Volatility 2.0 VM with SpyEye infection (c:\usxxxxxxxx.exe\usxxxxxxxx.exe)
Mike Lambert, 8 May 2012, dragonforen@hotmail.com

YARA is not installed, see http://code.google.com/p/yara-project/
distorm3 is not installed, see http://code.google.com/p/distorm/

IMAGEINFO

Suggested Profile(s)      : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86)
AS Layer1                 : JKIA32PagedMemoryPae (Kernel AS)
AS Layer2                 : FileAddressSpace (C:\mem\120503\vol\120503b.w32)
PAE type                  : PAE
DTB                       : 0x319000
KDBG                      : 0x80545be0L
KPCR                      : 0xffdff000L
KUSER_SHARED_DATA         : 0xffdf0000L
Image date and time       : 2012-05-03 22:48:00
Image local date and time : 2012-05-03 22:48:00
Number of Processors      : 1
Image Type                : Service Pack 3

PSLIST

Offset(V)  Name                    PID   PPID   Thds   Hnds Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x825c8830 System                    4      0     58    271 1970-01-01 00:00:00
0x824540f0 smss.exe                540      4      3     19 2012-05-03 22:34:14
0x82080da0 csrss.exe               612    540     12    483 2012-05-03 22:34:17
0x824e43b8 winlogon.exe            636    540     20    518 2012-05-03 22:34:17
0x82309020 services.exe            680    636     15    285 2012-05-03 22:34:18
0x822cbda0 lsass.exe               692    636     22    359 2012-05-03 22:34:18
0x822b1550 vmacthlp.exe            852    680      2     26 2012-05-03 22:34:19
0x82453b08 svchost.exe             864    680     18    202 2012-05-03 22:34:20
0x821f62a0 svchost.exe             944    680     12    279 2012-05-03 22:34:20
0x82388b10 svchost.exe            1080    680     78   1397 2012-05-03 22:34:21
0x824c0518 svchost.exe            1124    680      8     86 2012-05-03 22:34:22
0x822a8da0 svchost.exe            1280    680     12    165 2012-05-03 22:34:22
0x822fcb28 spoolsv.exe            1384    680     14    149 2012-05-03 22:34:24
0x82438020 svchost.exe            1520    680      6    109 2012-05-03 22:34:42
0x823c26f0 PortReporter.ex        1648    680      3     42 2012-05-03 22:34:44
0x822b87e8 vmtoolsd.exe           1964    680      5    284 2012-05-03 22:34:54
0x8217fb28 searchindexer.e         148    680     21    781 2012-05-03 22:34:54
0x8239f980 explorer.exe            408    296     27    640 2012-05-03 22:34:55
0x82300da0 VMUpgradeHelper         484    680      5    115 2012-05-03 22:34:56
0x822b2c90 wscntfy.exe             876   1080      2     38 2012-05-03 22:34:57
0x82323978 VMwareTray.exe         1332    408      2     59 2012-05-03 22:34:59
0x8246c2e0 VMwareUser.exe         1304    408      8    171 2012-05-03 22:34:59
0x81fa1658 SpyProtector.ex        1460    408      2     51 2012-05-03 22:34:59
0x82312da0 ctfmon.exe             1572    408      2     80 2012-05-03 22:35:00
0x82466658 ShareWatch.exe         1668    408      3     50 2012-05-03 22:35:02
0x823cc650 TPAutoConnSvc.e        1844    680      6    100 2012-05-03 22:35:09
0x8232c6b8 alg.exe                2192    680      7    105 2012-05-03 22:35:10
0x82184a78 TPAutoConnect.e        2552   1844      2     83 2012-05-03 22:35:12
0x820437e8 wuauclt.exe            3672   1080      5    135 2012-05-03 22:36:05
0x820255e8 cports.exe             3860    408      2     63 2012-05-03 22:36:29
0x82041b20 procexp.exe            3948    408      5    258 2012-05-03 22:37:19
0x8208b650 cmd.exe                4084    408      2     35 2012-05-03 22:38:07
0x8251d9a0 wmiprvse.exe           2456    864      8    139 2012-05-03 22:43:23
0x82243020 usxxxxxxxx.exe          124    408      0 ------ 2012-05-03 22:46:58
0x8204e020 win32dd.exe            2892   4084      2     25 2012-05-03 22:48:00

