
Thread: Pop up windows. Directs to "Spyware-Secure"

  1. #11
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi

    Well.. the logs look clear. Do you still get popups? If yes do they appear randomly or when surfing on some specific sites?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  2. #12
    Member
    Join Date
    Apr 2007
    Posts
    31


    It looks ok.

    No pop ups for some time now...

    just one question.. I turned on TeaTimer again, and it started asking me if I want to keep some changes to the registry.. I gather those are the changes that were made when we deleted the malware stuff, and it just compares the active registry with the last copy that it had while infected, right? I allowed the change that said "secure systems/value deleted". I hope I didn't turn the pop ups on again, did I?

    Thanks for all your help!!!

  3. #13
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Well, you can post a fresh HJT log and then we'll check if the popups are still gone.

  4. #14
    Member
    Join Date
    Apr 2007
    Posts
    31


    I haven't seen any pop ups lately... it should be ok... though I see in the HJT log the "spyware-secure" thing... here is the log

    Logfile of HijackThis v1.99.1
    Scan saved at 3:24:13 μμ, on 28/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\NCLAUNCH.EXe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Folding@Home\winFAH.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Folding@Home\FahCore_78.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Folding@Home 5.03.lnk = ?
    O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
    O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Reg.lnk = ?
    O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

  5. #15
    Member
    Join Date
    Apr 2007
    Posts
    31


    I checked the path for that "spyware-secure" thing (C\Program Files\Spyware-Secure\Spyware-Secure-trial.exe) and it doesn't exist.

    Maybe it's me with the TeaTimer thing I did.... And it's back in the registry but it points to nowhere...

    I also made a search for the file and I only found some zip files in the Spybot recovery folder.

  6. #16
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi

    Okay. Let's disable TeaTimer temporarily again


    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu, select Advanced Mode
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck Resident TeaTimer and OK any prompts.
    • Restart your computer



    Then check & fix these with hjt:
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe


    Reboot and post a fresh hjt log.

  7. #17
    Member
    Join Date
    Apr 2007
    Posts
    31


    Pop ups are back... and a new symptom now. I keep receiving "mail delivery return" e-mails in my Outlook inbox for addresses that I never tried sending any e-mail to... one of them said something about a virus being detected in an attachment.

    here is the body of that mail:

    Hi. This is the qmail-send program at mx135.newtthk.com.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    <sales@gammaelectronics.com.hk>:
    The users mailfolder is over the allowed quota (size).

    --- Below this line is a copy of the message.

    Return-Path: <info@kfghellas.com>
    Received: (qmail 18181 invoked from network); 31 Aug 2007 09:41:02 -0000
    Received: from avas.wharftthk.com (HELO mirapoint.wharftthk.com) ([202.130.97.138])
    (envelope-sender <info@kfghellas.com>)
    by mx135.newtthk.com (qmail-ldap-1.03) with SMTP
    for <sales@gammaelectronics.com.hk>; 31 Aug 2007 09:41:02 -0000
    Received: from gammaelectronics.com.hk (nakosae.static.otenet.gr [62.103.25.42])
    by mirapoint.wharftthk.com (MOS 3.7.3a-GA)
    with ESMTP id BDL55391;
    Fri, 31 Aug 2007 17:40:56 +0800 (HKT)
    Message-Id: <200708310940.BDL55391@mirapoint.wharftthk.com>
    From: info@kfghellas.com
    To: sales@gammaelectronics.com.hk
    Subject: Mail Delivery (failure sales@gammaelectronics.com.hk)
    Date: Fri, 31 Aug 2007 12:39:58 +0300
    MIME-Version: 1.0
    X-Priority: 3
    X-MSMail-Priority: Normal
    Content-Type: multipart/mixed; boundary="MIRAPOINT_PART1_46d7e22e"
    X-Mirapoint-Virus: VIRUSDELETED;
    host=mirapoint.wharftthk.com;
    attachment=[2.1.2];
    virus=Mal/Iframe-E
    X-Mirapoint-Virus: VIRUSDELETED;
    host=mirapoint.wharftthk.com;
    attachment=[2.2];
    virus=W32/Netsky-P
    X-Junkmail-Status: score=35/50, host=mirapoint.wharftthk.com
    X-Junkmail-SD-Raw: score=suspect(0),
    refid=str=0001.0A090202.46D7E22E.0036,ss=2,fgs=0,
    ip=62.103.25.42,
    so=2005-12-15 23:46:19,
    dmn=5.3.14/2007-05-31

    This is a multi-part message in MIME format.

