File details
Filename: File.exe
File size: 38400 bytes
MD5: 53edbc3ba4a2c57b18583c353d109d26
SHA1: 9cd04527e774903ec75ba2ed560b1348cdb61830
PEiD: -
File File.exe received on 03.22.2008 23:18:10
Antivirus Version Last Update Result
AhnLab-V3 2008.3.22.1 2008.03.21 -
AntiVir 7.6.0.75 2008.03.22 -
Authentium 4.93.8 2008.03.22 -
Avast 4.7.1098.0 2008.03.22 -
AVG 7.5.0.516 2008.03.22 -
BitDefender 7.2 2008.03.22 Trojan.Kobcka.DI
CAT-QuickHeal 9.50 2008.03.21 -
ClamAV 0.92.1 2008.03.22 -
DrWeb 4.44.0.09170 2008.03.22 Trojan.DownLoader.49586
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5633 2008.03.21 -
Ewido 4.0 2008.03.22 -
F-Prot 4.4.2.54 2008.03.22 -
F-Secure 6.70.13260.0 2008.03.21 -
FileAdvisor 1 2008.03.22 -
Fortinet 3.14.0.0 2008.03.22 -
Ikarus T3.1.1.20 2008.03.22 -
Kaspersky 7.0.0.125 2008.03.22 Email-Worm.Win32.Agent.ec
McAfee 5257 2008.03.21 -
Microsoft 1.3301 2008.03.22 TrojanDropper:Win32/Cutwail.Y
NOD32v2 2967 2008.03.21 -
Norman 5.80.02 2008.03.20 -
Panda 9.0.0.4 2008.03.22 -
Prevx1 V2 2008.03.22 -
Rising 20.36.42.00 2008.03.21 -
Sophos 4.27.0 2008.03.22 Troj/Pushdo-Gen
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.22 Trojan.Pandex
TheHacker 6.2.92.252 2008.03.22 -
VBA32 3.12.6.3 2008.03.21 -
VirusBuster 4.3.26:9 2008.03.22 Trojan.DR.Pandex.Gen.4
Webwasher-Gateway 6.6.2 2008.03.22 -
Filename: Fki63.sys
File size: 26496 bytes
MD5: 66bb3940159574a1504bab7c0e850c2b
SHA1: ebb3e37d47bc0a84d1d045e69a829b01045880c3
PEiD: -
File Fki63.sys received on 03.24.2008 01:33:24
Antivirus Version Last Update Result
AhnLab-V3 2008.3.22.1 2008.03.21 Win-Trojan/Agent.21632.B
AntiVir 7.6.0.75 2008.03.23 TR/Dldr.Agent.lxa.6
Authentium 4.93.8 2008.03.22 -
Avast 4.7.1098.0 2008.03.23 -
AVG 7.5.0.516 2008.03.23 Downloader.Agent.ADRG
BitDefender 7.2 2008.03.24 -
CAT-QuickHeal 9.50 2008.03.21 -
ClamAV 0.92.1 2008.03.24 -
DrWeb 4.44.0.09170 2008.03.23 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5633 2008.03.21 -
Ewido 4.0 2008.03.23 -
F-Prot 4.4.2.54 2008.03.23 -
F-Secure 6.70.13260.0 2008.03.23 Trojan-Downloader.Win32.Agent.lxa
FileAdvisor 1 2008.03.24 -
Fortinet 3.14.0.0 2008.03.23 -
Ikarus T3.1.1.20 2008.03.24 Trojan-Downloader.Win32.Agent.lxa
Kaspersky 7.0.0.125 2008.03.24 Trojan-Downloader.Win32.Agent.lxa
McAfee 5257 2008.03.21 -
Microsoft 1.3301 2008.03.24 TrojanDropper:Win32/Cutwail.Y
NOD32v2 2967 2008.03.21 probably a variant of Win32/Wigon.BA
Norman 5.80.02 2008.03.20 -
Panda 9.0.0.4 2008.03.23 -
Prevx1 V2 2008.03.24 -
Rising 20.36.62.00 2008.03.23 -
Sophos 4.27.0 2008.03.23 Mal/Generic-A
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.23 Trojan.Pandex
TheHacker 6.2.92.252 2008.03.22 -
VBA32 3.12.6.3 2008.03.21 -
VirusBuster 4.3.26:9 2008.03.23 -
Webwasher-Gateway 6.6.2 2008.03.23 Trojan.Dldr.Agent.lxa.6
Filename: WLCtrl32.dll
File size: 11776 bytes
MD5: e844168bcaff9bbe55ce7dfdbcfbd551
SHA1: 6873e246c0edf9dcd40f77c6832bd697017c1ce7
PEiD: -
File WLCtrl32.dll received on 03.24.2008 06:07:10 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.3.22.1 2008.03.24 -
AntiVir 7.6.0.75 2008.03.23 TR/Dldr.Agent.luo.19
Authentium 4.93.8 2008.03.22 -
Avast 4.7.1098.0 2008.03.23 -
AVG 7.5.0.516 2008.03.23 Downloader.Agent.ADQQ
BitDefender 7.2 2008.03.24 Trojan.Dropper.Cutwail.B
CAT-QuickHeal 9.50 2008.03.21 -
ClamAV 0.92.1 2008.03.24 -
DrWeb 4.44.0.09170 2008.03.23 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5633 2008.03.21 -
Ewido 4.0 2008.03.23 -
F-Prot 4.4.2.54 2008.03.23 -
F-Secure 6.70.13260.0 2008.03.23 Trojan-Downloader.Win32.Agent.luo
FileAdvisor 1 2008.03.24 -
Fortinet 3.14.0.0 2008.03.24 W32/Agent.LUO!tr.dldr
Ikarus T3.1.1.20 2008.03.24 Trojan-Downloader.Win32.Agent.luo
Kaspersky 7.0.0.125 2008.03.24 Trojan-Downloader.Win32.Agent.luo
McAfee 5257 2008.03.21 -
Microsoft 1.3301 2008.03.24 TrojanDropper:Win32/Cutwail.Y
NOD32v2 2968 2008.03.24 -
Norman 5.80.02 2008.03.20 -
Panda 9.0.0.4 2008.03.23 -
Prevx1 V2 2008.03.24 TROJAN.PANDEX.B
Rising 20.36.62.00 2008.03.23 -
Sophos 4.27.0 2008.03.23 Mal/Generic-A
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.24 Trojan.Pandex
TheHacker 6.2.92.252 2008.03.22 -
VBA32 3.12.6.3 2008.03.21 -
VirusBuster 4.3.26:9 2008.03.23 Trojan.DR.Pandex.Gen.4
Webwasher-Gateway 6.6.2 2008.03.23 Trojan.Dldr.Agent.luo.19
Visible signs
Logfile of Trend Micro HijackThis v2.0.2
....
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
Technical details
Registry changes.
- Adds a service with a random name: 3 letters and 2 numbers.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FKI63
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FKI63 "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FKI63\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FKI63\0000 "Class"
Type: REG_SZ
Data: LegacyDriver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FKI63\0000 "ClassGUID"
Type: REG_SZ
Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FKI63\0000 "ConfigFlags"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FKI63\0000 "DeviceDesc"
Type: REG_SZ
Data: Fki63
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FKI63\0000 "Legacy"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FKI63\0000 "Service"
Type: REG_SZ
Data: Fki63
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FKI63\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FKI63\0000\Control "*NewlyCreated*"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FKI63\0000\Control "ActiveService"
Type: REG_SZ
Data: Fki63
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63 "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63 "Group"
Type: REG_SZ
Data: SCSI Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63 "ImagePath"
Type: REG_SZ
Data: System32\Drivers\Fki63.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63 "Start"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63 "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_FKI63\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63\Security
- Adds a key under the Winlogon Notify packages so that winlogon loads the DLL.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32 "Asynchronous"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32 "DLLName"
Type: REG_SZ
Data: WLCtrl32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32 "Impersonate"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32 "StartShell"
Type: REG_SZ
Data: WLEventStartShell
- Loads in Safe Mode.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fki63.sys "(Default)"
Type: REG_SZ
Data: Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fki63.sys "(Default)"
Type: REG_SZ
Data: Driver
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%system%\WLCtrl32.dll
%system%\drivers\Fki63.sys
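To triage a dump like the one above, here is an added Python example (not from the original writeup) that parses this key / Type: / Data: layout and flags the three persistence mechanisms the writeup lists: the Winlogon Notify package, the SafeBoot entries, and the boot-start kernel driver whose service name follows the 3-letters-plus-2-digits pattern. The dump embedded in the script is a constructed excerpt of the page's keys plus a benign control entry (the Beep service); the finding labels and all Python names are my own.

```python
import re

# Constructed excerpt in the same layout as the registry dump above: a key
# line, optionally ending in a quoted value name, followed by Type:/Data: lines.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63 "Group"
Type: REG_SZ
Data: SCSI Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63 "ImagePath"
Type: REG_SZ
Data: System32\Drivers\Fki63.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63 "Start"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fki63 "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32 "DLLName"
Type: REG_SZ
Data: WLCtrl32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32 "StartShell"
Type: REG_SZ
Data: WLEventStartShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fki63.sys "(Default)"
Type: REG_SZ
Data: Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep "Start"
Type: REG_DWORD
Data: 01, 00, 00, 00
"""

# Key line: a path, then an optional quoted value name.
KEY_RE = re.compile(r'^(HKEY_[^"]+?)(?:\s+"([^"]*)")?\s*$')
# Root key of a service or driver (no further subkey such as \Enum).
SERVICE_RE = re.compile(r"\\CurrentControlSet\\Services\\([^\\]+)$", re.IGNORECASE)
# The writeup's "3 letters and 2 numbers" naming pattern.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{3}\d{2}$")


def decode(rtype, data):
    """REG_DWORD data is dumped as little-endian bytes ('01, 00, 00, 00' -> 1)."""
    if rtype == "REG_DWORD":
        return int.from_bytes(bytes(int(b, 16) for b in data.split(",")), "little")
    return data


def parse_dump(text):
    """Return {key_path: {value_name: (type, decoded_data)}}; bare key lines map to {}."""
    reg = {}
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        m = KEY_RE.match(lines[i])
        i += 1
        if not m:
            continue
        key, name = m.group(1).rstrip(), m.group(2)
        values = reg.setdefault(key, {})
        if (name is not None and i + 1 < len(lines)
                and lines[i].startswith("Type: ") and lines[i + 1].startswith("Data: ")):
            rtype, data = lines[i][6:], lines[i + 1][6:]
            values[name] = (rtype, decode(rtype, data))
            i += 2
    return reg


def find_persistence(reg):
    """Flag the persistence mechanisms described in the writeup (labels are my own)."""
    findings = []
    for key, values in reg.items():
        low = key.lower()
        if "\\winlogon\\notify\\" in low and "DLLName" in values:
            # Winlogon loads this DLL into winlogon.exe (SYSTEM) at every boot.
            findings.append(("winlogon_notify", key.rsplit("\\", 1)[1], values["DLLName"][1]))
        elif "\\control\\safeboot\\" in low:
            # Listed under SafeBoot\Minimal or \Network: also loaded in Safe Mode.
            findings.append(("safeboot", key.rsplit("\\", 1)[1]))
        m = SERVICE_RE.search(key)
        if m:
            name = m.group(1)
            start = values.get("Start", (None, None))[1]
            stype = values.get("Type", (None, None))[1]
            if start == 0 and stype == 1:
                # Start=0 (boot start) plus Type=1 (kernel driver): loaded by the OS
                # loader before most of the system, ahead of the file-system drivers.
                findings.append(("boot_start_driver", name, values.get("ImagePath", (None, ""))[1]))
            if RANDOM_NAME_RE.match(name):
                findings.append(("random_service_name", name))
    return findings


if __name__ == "__main__":
    for finding in find_persistence(parse_dump(SAMPLE_DUMP)):
        print(finding)
```

Run against the page's dump, the benign Beep service produces nothing, while Fki63 is reported twice (boot-start kernel driver and the random-name pattern) and WLCtrl32 once; the SafeBoot entry is reported on its own so that a Safe Mode clean-up attempt is not mistaken for a fix.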
Rootkit Scan before reboot
GMER 1.0.14.14181 - http://www.gmer.net
Rootkit scan 2008-03-24 00:20:08
Windows 5.1.2600 Service Pack 2
---- Kernel code sections - GMER 1.0.14 ----
? C:\WINDOWS\System32\drivers\Fki63.sys Access is denied.
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs Fki63.sys
Device \FileSystem\Mup \Dfs Fki63.sys
Device \FileSystem\NetBIOS \Device\Netbios Fki63.sys
Device \FileSystem\MRxVPC \Device\MicrosoftVMFolderSharing Fki63.sys
Device \FileSystem\RAW \Device\RawTape Fki63.sys
Device \FileSystem\MRxDAV \Device\WebDavRedirector Fki63.sys
Device \FileSystem\Rdbss \Device\FsWrap Fki63.sys
Device \FileSystem\Srv \Device\LanmanServer Fki63.sys
Device \FileSystem\Mup \Device\Mup Fki63.sys
Device \FileSystem\RAW \Device\RawDisk Fki63.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver Fki63.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector Fki63.sys
Device \FileSystem\Npfs \Device\NamedPipe Fki63.sys
Device \FileSystem\Msfs \Device\Mailslot Fki63.sys
Device \FileSystem\RAW \Device\RawCdRom Fki63.sys
Device \FileSystem\Mup \Device\WinDfs\Root Fki63.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer Fki63.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer Fki63.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer Fki63.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer Fki63.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer Fki63.sys
Device \FileSystem\Cdfs \Cdfs Fki63.sys
---- EOF - GMER 1.0.14 ----
Notes
After a reboot, we clearly see WLCtrl32.dll loaded under the winlogon process.
Winlogon then requests Internet access over TCP/IP.
If an updated version is available, it is downloaded from the Internet and installed.
The winlogon process launches an instance of svchost.exe in which several memory pages are created. As seen below, this svchost process is not created under services.exe, and several mutexes are also present.
Once "patched", svchost.exe exchanges encrypted traffic with 216.195.61.61.
Several DNS queries are made in the meantime, and svchost starts its payload: sending out spam.
Below is an excerpt of the router's log blocking the spam.
Although the driver is visible in Windows Explorer, the file cannot be deleted or moved.
Mon, 2008-03-24 00:29:38 - TCP Packet - Source:192.xxx.xxx.xxx,1058 Destination:194.67.23.20,25 - SMTP rule match
Mon, 2008-03-24 00:30:08 - TCP Packet - Source:192.xxx.xxx.xxx,1060 Destination:209.85.135.27,25 - SMTP rule match
Mon, 2008-03-24 00:30:43 - TCP Packet - Source:192.xxx.xxx.xxx,1061 Destination:64.233.183.27,25 - SMTP rule match
Mon, 2008-03-24 00:31:16 - TCP Packet - Source:192.xxx.xxx.xxx,1062 Destination:66.111.4.74,25 - SMTP rule match
Mon, 2008-03-24 00:34:00 - TCP Packet - Source:192.xxx.xxx.xxx,1069 Destination:194.67.23.20,25 - SMTP rule match
Mon, 2008-03-24 00:34:27 - TCP Packet - Source:192.xxx.xxx.xxx,1070 Destination:72.14.221.27,25 - SMTP rule match
Mon, 2008-03-24 00:34:53 - TCP Packet - Source:192.xxx.xxx.xxx,1071 Destination:64.233.183.27,25 - SMTP rule match
Mon, 2008-03-24 00:40:04 - TCP Packet - Source:192.xxx.xxx.xxx,1089 Destination:194.67.23.20,25 - SMTP rule match
Mon, 2008-03-24 00:40:25 - TCP Packet - Source:192.xxx.xxx.xxx,1090 Destination:72.14.221.27,25 - SMTP rule match
Mon, 2008-03-24 00:40:46 - TCP Packet - Source:192.xxx.xxx.xxx,1091 Destination:64.233.183.27,25 - SMTP rule match
Mon, 2008-03-24 00:41:07 - TCP Packet - Source:192.xxx.xxx.xxx,1092 Destination:66.111.4.73,25 - SMTP rule match
Mon, 2008-03-24 00:41:28 - TCP Packet - Source:192.xxx.xxx.xxx,1093 Destination:216.157.145.27,25 - SMTP rule match
Mon, 2008-03-24 00:44:00 - TCP Packet - Source:192.xxx.xxx.xxx,1099 Destination:194.67.23.20,25 - SMTP rule match
Mon, 2008-03-24 00:44:21 - TCP Packet - Source:192.xxx.xxx.xxx,1100 Destination:72.14.221.114,25 - SMTP rule match
Mon, 2008-03-24 00:44:42 - TCP Packet - Source:192.xxx.xxx.xxx,1101 Destination:64.233.183.27,25 - SMTP rule match
Mon, 2008-03-24 00:45:03 - TCP Packet - Source:192.xxx.xxx.xxx,1102 Destination:66.111.4.72,25 - SMTP rule match
Mon, 2008-03-24 00:45:24 - TCP Packet - Source:192.xxx.xxx.xxx,1103 Destination:216.157.145.27,25 - SMTP rule match
Mon, 2008-03-24 00:47:55 - TCP Packet - Source:192.xxx.xxx.xxx,1109 Destination:194.67.23.20,25 - SMTP rule match
Mon, 2008-03-24 00:48:16 - TCP Packet - Source:192.xxx.xxx.xxx,1110 Destination:72.14.221.114,25 - SMTP rule match
Mon, 2008-03-24 00:48:37 - TCP Packet - Source:192.xxx.xxx.xxx,1111 Destination:64.233.183.27,25 - SMTP rule match
Mon, 2008-03-24 00:48:58 - TCP Packet - Source:192.xxx.xxx.xxx,1112 Destination:66.111.4.70,25 - SMTP rule match
Mon, 2008-03-24 00:49:19 - TCP Packet - Source:192.xxx.xxx.xxx,1113 Destination:216.157.145.27,25 - SMTP rule match
Mon, 2008-03-24 00:51:50 - TCP Packet - Source:192.xxx.xxx.xxx,1119 Destination:194.67.23.20,25 - SMTP rule match
Mon, 2008-03-24 00:52:11 - TCP Packet - Source:192.xxx.xxx.xxx,1120 Destination:209.85.135.114,25 - SMTP rule match
Mon, 2008-03-24 00:52:32 - TCP Packet - Source:192.xxx.xxx.xxx,1121 Destination:64.233.183.27,25 - SMTP rule match
Mon, 2008-03-24 00:52:53 - TCP Packet - Source:192.xxx.xxx.xxx,1122 Destination:66.111.4.74,25 - SMTP rule match
Mon, 2008-03-24 00:53:14 - TCP Packet - Source:192.xxx.xxx.xxx,1123 Destination:216.157.145.27,25 - SMTP rule match
Mon, 2008-03-24 00:55:44 - TCP Packet - Source:192.xxx.xxx.xxx,1129 Destination:194.67.23.20,25 - SMTP rule match
Mon, 2008-03-24 00:56:05 - TCP Packet - Source:192.xxx.xxx.xxx,1130 Destination:209.85.135.114,25 - SMTP rule match
Mon, 2008-03-24 00:56:27 - TCP Packet - Source:192.xxx.xxx.xxx,1131 Destination:64.233.183.27,25 - SMTP rule match
Mon, 2008-03-24 00:56:47 - TCP Packet - Source:192.xxx.xxx.xxx,1132 Destination:66.111.4.74,25 - SMTP rule match
Mon, 2008-03-24 00:57:08 - TCP Packet - Source:192.xxx.xxx.xxx,1133 Destination:216.157.145.27,25 - SMTP rule match
Mon, 2008-03-24 00:59:39 - TCP Packet - Source:192.xxx.xxx.xxx,1139 Destination:194.67.23.20,25 - SMTP rule match
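As an added example (not part of the original analysis), the following Python script parses router lines in the format shown above and raises one alert per internal host that reaches three or more distinct port-25 destinations within five minutes, which is the pattern visible in the excerpt: a workstation that is not a mail relay fanning out to several providers' MX hosts. The log embedded in the script is constructed: a few of the page's lines with the masked source rewritten to 192.168.1.10, plus a benign non-SMTP line, a second host with a single hit, and a malformed line to show that both are ignored. The thresholds and the `mail_servers` allow-list are assumptions to tune per site.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts src sport dst dport note")

# Constructed sample in the router's line layout as shown on this page.
SAMPLE_LOG = """\
Mon, 2008-03-24 00:29:38 - TCP Packet - Source:192.168.1.10,1058 Destination:194.67.23.20,25 - SMTP rule match
Mon, 2008-03-24 00:29:50 - TCP Packet - Source:192.168.1.10,1059 Destination:10.0.0.5,80 - HTTP allowed
Mon, 2008-03-24 00:30:08 - TCP Packet - Source:192.168.1.10,1060 Destination:209.85.135.27,25 - SMTP rule match
Mon, 2008-03-24 00:30:43 - TCP Packet - Source:192.168.1.10,1061 Destination:64.233.183.27,25 - SMTP rule match
Mon, 2008-03-24 00:31:16 - TCP Packet - Source:192.168.1.10,1062 Destination:66.111.4.74,25 - SMTP rule match
Mon, 2008-03-24 00:31:40 - TCP Packet - Source:192.168.1.25,2001 Destination:194.67.23.20,25 - SMTP rule match
this line is not in the router's format and is skipped
"""

LINE_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<proto>\w+) Packet - "
    r"Source:(?P<src>[\w.]+),(?P<sport>\d+) Destination:(?P<dst>[\w.]+),(?P<dport>\d+) - (?P<note>.*)$"
)


def parse_line(line):
    """One router line -> Event, or None when the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"],
                 int(m["sport"]), m["dst"], int(m["dport"]), m["note"])


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def detect_spam_bursts(events, window=timedelta(minutes=5), min_targets=3,
                       mail_servers=frozenset()):
    """Alert (src, first_seen, last_seen, destinations) when a host that is not an
    allow-listed mail server contacts >= min_targets distinct SMTP peers inside window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.dport == 25 and e.src not in mail_servers:
            by_src[e.src].append(e)
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for i, e in enumerate(evs):
            while e.ts - evs[start].ts > window:   # slide the window forward
                start += 1
            dests = {x.dst for x in evs[start:i + 1]}
            if len(dests) >= min_targets:
                alerts.append((src, evs[start].ts, e.ts, sorted(dests)))
                break                              # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spam_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

The allow-list matters in practice: a legitimate mail gateway shows exactly this fan-out, so the rule should key on hosts that have no business speaking SMTP directly, which is also the reasoning behind the router's outbound port-25 block in the log above.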
New Rootkit Scan
GMER 1.0.14.14181 - http://www.gmer.net
Rootkit scan 2008-03-24 00:53:02
Windows 5.1.2600 Service Pack 2
---- Kernel code sections - GMER 1.0.14 ----
? Fki63.sys Access is denied. !
---- User code sections - GMER 1.0.14 ----
? C:\WINDOWS\System32\svchost.exe[1156] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: DNSAPI.dllunknown module: gdiplus.dll
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] [77DD6BF0] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] [77DD7883] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] [77DD761B] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] [77DDEBE7] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 00000000
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] [76F36BFB] C:\WINDOWS\System32\DNSAPI.dll (DNS Client API DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] [76F34FA2] C:\WINDOWS\System32\DNSAPI.dll (DNS Client API DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] [76F25B6B] C:\WINDOWS\System32\DNSAPI.dll (DNS Client API DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] 00000000
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] [77F1D73B] C:\WINDOWS\system32\GDI32.dll (GDI Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 00000000
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] [7C809CAD] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] [7C80FF2D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] [7C80FE2F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] [7C826B99] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] [7C810DA6] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] [7C810F9F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] [7C802367] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] [7C809AA2] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] [7C812C8D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7C8114AB] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] [7C80CCA9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] [7C802442] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] [7C81CACB] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] [7C838403] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] [7C809737] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] [7C809B77] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] [7C81082F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] [7C80EB3F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] [7C80EC1B] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] [7C81EE79] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] [7C809A39] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] [7C809EB3] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] [7C80B929] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7C8092AC] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] [7C812929] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] [7C9105D4] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] [7C9179FD] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] [7C91043D] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] [7C809F29] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] [7C802530] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] [7C8024A7] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] [7C810D34] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] [7C8394AE] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] [7C910331] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] [7C80220F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 00000000
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] [7CA0FE44] C:\WINDOWS\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 00000000
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] [77F7AACC] C:\WINDOWS\system32\SHLWAPI.dll (Shell Light-weight Utility Library/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] [77F77848] C:\WINDOWS\system32\SHLWAPI.dll (Shell Light-weight Utility Library/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] [77F6819F] C:\WINDOWS\system32\SHLWAPI.dll (Shell Light-weight Utility Library/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] 00000000
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] [77D48697] C:\WINDOWS\system32\USER32.dll (Windows XP USER API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] [77D4A2DE] C:\WINDOWS\system32\USER32.dll (Windows XP USER API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] [77D6EED5] C:\WINDOWS\system32\USER32.dll (Windows XP USER API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 00000000
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] [71AB9639] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] [71AB2C69] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] [71AB3EA1] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] [71AB951E] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] [71AB2D0F] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] [71AB428A] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] [71AB3B91] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] [71AB406A] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] [71AB664D] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] [71AB46C9] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] [71AB3F41] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] [71AB4FD4] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] [71AB615A] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 00000000
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] [4EC8098E] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] [4EC86D0B] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] [4EC91032] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs Fki63.sys
Device \FileSystem\Fastfat \FatCdrom Fki63.sys
Device \FileSystem\RAW \Device\RawTape Fki63.sys
Device \FileSystem\MRxDAV \Device\WebDavRedirector Fki63.sys
Device \FileSystem\RAW \Device\RawDisk Fki63.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver Fki63.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector Fki63.sys
Device \FileSystem\RAW \Device\RawCdRom Fki63.sys
Device \FileSystem\Fastfat \Fat Fki63.sys
Device \FileSystem\Cdfs \Cdfs Fki63.sys
---- EOF - GMER 1.0.14 ----