PSSCAN

Offset     Name                PID   PPID PDB        Time created             Time exited
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
0x01fa1658 SpyProtector.ex    1460    408 0x097983a0 2012-05-03 22:34:59
0x020255e8 cports.exe         3860    408 0x09798420 2012-05-03 22:36:29
0x02041b20 procexp.exe        3948    408 0x09798280 2012-05-03 22:37:19
0x020437e8 wuauclt.exe        3672   1080 0x097982a0 2012-05-03 22:36:05
0x0204e020 win32dd.exe        2892   4084 0x09798440 2012-05-03 22:48:00
0x02080da0 csrss.exe           612    540 0x09798040 2012-05-03 22:34:17
0x0208b650 cmd.exe            4084    408 0x097981e0 2012-05-03 22:38:07
0x0217fb28 searchindexer.e     148    680 0x09798240 2012-05-03 22:34:54
0x02184a78 TPAutoConnect.e    2552   1844 0x09798260 2012-05-03 22:35:12
0x021f62a0 svchost.exe         944    680 0x09798100 2012-05-03 22:34:20
0x02243020 usxxxxxxxx.exe      124    408 0x09798120 2012-05-03 22:46:58      2012-05-03 22:46:59
0x022a8da0 svchost.exe        1280    680 0x09798180 2012-05-03 22:34:22
0x022b1550 vmacthlp.exe        852    680 0x097980c0 2012-05-03 22:34:19
0x022b2c90 wscntfy.exe         876   1080 0x09798340 2012-05-03 22:34:57
0x022b87e8 vmtoolsd.exe       1964    680 0x09798220 2012-05-03 22:34:54
0x022cbda0 lsass.exe           692    636 0x097980a0 2012-05-03 22:34:18
0x022fcb28 spoolsv.exe        1384    680 0x097981a0 2012-05-03 22:34:24
0x02300da0 VMUpgradeHelper     484    680 0x09798300 2012-05-03 22:34:56
0x02309020 services.exe        680    636 0x09798080 2012-05-03 22:34:18
0x02312da0 ctfmon.exe         1572    408 0x097983c0 2012-05-03 22:35:00
0x02323978 VMwareTray.exe     1332    408 0x09798360 2012-05-03 22:34:59
0x0232c6b8 alg.exe            2192    680 0x09798400 2012-05-03 22:35:10
0x02388b10 svchost.exe        1080    680 0x09798140 2012-05-03 22:34:21
0x0239f980 explorer.exe        408    296 0x097982e0 2012-05-03 22:34:55
0x023c26f0 PortReporter.ex    1648    680 0x09798200 2012-05-03 22:34:44
0x023cc650 TPAutoConnSvc.e    1844    680 0x097982c0 2012-05-03 22:35:09
0x02438020 svchost.exe        1520    680 0x097981c0 2012-05-03 22:34:42
0x02453b08 svchost.exe         864    680 0x097980e0 2012-05-03 22:34:20
0x024540f0 smss.exe            540      4 0x09798020 2012-05-03 22:34:14
0x02466658 ShareWatch.exe     1668    408 0x097983e0 2012-05-03 22:35:02
0x0246c2e0 VMwareUser.exe     1304    408 0x09798380 2012-05-03 22:34:59
0x024c0518 svchost.exe        1124    680 0x09798160 2012-05-03 22:34:22
0x024e43b8 winlogon.exe        636    540 0x09798060 2012-05-03 22:34:17
0x0251d9a0 wmiprvse.exe       2456    864 0x09798460 2012-05-03 22:43:23
0x025c8830 System                4      0 0x00319000

PSXVIEW

Offset      Name               Pid pslist psscan thrdproc pspcid csr_hnds csr_list
----------- ---------------- ----- ------ ------ -------- ------ -------- --------
0x822a8da0L svchost.exe       1280      1      1        1      1        1        1
0x825c8830L System               4      1      1        1      1        0        0
0x822b2c90L wscntfy.exe        876      1      1        1      1        1        1
0x8232c6b8L alg.exe           2192      1      1        1      1        1        1
0x8239f980L explorer.exe       408      1      1        1      1        1        1
0x8217fb28L searchindexer.e    148      1      1        1      1        1        1
0x8251d9a0L wmiprvse.exe      2456      1      1        1      1        1        1
0x82466658L ShareWatch.exe    1668      1      1        1      1        1        1
0x824540f0L smss.exe           540      1      1        1      1        0        0
0x82438020L svchost.exe       1520      1      1        1      1        1        1
0x82312da0L ctfmon.exe        1572      1      1        1      1        1        1
0x82309020L services.exe       680      1      1        1      1        1        1
0x822b87e8L vmtoolsd.exe      1964      1      1        1      1        1        1
0x821f62a0L svchost.exe        944      1      1        1      1        1        1
0x822cbda0L lsass.exe          692      1      1        1      1        1        1
0x82323978L VMwareTray.exe    1332      1      1        1      1        1        1
0x82388b10L svchost.exe       1080      1      1        1      1        1        1
0x81fa1658L SpyProtector.ex   1460      1      1        1      1        1        1
0x8204e020L win32dd.exe       2892      1      1        1      1        1        1
0x822b1550L vmacthlp.exe       852      1      1        1      1        1        1
0x823cc650L TPAutoConnSvc.e   1844      1      1        1      1        1        1
0x820437e8L wuauclt.exe       3672      1      1        1      1        1        1
0x82300da0L VMUpgradeHelper    484      1      1        1      1        1        1
0x82453b08L svchost.exe        864      1      1        1      1        1        1
0x824c0518L svchost.exe       1124      1      1        1      1        1        1
0x82080da0L csrss.exe          612      1      1        1      1        0        0
0x822fcb28L spoolsv.exe       1384      1      1        1      1        1        1
0x824e43b8L winlogon.exe       636      1      1        1      1        1        1
0x82041b20L procexp.exe       3948      1      1        1      1        1        1
0x823c26f0L PortReporter.ex   1648      1      1        1      1        1        1
0x8208b650L cmd.exe           4084      1      1        1      1        1        1
0x82184a78L TPAutoConnect.e   2552      1      1        1      1        1        1
0x820255e8L cports.exe        3860      1      1        1      1        1        1
0x82243020L usxxxxxxxx.exe     124      1      0        0      1        0        0
0x8246c2e0L VMwareUser.exe    1304      1      1        1      1        1        1