    --MIRAPOINT_PART1_46d7e22e
    Content-Type: text/plain; charset=UTF-8
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    --MIRAPOINT_PART1_46d7e22e
    Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"

    ------=_NextPart_000_001B_01C0CA80.6B015D10
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_001_001C_01C0CA80.6B015D10"

    ------=_NextPart_001_001C_01C0CA80.6B015D10
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    ------=_NextPart_001_001C_01C0CA80.6B015D10
    Content-Type: text/plain

    VIRUS WARNING Message (from mirapoint.wharftthk.com)

    The virus Mal/Iframe-E was detected in email attachment [2.1.2] . The infected attachment has been deleted.

    ------=_NextPart_001_001C_01C0CA80.6B015D10--

    ------=_NextPart_000_001B_01C0CA80.6B015D10
    Content-Type: text/plain

    VIRUS WARNING Message (from mirapoint.wharftthk.com)

    The virus W32/Netsky-P was detected in email attachment [2.2] message.scr. The infected attachment has been deleted.

    ------=_NextPart_000_001B_01C0CA80.6B015D10--

    --MIRAPOINT_PART1_46d7e22e--


    as for the HJT log, here it is.

    Logfile of HijackThis v1.99.1
    Scan saved at 09:44, on 2007-09-05
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\NCLAUNCH.EXe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Folding@Home\winFAH.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
    C:\Program Files\Folding@Home\FahCore_80.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - Startup: Folding@Home 5.03.lnk = ?
    O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
    O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Reg.lnk = ?
    O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

  8. #18
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi

    Download GMER and save it to your desktop:
    • Extract it to your desktop and double-click GMER.exe
    • Click the rootkit tab and then Scan.
    • Don't check the Show All box while scanning is in progress!
    • When scanning is ready, click Copy.
    • This copies the log to the clipboard
    • Post the log in your reply.


    Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.

  9. #19
    Member
    Join Date
    Apr 2007
    Posts
    31


    Hi Blade81.

    Sorry for the delay...

    here is the GMER log part1:

    GMER 1.0.13.12551 - http://www.gmer.net
    Rootkit scan 2007-09-17 09:53:08
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.13 ----

