F9E
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006D0025
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006D0FE5
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006D0FAF
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006D0000
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006D0051
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006D0036
.text C:\WINDOWS\System32\svchost.exe[1104] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006C0058
.text C:\WINDOWS\System32\svchost.exe[1104] msvcrt.dll!system 77C293C7 5 Bytes JMP 006C0FCD
.text C:\WINDOWS\System32\svchost.exe[1104] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006C0022
.text C:\WINDOWS\System32\svchost.exe[1104] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\System32\svchost.exe[1104] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006C003D
.text C:\WINDOWS\System32\svchost.exe[1104] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006C0FDE
.text C:\WINDOWS\System32\svchost.exe[1104] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006B0FE5
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AB0000
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AB0082
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AB0F8D
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AB0FA8
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AB005B
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AB002F
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AB00C1
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AB00A4
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AB0F43
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AB00D2
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AB00F7
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AB0040
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AB0FEF
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AB0093
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AB0FC3
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AB0FDE
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AB0F54
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AA0FE5
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AA0F9E
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AA0036
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AA001B
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AA0FAF
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AA000A
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AA005B
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AA0FD4
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A9006C
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A90047
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A90011
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A90036
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A90FE3
.text C:\WINDOWS\system32\svchost.exe[1132] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateFileA

Re: spm/lx trojan

Post by ronk on Sun Aug 23, 2009 2:05 pm

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C60F9E
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C60089
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60078
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C60FB9
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C6004A
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C60F41
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C60F5C
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C600B8
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C60F1F
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C60F04
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C6005B
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C60011
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C60F83
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C60F30
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C50FC3
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C50039
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C50014
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C50FDE
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C50F7C
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C50F97
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E5, 88] {IN EAX, 0x88}
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C50FB2
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C4002C
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C40011
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C40FAB
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C40FC6
.text C:\WINDOWS\system32\svchost.exe[1176] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C30000
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03520000
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03520084
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03520069
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03520058
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03520F9B
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03520FB6
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03520F43
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03520095
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 035200BA
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03520F17
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03520F06
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0352003D
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03520011
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03520F74
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03520FD1
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0352002C
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03520F32
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03510040
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03510F9E
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03510025
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0351000A
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03510FB9
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03510FEF
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03510FCA
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [71, 8B] {JNO 0xffffffffffffff8d}
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03510051
.text C:\WINDOWS\System32\svchost.exe[1216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03300FB2
.text C:\WINDOWS\System32\svchost.exe[1216] msvcrt.dll!system 77C293C7 5 Bytes JMP 03300047
.text C:\WINDOWS\System32\svchost.exe[1216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03300FD7
.text C:\WINDOWS\System32\svchost.exe[1216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03300000
.text C:\WINDOWS\System32\svchost.exe[1216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0330002C
.text C:\WINDOWS\System32\svchost.exe[1216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03300011
.text C:\WINDOWS\System32\svchost.exe[1216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 032E0FEF
.text C:\WINDOWS\System32\svchost.exe[1216] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 0324000A
.text C:\WINDOWS\System32\svchost.exe[1216] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 03240FEF
.text C:\WINDOWS\System32\svchost.exe[1216] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 03240FDE
.text C:\WINDOWS\System32\svchost.exe[1216] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 03240FCD
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00790F3A
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00790F55
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExW 7C801AF5 3 Bytes JMP 00790F66
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExW + 4 7C801AF9 1 Byte [83]
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00790F83
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00790FA8
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00790EF8
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00790F09
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0079005B
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00790EC2
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00790076
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0079002F
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00790FD4
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00790040
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0079001E
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeA

Re: spm/lx trojan

Post by ronk on Sun Aug 23, 2009 2:06 pm

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00790EDD
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00780FD4
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00780058
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00780025
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00780FE5
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00780FA5
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00780047
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00780036
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00770053
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!system 77C293C7 5 Bytes JMP 00770FC8
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0077001D
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00770FE3
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00770038
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0077000C
.text C:\WINDOWS\system32\svchost.exe[1308] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B20098
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B20087
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B20FB9
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B20076
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B20051
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B20F5A
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B20F6B
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B20F13
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B20F24
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B200C7
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B20FCA
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B2001B
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B20F88
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B20FE5
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B20036
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B20F49
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B10FC3
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B10080
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B10014
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B10FD4
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B10065
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B10FE5
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B10054
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B10039
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B00F8D
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B00018
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B00FCD
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_open

Re: spm/lx trojan

Post by ronk on Sun Aug 23, 2009 2:07 pm

.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B00FA8
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B00FDE
.text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AF0FE5
.text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F70
.text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F8B
.text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0FB9
.text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA005B

ronk
Novice

Posts : 39
Joined : 2009-08-18
OS : windows xp
Points : 26711
# Likes : 0


Re: spm/lx trojan

Post by ronk on Sun Aug 23, 2009 2:28 pm


Re: spm/lx trojan

Post by ronk on Sun Aug 23, 2009 2:29 pm


Re: spm/lx trojan

Post by ronk on Sun Aug 23, 2009 2:31 pm

---- User IAT/EAT - GMER 1.0.15 ----


Re: spm/lx trojan

Post by ronk on Sun Aug 23, 2009 2:32 pm

IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] [77DD7305] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] [7C8099C0] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] [7C864F55] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] [7C865C7F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] [7C8104CC] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] [7C802213] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] [7C809B12] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] [7C810E27] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7C801A28] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] [7C86250D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] [7C802446] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] [7C80C0F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] [7C80934A] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] [7C812DF6] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] [7C812B7E] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] [7C80AC61] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] [7C81CB3B] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] [7C809B84] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] [7C809AF1] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] [7C80FCCF] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] [7C80E9DF] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] [7C8106D7] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7C80ACAF] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] [7C831EDD] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] [7C85AD4C] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] [7C90FF2D] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] [7C80236B] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] [7C834D71] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] [7C814B92] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] [7C8024B7] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] [7C80AA6C] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] [7C80DE9E] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] [7C810800] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] [7C801D7B] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] [7E41A8AD] C:\WINDOWS\system32\USER32.dll (Windows XP USER API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] [7E41A610] C:\WINDOWS\system32\USER32.dll (Windows XP USER API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] [7E41A9B6] C:\WINDOWS\system32\USER32.dll (Windows XP USER API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] [3D9BA776] C:\WINDOWS\system32\WININET.dll (Internet Extensions for Win32/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] [3D94D508] C:\WINDOWS\system32\WININET.dll (Internet Extensions for Win32/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] [3D949088] C:\WINDOWS\system32\WININET.dll (Internet Extensions for Win32/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] [3D94DEAE] C:\WINDOWS\system32\WININET.dll (Internet Extensions for Win32/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] [3D95D688] C:\WINDOWS\system32\WININET.dll (Internet Extensions for Win32/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] [3D954928] C:\WINDOWS\system32\WININET.dll (Internet Extensions for Win32/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] [3D9408A7] C:\WINDOWS\system32\WININET.dll (Internet Extensions for Win32/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] [3D94654B] C:\WINDOWS\system32\WININET.dll (Internet Extensions for Win32/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] [3D9BA87E] C:\WINDOWS\system32\WININET.dll (Internet Extensions for Win32/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] [71AB4C27] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] [71AB6A55] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] [71AB3D10] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] [71AB2E53] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] [71AB4A07] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] [71AB4211] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] [71AB676F] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] [71AB2EE1] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] [71AB5355] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] [76D6A2AA] C:\WINDOWS\System32\iphlpapi.dll (IP Helper API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] [76D6A252] C:\WINDOWS\System32\iphlpapi.dll (IP Helper API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] [76D6CE49] C:\WINDOWS\System32\iphlpapi.dll (IP Helper API/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[3988] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82F84AD0

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Mup \Dfs 82F84AD0

AttachedDevice \Driver\Tcpip \Device\Ip 82F87740

Device \FileSystem\RAW \Device\RawTape 82F84AD0
Device \Driver\MPFP \Device\MPFP 82F87740

AttachedDevice \Driver\Tcpip \Device\Tcp 82F87740

Device \FileSystem\Mup \Device\Mup 82F84AD0

AttachedDevice \Driver\Tcpip \Device\Udp 82F87740
AttachedDevice \Driver\Tcpip \Device\RawIp 82F87740

Device \FileSystem\RAW \Device\RawDisk 82F84AD0
Device \FileSystem\RAW \Device\RawCdRom 82F84AD0
Device \FileSystem\Mup \Device\WinDfs\Root 82F84AD0
Device \FileSystem\Fastfat \Fat EE615D20

AttachedDevice \FileSystem\Fastfat \Fat 82F84AD0
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:2476] EE6491F0
Thread explorer.exe [3088:3108] 00B90000

---- EOF - GMER 1.0.15 ----

ronk
Novice
Novice

Posts Posts : 39
Joined Joined : 2009-08-18
OS OS : windows xp
Points Points : 26711
# Likes # Likes : 0
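
The GMER output above prints one line per import-table slot it considers hooked: the process and PID, the module whose import table holds the slot, the DLL and function the import names, the address now in the slot, and the module GMER resolved that address into. The useful reading is to compare the DLL the import names with the module it actually resolves into. A kernel32 slot pointing into tbdiag.dll or xpshims.dll is an application-level hook that the descriptions in the log themselves identify, a kernel32 slot pointing into ntdll can be an ordinary export forwarder, but an ntdll slot pointing into USER32.dll or WININET.dll, or a slot that reads 00000000, has no benign explanation of that kind and is where a closer look starts. The script below is an added example for this thread, not part of ronk's post and not GMER's own code. It parses lines in the exact format shown above, classifies each slot, and lists the ones worth following up. SAMPLE_LOG is a handful of lines copied from the log above plus one non-IAT line; the LOW_LEVEL rule (ntdll and kernel32 imports should only ever resolve into ntdll or kernel32) is this example's own heuristic, not a GMER rule.

```python
"""Triage of GMER 'IAT' hook lines (added example; not GMER's code).

Each IAT line has the layout
  IAT <process>[<pid>] @ <module owning the slot> [<import DLL>!<function>] [<hex addr>] <resolved module> (<description>)
or, for an empty slot,
  IAT <process>[<pid>] @ <module owning the slot> [<import DLL>!<function>] 00000000
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<owner>.+?)\s+"
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+"
    r"(?:\[(?P<addr>[0-9A-Fa-f]{8})\]\s+(?P<target>.+?)(?:\s+\((?P<desc>[^)]*)\))?"
    r"|(?P<zero>0{8}))\s*$"
)

# Lines copied from the thread's GMER log (constructed sample; last line is from another section).
SAMPLE_LOG = r"""
IAT C:\Program Files\AIM6\aim6.exe[3528] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] [77DD7ABB] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] [7C90FF2D] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] [7E41A8AD] C:\WINDOWS\system32\USER32.dll (Windows XP USER API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3576] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] [3D94D508] C:\WINDOWS\system32\WININET.dll (Internet Extensions for Win32/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[3988] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
"""

# Heuristic of this example: imports from these two modules resolve only into
# these two modules on a clean system (kernel32 forwards some exports to ntdll;
# ntdll never forwards into user32, wininet or a third-party DLL).
LOW_LEVEL = {"ntdll", "kernel32"}


class IatSlot(NamedTuple):
    process: str
    pid: int
    owner: str                  # module whose import table holds this slot
    import_dll: str             # DLL the import names, e.g. ntdll.dll
    func: str
    addr: Optional[int]         # None for a 00000000 slot
    target: Optional[str]       # module GMER resolved the address into
    desc: Optional[str]


def _modname(path: str) -> str:
    """Lower-cased file name without extension: 'C:\\WINDOWS\\system32\\ntdll.dll' -> 'ntdll'."""
    return path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]


def parse_iat(text: str) -> List[IatSlot]:
    """Parse every IAT line; lines from other GMER sections are skipped."""
    slots = []
    for line in text.splitlines():
        m = IAT_RE.match(line.strip())
        if not m:
            continue
        slots.append(IatSlot(
            process=m["proc"], pid=int(m["pid"]), owner=m["owner"],
            import_dll=m["dll"], func=m["func"],
            addr=None if m["zero"] else int(m["addr"], 16),
            target=m["target"], desc=m["desc"]))
    return slots


def classify(s: IatSlot) -> str:
    if s.addr is None or s.addr == 0:
        return "null-slot"          # nothing resolved: unresolved import or a zeroed slot
    if _modname(s.target) == _modname(s.import_dll):
        return "ok"                 # resolves into the module the import names
    return "redirected"             # hook, compatibility shim, or export forwarder


def summarize(slots: List[IatSlot]) -> Dict[str, Dict[str, Counter]]:
    """Per process: slot counts by class, and (import DLL -> resolved module) pairs for redirected slots."""
    report: Dict[str, Dict[str, Counter]] = {}
    for s in slots:
        r = report.setdefault(f"{s.process}[{s.pid}]",
                              {"counts": Counter(), "redirects": Counter()})
        kind = classify(s)
        r["counts"][kind] += 1
        if kind == "redirected":
            r["redirects"][(_modname(s.import_dll), _modname(s.target))] += 1
    return report


def leads(slots: List[IatSlot]) -> List[IatSlot]:
    """Slots to follow up: null slots, and ntdll/kernel32 imports resolving anywhere else."""
    out = []
    for s in slots:
        kind = classify(s)
        if kind == "null-slot":
            out.append(s)
        elif (kind == "redirected" and _modname(s.import_dll) in LOW_LEVEL
              and _modname(s.target) not in LOW_LEVEL):
            out.append(s)
    return out


if __name__ == "__main__":
    parsed = parse_iat(SAMPLE_LOG)
    for proc, r in summarize(parsed).items():
        print(proc, dict(r["counts"]))
        for (src, dst), n in sorted(r["redirects"].items()):
            print(f"    {src} import -> {dst}  x{n}")
    for s in leads(parsed):
        print("lead:", f"{s.process}[{s.pid}]", f"{s.import_dll}!{s.func}", "->", s.target or "00000000")
```

Run against the full log, the summary groups svchost.exe[3576]'s ntdll slots that land in USER32, WININET, WS2_32 and iphlpapi separately from the AIM6 and iexplore slots whose descriptions name the hooking component; the first group is what to hand to a rootkit scanner or submit for analysis, the second is explained by the log itself.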

Re: spm/lx trojan

Post by Origin on Tue Aug 25, 2009 4:08 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt just yet.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31483
# Likes # Likes : 0

Re: spm/lx trojan

Post by ronk on Wed Aug 26, 2009 6:43 pm

This will download but won't run. We'll keep trying.

Re: spm/lx trojan

Post by ronk on Fri Sep 11, 2009 11:45 pm

PC is still down, thanks for all your help. I'll keep trying because I can't afford a new one.

Re: spm/lx trojan

Post by Origin on Sat Sep 12, 2009 5:17 am

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll
    cngaudit.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: spm/lx trojan

Post by ronk on Sat Sep 12, 2009 7:04 pm

Got it but it won't scan. Incredible!

Re: spm/lx trojan

Post by ronk on Sat Sep 12, 2009 7:27 pm

Tried to run this on my laptop and it wouldn't run. Anything else?

Re: spm/lx trojan

Post by ronk on Fri Sep 18, 2009 7:25 pm

Back online and SystemLook will not run. Any other suggestions other than throwing it out the window? ComboFix won't run either.

Re: spm/lx trojan

Post by ronk on Fri Sep 18, 2009 8:04 pm

Here's another HijackThis log, hope it helps.

Scan saved at 3:44:03 PM, on 9/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\cmd.execf
C:\WINDOWS\system32\cmd.execf
C:\WINDOWS\system32\cmd.execf
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\System32\runonce.exe
C:\WINDOWS\system32\grpconv.exe
C:\32788R22FWJFW\swreg.exe
C:\32788R22FWJFW\swreg.exe
C:\32788R22FWJFW\swreg.exe

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKUS\S-1-5-21-1960408961-1563985344-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1960408961-1563985344-839522115-500\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.] (User '?')
O4 - Global Startup: McAfee Security Scan.lnk = ?
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSN Toolbar Setup (mstbsvc) - Unknown owner - C:\Program Files\MSN\Toolbar\3.0.1125.0\mstbsvc.exe (file missing)

--
End of file - 6264 bytes

Re: spm/lx trojan

Post by ronk on Sat Sep 19, 2009 12:24 pm

Finally got rid of the rootkit virus with Sophos Anti-Rootkit. Spyware Doctor detected it but they wanted $30, which I can't afford. Thank you very much for your help.

Re: spm/lx trojan

Post by Belahzur on Sat Sep 19, 2009 6:10 pm

Hello.
I want to check something.

Submit a file for analysis.

  1. Please visit this website: [You must be registered and logged in to see this link.]
  2. Press the "Browse" button and locate the following file in bold:
    C:\WINDOWS\system32\svchost.exe
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

Re: spm/lx trojan

Post by ronk on Sun Sep 20, 2009 12:59 pm

you want this after the fact?

Re: spm/lx trojan

Post by Belahzur on Sun Sep 20, 2009 9:24 pm

Hello.
It's just a check I want; there are a lot of svchost.exe processes running in the process list. Usually it is normal for maybe 5 or 6 to be running, max 10. But your amount causes me to wonder.

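The HijackThis log posted above lists well over sixty svchost.exe entries, three entries named cmd.execf, an O23 service whose binary is missing, and an O10 Winsock LSP entry HijackThis does not recognise. The script below is an added example for this thread, not code from the forum or from HijackThis: it splits a HijackThis log into the "Running processes" list and the O-entries, then applies the checks a reviewer would make by hand. The 10-instance threshold is the rule of thumb from the post above and is only a prompt to look further. HJT_SAMPLE is constructed from lines of the log above with the svchost repetition shortened to twelve.

```python
"""Triage of a HijackThis log (added example; not HijackThis code)."""
import re
from collections import Counter
from typing import List, Tuple

SYSTEM32 = r"c:\windows\system32"
MAX_SVCHOST = 10   # the thread's rule of thumb for XP: 5-6 normal, about 10 at most

# Constructed from lines in the thread's log; twelve svchost.exe entries stand in for the real count.
HJT_SAMPLE = r"""Scan saved at 3:44:03 PM, on 9/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
""" + "C:\\WINDOWS\\System32\\svchost.exe\n" * 11 + r"""C:\WINDOWS\system32\cmd.execf
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: MSN Toolbar Setup (mstbsvc) - Unknown owner - C:\Program Files\MSN\Toolbar\3.0.1125.0\mstbsvc.exe (file missing)
"""


def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (running process paths, [(O-code, rest of line), ...])."""
    procs, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                 # a blank line ends the process list
                in_procs = False
            else:
                procs.append(line)
            continue
        m = re.match(r"^(O\d+)\s+-\s+(.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return procs, entries


def triage(text: str, max_svchost: int = MAX_SVCHOST) -> Tuple[Counter, List[str]]:
    """Count images and return the findings a reviewer would flag."""
    procs, entries = parse_hjt(text)
    by_image = Counter(p.rsplit("\\", 1)[-1].lower() for p in procs)
    findings: List[str] = []

    n = by_image["svchost.exe"]
    if n > max_svchost:
        findings.append(f"{n} svchost.exe instances running (rule of thumb: 5-6 normal, ~{max_svchost} max)")

    for p in procs:
        folder, _, name = p.lower().rpartition("\\")
        if name == "svchost.exe" and folder != SYSTEM32:
            findings.append(f"svchost.exe outside System32: {p}")      # look-alike in another folder
        if not name.endswith(".exe"):
            findings.append(f"image name is not an .exe: {p}")         # e.g. the log's cmd.execf entries

    for code, body in entries:
        if code == "O23" and "(file missing)" in body:
            findings.append(f"service registered for a missing binary: {body}")
        if code == "O10":
            # HijackThis prints this for any LSP DLL not on its whitelist. nwprovau.dll is the
            # NetWare provider shipped with Windows, so an O10 is something to verify, not delete.
            findings.append(f"Winsock LSP to verify: {body}")
    return by_image, findings


if __name__ == "__main__":
    counts, found = triage(HJT_SAMPLE)
    print(counts.most_common(3))
    for f in found:
        print("-", f)
```

Two follow-ups belong with this check. On XP Professional, `tasklist /svc` maps each svchost.exe PID to the services it hosts, which is how to tell a legitimate service group from an instance hosting nothing recognisable. And a clean multi-engine result for svchost.exe itself, like the one posted later in the thread, says nothing about the service DLLs that binary loads: each hosted service names its DLL in HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters\ServiceDll, and that DLL is the thing to scan.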

Re: spm/lx trojan

Post by ronk on Wed Sep 23, 2009 5:13 pm

This is what came up along with all the names of programs that scanned it. Nothing found on all of them and no log either. I tried it twice. Am I doing something wrong?


Filename: svchost.exe
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Wed 23 Sep 2009 19:07:15 (CET)

Re: spm/lx trojan

Post by ronk on Wed Sep 23, 2009 5:15 pm

Here's the rest.

2009-09-23 Found nothing 2009-09-23 Found nothing
2009-09-23 Found nothing 2009-09-23 Found nothing
2009-09-21 Found nothing 2009-09-23 Found nothing
2009-09-23 Found nothing 2009-09-23 Found nothing
2009-09-23 Found nothing 2009-09-23 Found nothing
2009-09-23 Found nothing 2009-09-22 Found nothing
2009-09-23 Found nothing 2009-09-23 Found nothing
2009-09-23 Found nothing 2009-09-23 Found nothing
2009-09-23 Found nothing 2009-09-22 Found nothing
2009-09-23 Found nothing 2009-09-23 Found nothing
2009-09-23 Found nothing