    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

    ---- User code sections - GMER 1.0.13 ----

    .text C:\WINDOWS\system32\csrss.exe[572] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\WINDOWS\system32\csrss.exe[572] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\WINDOWS\system32\csrss.exe[572] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\WINDOWS\system32\csrss.exe[572] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\WINDOWS\system32\services.exe[644] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\WINDOWS\system32\services.exe[644] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\WINDOWS\system32\services.exe[644] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\WINDOWS\system32\services.exe[644] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\WINDOWS\system32\Ati2evxx.exe[808] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 00CD200E
    .text C:\WINDOWS\system32\Ati2evxx.exe[808] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 00CD1DAF
    .text C:\WINDOWS\system32\Ati2evxx.exe[808] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00CD1CF2
    .text C:\WINDOWS\system32\Ati2evxx.exe[808] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 00CD191B
    .text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Documents and Settings\User\Επιφάνεια εργασίας\gmer.exe[1000] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Documents and Settings\User\Επιφάνεια εργασίας\gmer.exe[1000] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Documents and Settings\User\Επιφάνεια εργασίας\gmer.exe[1000] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Documents and Settings\User\Επιφάνεια εργασίας\gmer.exe[1000] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1008] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1008] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1008] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1008] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1172] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1172] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1172] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1172] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\WINDOWS\system32\Ati2evxx.exe[1220] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 00E1200E
    .text C:\WINDOWS\system32\Ati2evxx.exe[1220] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 00E11DAF
    .text C:\WINDOWS\system32\Ati2evxx.exe[1220] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00E11CF2
    .text C:\WINDOWS\system32\Ati2evxx.exe[1220] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 00E1191B
    .text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1324] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1324] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1324] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1324] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\WINDOWS\system32\spoolsv.exe[1508] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\WINDOWS\system32\spoolsv.exe[1508] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\WINDOWS\system32\spoolsv.exe[1508] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\WINDOWS\system32\spoolsv.exe[1508] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1684] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 0070200E
    .text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1684] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 00701DAF
    .text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1684] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00701CF2
    .text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1684] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 0070191B
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1752] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1752] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1752] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1752] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[1896] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[1896] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[1896] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[1896] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\WINDOWS\Explorer.EXE[1904] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 01D7200E
    .text C:\WINDOWS\Explorer.EXE[1904] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 01D71DAF
    .text C:\WINDOWS\Explorer.EXE[1904] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 01D71CF2
    .text C:\WINDOWS\Explorer.EXE[1904] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 01D7191B
    .text C:\WINDOWS\RTHDCPL.EXE[2256] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\WINDOWS\RTHDCPL.EXE[2256] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\WINDOWS\RTHDCPL.EXE[2256] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\WINDOWS\RTHDCPL.EXE[2256] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\WINDOWS\System32\svchost.exe[2264] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\WINDOWS\System32\svchost.exe[2264] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\WINDOWS\System32\svchost.exe[2264] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\WINDOWS\System32\svchost.exe[2264] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2296] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 008F200E
    .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2296] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 008F1DAF
    .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2296] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 008F1CF2
    .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2296] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 008F191B
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2328] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2328] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2328] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2328] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2344] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2344] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2344] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2344] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2364] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2364] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2364] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2364] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\windows\system32\huyvoxnqt.exe[2420] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\windows\system32\huyvoxnqt.exe[2420] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\windows\system32\huyvoxnqt.exe[2420] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\windows\system32\huyvoxnqt.exe[2420] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B

  10. #20
    Member
    Join Date
    Apr 2007
    Posts
    31

    Default

    GMER log part 2:

    .text C:\WINDOWS\system32\ctfmon.exe[2500] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\WINDOWS\system32\ctfmon.exe[2500] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\WINDOWS\system32\ctfmon.exe[2500] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\WINDOWS\system32\ctfmon.exe[2500] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\WINDOWS\NCLAUNCH.EXe[2548] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\WINDOWS\NCLAUNCH.EXe[2548] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\WINDOWS\NCLAUNCH.EXe[2548] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\WINDOWS\NCLAUNCH.EXe[2548] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[2608] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[2608] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[2608] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[2608] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2628] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2628] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2628] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2628] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe[2740] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 00F1200E
    .text C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe[2740] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 00F11DAF
    .text C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe[2740] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00F11CF2
    .text C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe[2740] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 00F1191B
    .text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2784] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2784] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2784] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2784] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2796] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2796] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2796] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2796] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2796] WS2_32.dll!send 719D428A 5 Bytes JMP 100030E6
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2796] WS2_32.dll!WSARecv 719D4318 5 Bytes JMP 100032CC
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2796] WS2_32.dll!closesocket 719D9639 5 Bytes JMP 100035BC
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2808] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2808] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2808] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2808] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\Folding@Home\winFAH.exe[2844] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\Folding@Home\winFAH.exe[2844] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\Folding@Home\winFAH.exe[2844] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\Folding@Home\winFAH.exe[2844] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\OpenOffice.org 2.2\program\soffice.exe[2920] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\OpenOffice.org 2.2\program\soffice.exe[2920] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\OpenOffice.org 2.2\program\soffice.exe[2920] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\OpenOffice.org 2.2\program\soffice.exe[2920] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN[3008] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN[3008] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN[3008] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN[3008] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\Folding@Home\FahCore_80.exe[3160] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\Folding@Home\FahCore_80.exe[3160] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\Folding@Home\FahCore_80.exe[3160] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\Folding@Home\FahCore_80.exe[3160] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3376] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3376] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3376] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3376] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3428] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3428] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3428] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3428] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
    .text C:\WINDOWS\system32\wuauclt.exe[3492] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
    .text C:\WINDOWS\system32\wuauclt.exe[3492] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
    .text C:\WINDOWS\system32\wuauclt.exe[3492] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
    .text C:\WINDOWS\system32\wuauclt.exe[3492] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
