Smitfraud-C.Toolbar888
liverdrop
2007-06-06, 16:47
Here's my HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 9:28:53 AM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ipmon.exe
C:\WINDOWS\system32\ipmon.exe
C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
C:\WINDOWS\TEMP\1814437.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\smgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\scanner.exe.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08C134D3-087C-4139-A98C-3A078358DFDE} - C:\WINDOWS\system32\wvututq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9A04496D-82F3-8D7F-D97F-83ADDBE426C8} - C:\WINDOWS\system32\pif.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {B517B153-04DE-4143-8397-8902D56F8E42} - C:\WINDOWS\system32\ufwmrcpp.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\ilwjooyu.dll
O2 - BHO: (no name) - {EE725AE8-4F91-4F2F-BF4C-9E376C2464C7} - C:\WINDOWS\system32\ssttq.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [E76DAFCF] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\Run: [j1291532] rundll32 C:\WINDOWS\system32\j1291532.dll sook
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\oxvxvyhb.dll",realset
O4 - HKLM\..\Run: [jmrotsvu.exe] C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\1814437.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\RunServices: [E76DAFCF] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\Аdobe\dllhost.exe" -vt yazb
O4 - HKCU\..\Run: [Wsjokl] C:\WINDOWS\s§?stem\n§àpdb.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: ssttq - C:\WINDOWS\system32\ssttq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmyy32 - C:\WINDOWS\SYSTEM32\winmyy32.dll
O20 - Winlogon Notify: wvututq - C:\WINDOWS\SYSTEM32\wvututq.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
I have tried the online scanner; it froze halfway through and I had to shut off my IE. Then I tried Safe Mode; it just gave me a black screen with "Safe Mode" written in the bottom corner and nothing else. So I scanned the computer a few times in normal mode with Spybot; there were a few items related to the Smitfraud that would not go away. Any help would be appreciated! Thanks much.
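A helper reads a log like this by pattern rather than entry by entry. The script below, added here as an illustration and not part of the original thread or of HijackThis, encodes the patterns that stand out in the log above: executables launched from a temp directory or from the root of All Users\Application Data, Run values with auto-generated hex names, bare filenames that Windows resolves via the search path, rundll32 loaders, unnamed BHOs, entries already orphaned as "(file missing)", and Winlogon Notify packages outside a known-good set. The Notify allowlist and the rules themselves are assumptions for illustration; the sample input is a constructed subset of the O2/O4/O20 lines posted above.

```python
"""Triage of HijackThis autostart entries.

Added example, not part of the original thread or of HijackThis: it reads
O2 (BHO), O4 (Run key) and O20 (Winlogon Notify) lines and flags the
patterns a helper looks for first.  The rules and the Notify allowlist
are assumptions for illustration.
"""
import re

# Constructed sample: a subset of the O2/O4/O20 lines from the log above.
SAMPLE_LOG = r'''
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08C134D3-087C-4139-A98C-3A078358DFDE} - C:\WINDOWS\system32\wvututq.dll
O2 - BHO: (no name) - {B517B153-04DE-4143-8397-8902D56F8E42} - C:\WINDOWS\system32\ufwmrcpp.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [E76DAFCF] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\Run: [jmrotsvu.exe] C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\1814437.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\oxvxvyhb.dll",realset
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvututq - C:\WINDOWS\SYSTEM32\wvututq.dll
'''

RUN_VALUE_RE = re.compile(r'\[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
HEX_NAME_RE = re.compile(r'^[0-9A-F]{8}$', re.I)       # e.g. E76DAFCF
BARE_EXE_RE = re.compile(r'^[\w.]+\.exe$', re.I)        # no path: resolved via the search path
RUNDLL_RE = re.compile(r'^rundll32(\.exe)?\s', re.I)
TEMP_DIR_RE = re.compile(r'\\temp\\', re.I)
APPDATA_ROOT_RE = re.compile(r'\\All Users\\Application Data\\[^\\]+\.exe', re.I)
# Assumed known-good Winlogon Notify packages on XP SP2 (plus WGA).  This is
# an illustration; in practice compare against an export from a clean machine.
KNOWN_NOTIFY = {'crypt32chain', 'cryptnet', 'cscdll', 'sccertprop', 'schedule',
                'sclgntfy', 'senslogn', 'termsrv', 'wlballoon', 'wgalogon'}


def classify(line):
    """Return the list of reasons a single HijackThis line deserves attention."""
    reasons = []
    kind = line.split(' - ', 1)[0]
    if kind == 'O2' and '(no name)' in line:
        # Weak on its own (Spybot's SDHelper.dll is unnamed too); useful combined.
        reasons.append('unnamed BHO')
    elif kind == 'O4':
        m = RUN_VALUE_RE.search(line)       # Global Startup lines have no [name]
        if m:
            name, cmd = m.group('name'), m.group('cmd')
            if HEX_NAME_RE.match(name):
                reasons.append('auto-generated value name')
            if BARE_EXE_RE.match(cmd):
                reasons.append('unqualified executable')
            if RUNDLL_RE.match(cmd):
                reasons.append('rundll32 loader')
    elif kind == 'O20':
        package = line.split(': ', 1)[1].split(' - ', 1)[0]
        if package.lower() not in KNOWN_NOTIFY:
            reasons.append('Winlogon Notify package not in allowlist')
    if TEMP_DIR_RE.search(line):
        reasons.append('runs from a temp directory')
    if APPDATA_ROOT_RE.search(line):
        reasons.append('executable at root of All Users\\Application Data')
    if line.endswith('(file missing)'):
        reasons.append('orphaned entry (file missing)')
    return reasons


def triage(log_text):
    """Return [{'line': ..., 'reasons': [...]}] for every flagged line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = classify(line)
        if reasons:
            findings.append({'line': line, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f['line'])
        for r in f['reasons']:
            print('    ->', r)
```

Run as a script it prints each flagged line with its reasons; the iTunes, Acrobat and WgaLogon entries pass untouched. Note that "(no name)" alone is deliberately a weak signal, and that an entry marked "(file missing)" is a leftover registry pointer whose DLL was already removed, which is why it is reported separately from live loaders.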
liverdrop
2007-06-06, 22:16
I am very very sorry about this second post that I am making, but I am sort of in a very bad situation here and I need help pretty badly. I have read the "read before posting" thread but this is really urgent. I am leaving for vacation in 2 days. This is the only computer at home but my parents do not know anything about computers so I have to fix this before I leave.
Last night I downloaded a keygen program for MathType and got the computer infected. I scanned the computer with Ad-Aware and Spybot and attempted to remove everything on there, but a few things including Smitfraud just keep coming back. This morning I made a post on the forum, but after hours of waiting I have still not received replies, while other people posting with the same topic received help within a few minutes. This may seem impatient or selfish of me; I understand the volunteers here are very busy, but I'm starting to worry that maybe I am being ignored or maybe you guys didn't know how to fix my problem.
Again, I am very sorry for this second post and thank you for your patience.
I hope my computer isn't dying too quickly for it to be fixed. Here's the newest HijackThis log; hope it helps. Thanks!
Logfile of HijackThis v1.99.1
Scan saved at 12:06:32 AM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ipmon.exe
C:\WINDOWS\system32\ipmon.exe
C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\scanner.exe.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\455781.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08C134D3-087C-4139-A98C-3A078358DFDE} - C:\WINDOWS\system32\wvututq.dll (file missing)
O2 - BHO: (no name) - {274B5F83-135E-463C-9B23-44B37B4A0A70} - C:\WINDOWS\system32\ssttq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\mljifcd.dll
O2 - BHO: (no name) - {8EB187F2-CD52-4AC3-ABF3-5AC3058731EC} - C:\WINDOWS\system32\geedc.dll
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\fhpvybtb.dll
O2 - BHO: (no name) - {9A04496D-82F3-8D7F-D97F-83ADDBE426C8} - C:\WINDOWS\system32\pif.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {B517B153-04DE-4143-8397-8902D56F8E42} - C:\WINDOWS\system32\ufwmrcpp.dll (file missing)
O2 - BHO: (no name) - {FDA95400-4057-4D81-8C68-D377F899FAE7} - C:\WINDOWS\system32\jkklj.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [E76DAFCF] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\Run: [j1291532] rundll32 C:\WINDOWS\system32\j1291532.dll sook
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\oxvxvyhb.dll",realset
O4 - HKLM\..\Run: [jmrotsvu.exe] C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\RunServices: [E76DAFCF] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\Аdobe\dllhost.exe" -vt yazb
O4 - HKCU\..\Run: [Wsjokl] C:\WINDOWS\s§?stem\n§àpdb.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll
O20 - Winlogon Notify: mljifcd - C:\WINDOWS\SYSTEM32\mljifcd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmyy32 - C:\WINDOWS\SYSTEM32\winmyy32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hi there.
I understand the volunteers here are very busy but I'm starting to worry that maybe I am being ignored or maybe you guys didn't know how to fix my problem.
I see you started a topic yesterday. By bumping it, and also starting a second thread, assistance can be delayed as noted in our sticky topic. :sad:
This morning I made a post on the forum, but after hours of waiting I have still not received replies while other people posting with the same topic received help within a few min.
The topic may sound the same, however each computer is different and your symptoms may only appear to be similar.
I will ask a helper to take a look as soon as able.
Hello liverdrop and welcome to the Forums :)
You have a nice malware collection there....
One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
liverdrop
2007-06-08, 01:16
SDFix: Version 1.87
Run by Owner - 06/07/2007 Thu - 14:39:18.75
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Owner\Desktop\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Service xpdx - Deleted after Reboot
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\539596~1 - Deleted
C:\WINDOWS\Temp\win17.tmp.exe - Deleted
C:\WINDOWS\Temp\win28.tmp.exe - Deleted
C:\WINDOWS\Temp\win2C.tmp.exe - Deleted
C:\WINDOWS\Temp\win31.tmp.exe - Deleted
C:\WINDOWS\Temp\win33.tmp.exe - Deleted
C:\WINDOWS\Temp\win3E.tmp.exe - Deleted
C:\WINDOWS\Temp\win3F.tmp.exe - Deleted
C:\WINDOWS\Temp\win42.tmp.exe - Deleted
C:\WINDOWS\Temp\win4B.tmp.exe - Deleted
C:\WINDOWS\Temp\win4FD.tmp.exe - Deleted
C:\WINDOWS\Temp\win4FF.tmp.exe - Deleted
C:\WINDOWS\Temp\win501.tmp.exe - Deleted
C:\WINDOWS\Temp\win503.tmp.exe - Deleted
C:\WINDOWS\Temp\win52B.tmp.exe - Deleted
C:\WINDOWS\Temp\win532.tmp.exe - Deleted
C:\WINDOWS\Temp\win53B.tmp.exe - Deleted
C:\WINDOWS\Temp\win544.tmp.exe - Deleted
C:\WINDOWS\Temp\win549.tmp.exe - Deleted
C:\WINDOWS\Temp\win54B.tmp.exe - Deleted
C:\WINDOWS\Temp\win554.tmp.exe - Deleted
C:\WINDOWS\Temp\win56A.tmp.exe - Deleted
C:\WINDOWS\Temp\win577.tmp.exe - Deleted
C:\WINDOWS\Temp\win59A.tmp.exe - Deleted
C:\WINDOWS\Temp\win59F.tmp.exe - Deleted
C:\WINDOWS\Temp\win5AA.tmp.exe - Deleted
C:\WINDOWS\Temp\win5D1.tmp.exe - Deleted
C:\WINDOWS\Temp\win5D5.tmp.exe - Deleted
C:\WINDOWS\Temp\win5F8.tmp.exe - Deleted
C:\WINDOWS\Temp\win5F9.tmp.exe - Deleted
C:\WINDOWS\Temp\win612.tmp.exe - Deleted
C:\WINDOWS\Temp\win614.tmp.exe - Deleted
C:\WINDOWS\Temp\win6C.tmp.exe - Deleted
C:\WINDOWS\Temp\win70.tmp.exe - Deleted
C:\WINDOWS\Temp\win73.tmp.exe - Deleted
C:\WINDOWS\Temp\win7D.tmp.exe - Deleted
C:\WINDOWS\Temp\winC.tmp.exe - Deleted
C:\WINDOWS\Temp\winE.tmp.exe - Deleted
C:\WINDOWS\Temp\cjnr4r4736DD722.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r4736DD725.tmp - Deleted
C:\WINDOWS\system32\mlsdf8h6784504.exe - Deleted
C:\WINDOWS\Temp\win17.tmp.exe - Deleted
C:\WINDOWS\Temp\win28.tmp.exe - Deleted
C:\WINDOWS\Temp\win2C.tmp.exe - Deleted
C:\WINDOWS\Temp\win31.tmp.exe - Deleted
C:\WINDOWS\Temp\win33.tmp.exe - Deleted
C:\WINDOWS\Temp\win3E.tmp.exe - Deleted
C:\WINDOWS\Temp\win3F.tmp.exe - Deleted
C:\WINDOWS\Temp\win42.tmp.exe - Deleted
C:\WINDOWS\Temp\win4B.tmp.exe - Deleted
C:\WINDOWS\Temp\win4FD.tmp.exe - Deleted
C:\WINDOWS\Temp\win4FF.tmp.exe - Deleted
C:\WINDOWS\Temp\win501.tmp.exe - Deleted
C:\WINDOWS\Temp\win503.tmp.exe - Deleted
C:\WINDOWS\Temp\win52B.tmp.exe - Deleted
C:\WINDOWS\Temp\win532.tmp.exe - Deleted
C:\WINDOWS\Temp\win53B.tmp.exe - Deleted
C:\WINDOWS\Temp\win544.tmp.exe - Deleted
C:\WINDOWS\Temp\win549.tmp.exe - Deleted
C:\WINDOWS\Temp\win54B.tmp.exe - Deleted
C:\WINDOWS\Temp\win554.tmp.exe - Deleted
C:\WINDOWS\Temp\win56A.tmp.exe - Deleted
C:\WINDOWS\Temp\win577.tmp.exe - Deleted
C:\WINDOWS\Temp\win59A.tmp.exe - Deleted
C:\WINDOWS\Temp\win59F.tmp.exe - Deleted
C:\WINDOWS\Temp\win5AA.tmp.exe - Deleted
C:\WINDOWS\Temp\win5D1.tmp.exe - Deleted
C:\WINDOWS\Temp\win5D5.tmp.exe - Deleted
C:\WINDOWS\Temp\win5F8.tmp.exe - Deleted
C:\WINDOWS\Temp\win5F9.tmp.exe - Deleted
C:\WINDOWS\Temp\win612.tmp.exe - Deleted
C:\WINDOWS\Temp\win614.tmp.exe - Deleted
C:\WINDOWS\Temp\win6C.tmp.exe - Deleted
C:\WINDOWS\Temp\win70.tmp.exe - Deleted
C:\WINDOWS\Temp\win73.tmp.exe - Deleted
C:\WINDOWS\Temp\win7D.tmp.exe - Deleted
C:\WINDOWS\Temp\winC.tmp.exe - Deleted
C:\WINDOWS\Temp\winE.tmp.exe - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\win5E.tmp.exe - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\win62.tmp.exe - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\uninstall.exe - Deleted
C:\WINDOWS\system32\max1d1641.exe - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
C:\WINDOWS\wr.txt - Deleted
C:\WINDOWS\system32\xpdx.sys - Deleted
C:\WINDOWS\Temp\win*.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp*.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\win*.tmp - Deleted
Removing Temp Files...
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\World of Warcraft\\WoW-1.7.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.7.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32"="C:\\WINDOWS\\system32:*:Enabled:lockx"
"C:\\Program Files\\World of Warcraft\\WoW-1.8.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.8.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\Launcher.exe"="C:\\Program Files\\World of Warcraft\\Launcher.exe:*:Enabled:World of Warcraft"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Wizet\\MapleStory\\MapleStory.exe"="C:\\Program Files\\Wizet\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:aim"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Documents and Settings\\All Users\\Documents\\My Music\\Music Files\\Installers\\WoW\\BackgroundDownloader.exe"="C:\\Documents and Settings\\All Users\\Documents\\My Music\\Music Files\\Installers\\WoW\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\win5C.tmp.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\win5C.tmp.exe:*:Enabled:win5C.tmp"
"C:\\WINDOWS\\TEMP\\win26.tmp.exe"="C:\\WINDOWS\\TEMP\\win26.tmp.exe:*:Enabled:win26.tmp"
"C:\\WINDOWS\\TEMP\\win66.tmp.exe"="C:\\WINDOWS\\TEMP\\win66.tmp.exe:*:Enabled:win66.tmp"
"C:\\WINDOWS\\TEMP\\win525.tmp.exe"="C:\\WINDOWS\\TEMP\\win525.tmp.exe:*:Enabled:win525.tmp"
"C:\\WINDOWS\\TEMP\\win564.tmp.exe"="C:\\WINDOWS\\TEMP\\win564.tmp.exe:*:Enabled:win564.tmp"
"C:\\WINDOWS\\TEMP\\win594.tmp.exe"="C:\\WINDOWS\\TEMP\\win594.tmp.exe:*:Enabled:win594.tmp"
"C:\\WINDOWS\\TEMP\\win5CB.tmp.exe"="C:\\WINDOWS\\TEMP\\win5CB.tmp.exe:*:Enabled:win5CB.tmp"
"C:\\WINDOWS\\TEMP\\win5EF.tmp.exe"="C:\\WINDOWS\\TEMP\\win5EF.tmp.exe:*:Enabled:win5EF.tmp"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files:
---------------
Backups Folder: - C:\DOCUME~1\Owner\Desktop\SDFix\backups\backups.zip
Listing Files with Hidden Attributes:
C:\Program Files\World of Warcraft\Readme\dbghelp.dll
C:\Program Files\World of Warcraft\Readme\DivxDecoder.dll
C:\Program Files\World of Warcraft\Readme\fmod.dll
C:\Program Files\World of Warcraft\Readme\ijl15.dll
C:\Program Files\World of Warcraft\Readme\unicows.dll
C:\WINDOWS\system32\geedc.dll
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\World of Warcraft\Readme\BNUpdate.exe
C:\Program Files\World of Warcraft\Readme\Repair.exe
C:\Program Files\World of Warcraft\Readme\WoW-1.2.3-enUS-patch.exe
C:\Program Files\World of Warcraft\Readme\WoW-1.2.4-to-1.3.0-enUS-patch.exe
C:\Program Files\World of Warcraft\Readme\WoW-1.3.1.4297-to-1.4.0-enUS-patch.exe
C:\Program Files\World of Warcraft\Readme\WoW-1.4.2.4375-to-1.5.0-enUS-patch.exe
C:\Program Files\World of Warcraft\Readme\WoW-1.5.1.4449-to-1.6.0-enUS-patch.exe
C:\Program Files\World of Warcraft\Readme\WoW-1.6.0.4500-to-1.6.1-enUS-patch.exe
C:\Program Files\World of Warcraft\Readme\WoW-1.6.1.4544-to-1.7.0-enUS-patch.exe
C:\Program Files\World of Warcraft\Readme\WoW-1.7.0-enUS-downloader.exe
C:\Program Files\World of Warcraft\Readme\WoW-1.7.0-enUS-patch.exe
C:\Program Files\World of Warcraft\Readme\WoW-1.8.0-enUS-downloader.exe
C:\Program Files\World of Warcraft\Readme\WoW-1.8.0-enUS-patch.exe
C:\Program Files\World of Warcraft\Readme\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe
C:\Program Files\World of Warcraft\Readme\WoW-1.8.3.4807-to-1.8.4.4878-enUS-patch.exe
C:\Program Files\World of Warcraft\Readme\WoW.exe
C:\Program Files\World of Warcraft\Readme\WowError.exe
C:\WINDOWS\Аdobe\dllhost.exe
Listing User Accounts:
User accounts for \\BATTLESTATIONCZ
Administrator ASPNET Guest
HelpAssistant Owner SUPPORT_388945a0
Finished
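The firewall section of that report deserves a second look. Windows Firewall exceptions are granted per executable, yet the export shows exceptions for seven files in temp directories and one entry ("lockx") that names the whole system32 directory rather than a program. The script below, added here as an example and not part of SDFix or the original thread, parses that .reg-style export and flags such entries; the rules are assumptions for illustration and the sample is a constructed subset of the lines above.

```python
"""Audit of a Windows Firewall AuthorizedApplications export.

Added example, not part of the original thread or of SDFix.  The
.reg-style lines SDFix prints have the form
    "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
This parses them and flags the exceptions a malware remover should
question.  The rules are illustrative assumptions.
"""
import re

# Constructed sample: a subset of the StandardProfile export in the report.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32"="C:\\WINDOWS\\system32:*:Enabled:lockx"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\win5C.tmp.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\win5C.tmp.exe:*:Enabled:win5C.tmp"
"C:\\WINDOWS\\TEMP\\win26.tmp.exe"="C:\\WINDOWS\\TEMP\\win26.tmp.exe:*:Enabled:win26.tmp"
'''

VALUE_RE = re.compile(r'^"(?P<key>.*)"="(?P<val>.*)"$')
# The path itself contains ':' (drive letter), so the regex anchors on the
# three trailing fields and lets the path absorb the rest.
FIELDS_RE = re.compile(
    r'^(?P<path>.*?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$', re.I)
TEMP_DIR_RE = re.compile(r'\\temp\\', re.I)
# Assumed "expected" roots for installed programs; anything else is user-writable.
EXPECTED_ROOTS = ('%windir%', 'c:\\windows', 'c:\\program files')


def parse_exceptions(text):
    """Yield one dict (path, scope, state, name) per exception line.

    Key headers and blank lines are skipped; the doubled backslashes of the
    .reg syntax are collapsed to single ones.
    """
    for raw in text.splitlines():
        m = VALUE_RE.match(raw.strip())
        if not m:
            continue
        f = FIELDS_RE.match(m.group('val'))
        if not f:
            continue
        yield {k: v.replace('\\\\', '\\') for k, v in f.groupdict().items()}


def audit(text):
    """Return [(path, [reasons])] for exceptions that deserve a look."""
    findings = []
    for e in parse_exceptions(text):
        path, reasons = e['path'], []
        if not path.lower().endswith('.exe'):
            # An exception must name a program; a directory is not one.
            reasons.append('not an executable')
        if TEMP_DIR_RE.search(path):
            # Installers do not register their temp copies as exceptions.
            reasons.append('temp directory')
        if not path.lower().startswith(EXPECTED_ROOTS):
            reasons.append('outside Program Files or Windows')
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == '__main__':
    for path, reasons in audit(SAMPLE_EXPORT):
        print(path, '->', ', '.join(reasons))
```

The scope field is kept in each parsed entry because it matters when reading a real export: "*" means the exception applies to any remote address, which is what every entry on this machine uses. The "outside Program Files or Windows" rule is intentionally noisy (it also catches the LimeWire stub installer at the root of C:); it is there to surface entries for review, not to judge them.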
liverdrop
2007-06-08, 01:17
VundoFix V6.4.2
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Scan started at 1:02:53 PM 6/6/2007
Listing files found while scanning....
C:\WINDOWS\system32\bhyvxvxo.ini
C:\WINDOWS\system32\gebbxwu.dll
C:\WINDOWS\system32\ilwjooyu.dll
C:\WINDOWS\system32\jkklkhh.dll
C:\WINDOWS\system32\opnmjhf.dll
C:\WINDOWS\system32\oxvxvyhb.dll
C:\WINDOWS\system32\qttss.bak1
C:\WINDOWS\system32\qttss.bak2
C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\qttss.ini2
C:\WINDOWS\system32\qttss.tmp
C:\WINDOWS\system32\ssqomlj.dll
C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\tuvursp.dll
C:\WINDOWS\system32\vylymuaw.dll
C:\WINDOWS\system32\wvututq.dll
C:\WINDOWS\system32\wvuvwut.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\bhyvxvxo.ini
C:\WINDOWS\system32\bhyvxvxo.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebbxwu.dll
C:\WINDOWS\system32\gebbxwu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ilwjooyu.dll
C:\WINDOWS\system32\ilwjooyu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkklkhh.dll
C:\WINDOWS\system32\jkklkhh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\opnmjhf.dll
C:\WINDOWS\system32\opnmjhf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\oxvxvyhb.dll
C:\WINDOWS\system32\oxvxvyhb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qttss.bak1
C:\WINDOWS\system32\qttss.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\qttss.bak2
C:\WINDOWS\system32\qttss.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\qttss.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\qttss.ini2
C:\WINDOWS\system32\qttss.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\qttss.tmp
C:\WINDOWS\system32\qttss.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqomlj.dll
C:\WINDOWS\system32\ssqomlj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\ssttq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\tuvursp.dll
C:\WINDOWS\system32\tuvursp.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vylymuaw.dll
C:\WINDOWS\system32\vylymuaw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvututq.dll
C:\WINDOWS\system32\wvututq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvuvwut.dll
C:\WINDOWS\system32\wvuvwut.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.4.2
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Scan started at 2:42:58 PM 6/6/2007
Listing files found while scanning....
VundoFix V6.4.2
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Scan started at 5:25:09 PM 6/6/2007
Listing files found while scanning....
C:\WINDOWS\system32\gebbawt.dll
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\nnnomkj.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebbawt.dll
C:\WINDOWS\system32\gebbawt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jkklj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\jlkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\jlkkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnomkj.dll
C:\WINDOWS\system32\nnnomkj.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.4.2
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Scan started at 6:02:41 PM 6/7/2007
Listing files found while scanning....
C:\WINDOWS\system32\awttrro.dll
C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\mljifcd.dll
C:\WINDOWS\system32\pmnopqo.dll
C:\WINDOWS\system32\rqrppqr.dll
C:\WINDOWS\system32\wvuvtrp.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awttrro.dll
C:\WINDOWS\system32\awttrro.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\geedc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mljifcd.dll
C:\WINDOWS\system32\mljifcd.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnopqo.dll
C:\WINDOWS\system32\pmnopqo.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrppqr.dll
C:\WINDOWS\system32\rqrppqr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvuvtrp.dll
C:\WINDOWS\system32\wvuvtrp.dll Has been deleted!
Performing Repairs to the registry.
Done!
liverdrop
2007-06-08, 01:18
Logfile of HijackThis v1.99.1
Scan saved at 6:14:28 PM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ipmon.exe
C:\WINDOWS\system32\ipmon.exe
C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\scanner.exe.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08C134D3-087C-4139-A98C-3A078358DFDE} - C:\WINDOWS\system32\wvututq.dll (file missing)
O2 - BHO: (no name) - {1D689806-AC94-46D5-8F80-9FC3387EDC7D} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {274B5F83-135E-463C-9B23-44B37B4A0A70} - C:\WINDOWS\system32\ssttq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\mljifcd.dll (file missing)
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\fhpvybtb.dll
O2 - BHO: (no name) - {9A04496D-82F3-8D7F-D97F-83ADDBE426C8} - C:\WINDOWS\system32\pif.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {B517B153-04DE-4143-8397-8902D56F8E42} - C:\WINDOWS\system32\ufwmrcpp.dll (file missing)
O2 - BHO: (no name) - {FDA95400-4057-4D81-8C68-D377F899FAE7} - C:\WINDOWS\system32\jkklj.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [E76DAFCF] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\Run: [j1291532] rundll32 C:\WINDOWS\system32\j1291532.dll sook
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\oxvxvyhb.dll",realset
O4 - HKLM\..\Run: [jmrotsvu.exe] C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\RunServices: [E76DAFCF] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\Аdobe\dllhost.exe" -vt yazb
O4 - HKCU\..\Run: [Wsjokl] C:\WINDOWS\sуstem\nоpdb.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmyy32 - C:\WINDOWS\SYSTEM32\winmyy32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Ok looks better but we still have lots of work to do...
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
liverdrop
2007-06-11, 07:38
ComboFix 07-06-09.5 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-06-10 11:14:00 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\ahhbgwov.dll
C:\WINDOWS\system32\hliawihn.dll
C:\WINDOWS\system32\winmyy32.dll
C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\hhhkj.tmp
C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\hhhkj.tmp
C:\WINDOWS\system32\jkhhh.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\67GV8TK2\www.inter-focus.cn
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\67GV8TK2\www.inter-focus.cn\240180JP_Dark.swf\IFFLASHAD.sol
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\67GV8TK2\www.inter-focus.cn\IF240180JP_016.swf\IFFLASHAD.sol
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\67GV8TK2\www.inter-focus.cn\IFFLASHAD_PLAYER.sol
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\avp.exe
C:\WINDOWS\hosts
C:\WINDOWS\retadpu1000272.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wnsapisu.exe
C:\WINDOWS\system32\wpcap.dll
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\NPF
((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))
2007-06-10 10:56 93,696 --a------ C:\WINDOWS\system32\drvwuw.dll
2007-06-10 10:56 33,302 --a------ C:\WINDOWS\system32\ddcywtu.dll
2007-06-10 10:35 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-10 10:16 93,696 --a------ C:\WINDOWS\system32\drvvux.dll
2007-06-10 10:16 33,302 --a------ C:\WINDOWS\system32\xxyvurs.dll
2007-06-07 18:03 93,696 --a------ C:\WINDOWS\system32\drvpul.dll
2007-06-07 14:27 93,696 --a------ C:\WINDOWS\system32\drvjum.dll
2007-06-07 12:03 93,696 --a------ C:\WINDOWS\system32\drvjak.dll
2007-06-06 23:15 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-06-06 20:03 55,316 --a------ C:\WINDOWS\system32\fhpvybtb.dll
2007-06-06 19:54 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
2007-06-06 14:34 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-06-06 14:32 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-06-06 13:33 55,316 --a------ C:\WINDOWS\system32\amrgvsxb.dll
2007-06-06 13:02 <DIR> d-------- C:\VundoFix Backups
2007-06-06 12:44 1,835,008 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\You've Got Pictures Screensaver
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\McAfee
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL
2007-06-06 00:10 28,160 --a------ C:\WINDOWS\system32\winsys64.exe
2007-06-06 00:07 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-06-06 00:06 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-05 22:43 60,928 --a------ C:\WINDOWS\system32\pif.dll
2007-06-05 22:43 <DIR> d-------- C:\WINDOWS\sуstem
2007-06-05 22:42 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\jmrotsvu.exe
2007-06-05 22:42 <DIR> d-------- C:\WINDOWS\Аdobe
2007-06-05 22:35 351,526 --a------ C:\WINDOWS\WBDDA34I.DLL
2007-06-05 22:18 2,580 --a------ C:\WINDOWS\system32\ptjfllbb.exe
2007-06-05 22:12 14,868 --a------ C:\WINDOWS\system32\gjtpgqdf.exe
2007-06-05 22:12 10,752 --a------ C:\WINDOWS\system32\j1291532.dll
2007-06-05 22:01 30,720 --a------ C:\WINDOWS\system32\ipmon.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-10 14:50:27 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Skype
2007-06-07 18:26:34 -------- d-----w C:\Program Files\Starcraft
2007-06-07 16:12:04 -------- d-----w C:\Program Files\BigFix
2007-06-07 16:11:35 -------- d-----w C:\Program Files\Diablo II
2007-06-07 00:34:50 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-06 04:05:26 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-06 02:08:23 -------- d-----w C:\Program Files\Dragon
2007-06-05 16:26:34 -------- d-----w C:\Program Files\iTunes
2007-06-05 16:26:18 -------- d-----w C:\Program Files\iPod
2007-06-05 16:25:13 -------- d-----w C:\Program Files\QuickTime
2007-06-03 05:11:55 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 18:46:38 -------- d-----w C:\Program Files\DivX
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1D689806-AC94-46D5-8F80-9FC3387EDC7D}=C:\WINDOWS\system32\geedc.dll []
{274B5F83-135E-463C-9B23-44B37B4A0A70}=C:\WINDOWS\system32\ssttq.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{8A61098D-612B-4EF2-943D-64E920684061}=C:\WINDOWS\system32\xxyvurs.dll [2007-06-10 10:16]
{9A04496D-82F3-8D7F-D97F-83ADDBE426C8}=C:\WINDOWS\system32\pif.dll [2007-05-21 09:59]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
{FDA95400-4057-4D81-8C68-D377F899FAE7}=C:\WINDOWS\system32\jkklj.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24]
"VTTrayp"="VTtrayp.exe" [2004-10-12 06:00 C:\WINDOWS\system32\VTTrayp.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"SoundMan"="SOUNDMAN.EXE" [2003-12-09 14:17 C:\WINDOWS\SOUNDMAN.EXE]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-05 23:51]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"VTTimer"="VTTimer.exe" [2004-10-22 11:53 C:\WINDOWS\system32\VTTimer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"ipmon"="ipmon.exe" [2007-06-05 22:01 C:\WINDOWS\system32\ipmon.exe]
"jmrotsvu.exe"="C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe" [2007-06-05 22:42]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"Aim6"="" []
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-31 21:46]
"Cpue"="C:\WINDOWS\Аdobe\dllhost.exe" []
"Wsjokl"="C:\WINDOWS\sуstem\nоpdb.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"E76DAFCF"=C:\WINDOWS\system32\rsbmsc.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A61098D-612B-4EF2-943D-64E920684061}"="C:\WINDOWS\system32\xxyvurs.dll" [2007-06-10 10:16]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvurs]
xxyvurs.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021e6df-0a2a-11da-b762-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deff3a65-0821-11da-8b7d-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
Contents of the 'Scheduled Tasks' folder
2007-06-05 20:43:16 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-10 11:23:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-10 11:27:02 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-10 11:26
--- E O F ---
Ok...
Please download and run Flash_Disinfector by sUBs (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe)
Restart the computer and post a fresh HijackThis log along with a fresh ComboFix log.
liverdrop
2007-06-13, 09:03
ComboFix 07-06-09.5 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-06-12 23:28:27 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\dicwsrtl.dll
C:\WINDOWS\system32\hdwrgfnl.dll
C:\WINDOWS\system32\pftcdmdc.dll
C:\WINDOWS\system32\pjywblqv.dll
C:\WINDOWS\system32\svynjicl.dll
C:\WINDOWS\system32\xfsgrnxv.dll
C:\WINDOWS\system32\vvvwa.bak1
C:\WINDOWS\system32\vvvwa.bak2
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\ltrswcid.ini
C:\WINDOWS\system32\lcijnyvs.ini
C:\WINDOWS\system32\vvvwa.bak1
C:\WINDOWS\system32\vvvwa.bak2
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\awvvv.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))
2007-06-12 23:19 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-06-12 23:19 <DIR> drahs---- C:\autorun.inf
2007-06-10 10:56 93,696 --a------ C:\WINDOWS\system32\drvwuw.dll
2007-06-10 10:56 33,302 --a------ C:\WINDOWS\system32\ddcywtu.dll
2007-06-10 10:35 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-10 10:16 93,696 --a------ C:\WINDOWS\system32\drvvux.dll
2007-06-10 10:16 33,302 --a------ C:\WINDOWS\system32\xxyvurs.dll
2007-06-07 18:03 93,696 --a------ C:\WINDOWS\system32\drvpul.dll
2007-06-07 14:27 93,696 --a------ C:\WINDOWS\system32\drvjum.dll
2007-06-07 12:03 93,696 --a------ C:\WINDOWS\system32\drvjak.dll
2007-06-06 23:15 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-06-06 20:03 55,316 --a------ C:\WINDOWS\system32\fhpvybtb.dll
2007-06-06 19:54 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
2007-06-06 14:34 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-06-06 14:32 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-06-06 13:33 55,316 --a------ C:\WINDOWS\system32\amrgvsxb.dll
2007-06-06 13:02 <DIR> d-------- C:\VundoFix Backups
2007-06-06 12:44 1,835,008 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\You've Got Pictures Screensaver
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\McAfee
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL
2007-06-06 00:10 28,160 --a------ C:\WINDOWS\system32\winsys64.exe
2007-06-06 00:07 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-06-06 00:06 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-05 22:43 60,928 --a------ C:\WINDOWS\system32\pif.dll
2007-06-05 22:43 <DIR> d-------- C:\WINDOWS\sуstem
2007-06-05 22:42 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\jmrotsvu.exe
2007-06-05 22:42 <DIR> d-------- C:\WINDOWS\Аdobe
2007-06-05 22:35 351,526 --a------ C:\WINDOWS\WBDDA34I.DLL
2007-06-05 22:18 2,580 --a------ C:\WINDOWS\system32\ptjfllbb.exe
2007-06-05 22:12 14,868 --a------ C:\WINDOWS\system32\gjtpgqdf.exe
2007-06-05 22:12 10,752 --a------ C:\WINDOWS\system32\j1291532.dll
2007-06-05 22:01 30,720 --a------ C:\WINDOWS\system32\ipmon.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-11 14:56:23 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Skype
2007-06-07 18:26:34 -------- d-----w C:\Program Files\Starcraft
2007-06-07 16:12:04 -------- d-----w C:\Program Files\BigFix
2007-06-07 16:11:35 -------- d-----w C:\Program Files\Diablo II
2007-06-07 00:34:50 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-06 04:05:26 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-06 02:08:23 -------- d-----w C:\Program Files\Dragon
2007-06-05 16:26:34 -------- d-----w C:\Program Files\iTunes
2007-06-05 16:26:18 -------- d-----w C:\Program Files\iPod
2007-06-05 16:25:13 -------- d-----w C:\Program Files\QuickTime
2007-06-03 05:11:55 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 18:46:38 -------- d-----w C:\Program Files\DivX
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1D689806-AC94-46D5-8F80-9FC3387EDC7D}=C:\WINDOWS\system32\geedc.dll []
{274B5F83-135E-463C-9B23-44B37B4A0A70}=C:\WINDOWS\system32\ssttq.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{8A61098D-612B-4EF2-943D-64E920684061}=C:\WINDOWS\system32\xxyvurs.dll [2007-06-10 10:16]
{9A04496D-82F3-8D7F-D97F-83ADDBE426C8}=C:\WINDOWS\system32\pif.dll [2007-05-21 09:59]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
{FDA95400-4057-4D81-8C68-D377F899FAE7}=C:\WINDOWS\system32\jkklj.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24]
"VTTrayp"="VTtrayp.exe" [2004-10-12 06:00 C:\WINDOWS\system32\VTTrayp.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"SoundMan"="SOUNDMAN.EXE" [2003-12-09 14:17 C:\WINDOWS\SOUNDMAN.EXE]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-05 23:51]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"VTTimer"="VTTimer.exe" [2004-10-22 11:53 C:\WINDOWS\system32\VTTimer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"ipmon"="ipmon.exe" [2007-06-05 22:01 C:\WINDOWS\system32\ipmon.exe]
"jmrotsvu.exe"="C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe" [2007-06-05 22:42]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"Aim6"="" []
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-31 21:46]
"Cpue"="C:\WINDOWS\Аdobe\dllhost.exe" []
"Wsjokl"="C:\WINDOWS\sуstem\nоpdb.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"E76DAFCF"=C:\WINDOWS\system32\rsbmsc.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A61098D-612B-4EF2-943D-64E920684061}"="C:\WINDOWS\system32\xxyvurs.dll" [2007-06-10 10:16]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvurs]
xxyvurs.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021e6df-0a2a-11da-b762-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deff3a65-0821-11da-8b7d-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
Contents of the 'Scheduled Tasks' folder
2007-06-05 20:43:16 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-12 23:37:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-12 23:41:34 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-12 23:41
C:\ComboFix2.txt ... 2007-06-10 11:27
--- E O F ---
liverdrop
2007-06-13, 09:04
Logfile of HijackThis v1.99.1
Scan saved at 11:25:51 PM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ipmon.exe
C:\WINDOWS\system32\ipmon.exe
C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\scanner.exe.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D689806-AC94-46D5-8F80-9FC3387EDC7D} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {274B5F83-135E-463C-9B23-44B37B4A0A70} - C:\WINDOWS\system32\ssttq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\xxyvurs.dll
O2 - BHO: (no name) - {9A04496D-82F3-8D7F-D97F-83ADDBE426C8} - C:\WINDOWS\system32\pif.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {FDA95400-4057-4D81-8C68-D377F899FAE7} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: (no name) - {FE762005-5413-44FD-94E2-21BE6951F22F} - C:\WINDOWS\system32\awvvv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\Run: [jmrotsvu.exe] C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
O4 - HKLM\..\RunServices: [E76DAFCF] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\¡ì?dobe\dllhost.exe" -vt yazb
O4 - HKCU\..\Run: [Wsjokl] C:\WINDOWS\s¡ì?stem\n¡ì¨¤pdb.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: awvvv - C:\WINDOWS\system32\awvvv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xxyvurs - C:\WINDOWS\SYSTEM32\xxyvurs.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
You ran flash disinfector?
Please delete any previous versions of VundoFix.
Then we'll remove the old Java so that we'll get you clean:
Start
Control Panel
Add/Remove Programs
Delete the old Java:
J2SE Runtime Environment 5.0 Update 2
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
liverdrop
2007-06-15, 03:54
Thank you so much!
Here's the VundoFix log. I am not home right now, but the person who ran the programs told me that HijackThis did not produce a new log. I don't know if that's supposed to happen?
VundoFix V6.4.2
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Scan started at 1:02:53 PM 6/6/2007
Listing files found while scanning....
C:\WINDOWS\system32\bhyvxvxo.ini
C:\WINDOWS\system32\gebbxwu.dll
C:\WINDOWS\system32\ilwjooyu.dll
C:\WINDOWS\system32\jkklkhh.dll
C:\WINDOWS\system32\opnmjhf.dll
C:\WINDOWS\system32\oxvxvyhb.dll
C:\WINDOWS\system32\qttss.bak1
C:\WINDOWS\system32\qttss.bak2
C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\qttss.ini2
C:\WINDOWS\system32\qttss.tmp
C:\WINDOWS\system32\ssqomlj.dll
C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\tuvursp.dll
C:\WINDOWS\system32\vylymuaw.dll
C:\WINDOWS\system32\wvututq.dll
C:\WINDOWS\system32\wvuvwut.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\bhyvxvxo.ini
C:\WINDOWS\system32\bhyvxvxo.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebbxwu.dll
C:\WINDOWS\system32\gebbxwu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ilwjooyu.dll
C:\WINDOWS\system32\ilwjooyu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkklkhh.dll
C:\WINDOWS\system32\jkklkhh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\opnmjhf.dll
C:\WINDOWS\system32\opnmjhf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\oxvxvyhb.dll
C:\WINDOWS\system32\oxvxvyhb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qttss.bak1
C:\WINDOWS\system32\qttss.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\qttss.bak2
C:\WINDOWS\system32\qttss.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\qttss.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\qttss.ini2
C:\WINDOWS\system32\qttss.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\qttss.tmp
C:\WINDOWS\system32\qttss.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqomlj.dll
C:\WINDOWS\system32\ssqomlj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\ssttq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\tuvursp.dll
C:\WINDOWS\system32\tuvursp.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vylymuaw.dll
C:\WINDOWS\system32\vylymuaw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvututq.dll
C:\WINDOWS\system32\wvututq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvuvwut.dll
C:\WINDOWS\system32\wvuvwut.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.4.2
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Scan started at 2:42:58 PM 6/6/2007
Listing files found while scanning....
VundoFix V6.4.2
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Scan started at 5:25:09 PM 6/6/2007
Listing files found while scanning....
C:\WINDOWS\system32\gebbawt.dll
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\nnnomkj.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebbawt.dll
C:\WINDOWS\system32\gebbawt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jkklj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\jlkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\jlkkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnomkj.dll
C:\WINDOWS\system32\nnnomkj.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.4.2
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Scan started at 6:02:41 PM 6/7/2007
Listing files found while scanning....
C:\WINDOWS\system32\awttrro.dll
C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\mljifcd.dll
C:\WINDOWS\system32\pmnopqo.dll
C:\WINDOWS\system32\rqrppqr.dll
C:\WINDOWS\system32\wvuvtrp.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awttrro.dll
C:\WINDOWS\system32\awttrro.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\geedc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mljifcd.dll
C:\WINDOWS\system32\mljifcd.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnopqo.dll
C:\WINDOWS\system32\pmnopqo.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrppqr.dll
C:\WINDOWS\system32\rqrppqr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvuvtrp.dll
C:\WINDOWS\system32\wvuvtrp.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.0
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Scan started at 1:43:55 AM 6/14/2007
Listing files found while scanning....
C:\windows\system32\ddcywtu.dll
C:\windows\system32\gjtpgqdf.exe
C:\windows\system32\j1291532.dll
C:\windows\system32\ptjfllbb.exe
C:\WINDOWS\system32\qtstv.bak1
C:\WINDOWS\system32\qtstv.bak2
C:\WINDOWS\system32\qtstv.ini
C:\windows\system32\vkratfxr.dll
C:\WINDOWS\system32\vtstq.dll
C:\windows\system32\xxyvurs.dll
Beginning removal...
Attempting to delete C:\windows\system32\ddcywtu.dll
C:\windows\system32\ddcywtu.dll Has been deleted!
Attempting to delete C:\windows\system32\gjtpgqdf.exe
C:\windows\system32\gjtpgqdf.exe Has been deleted!
Attempting to delete C:\windows\system32\j1291532.dll
C:\windows\system32\j1291532.dll Has been deleted!
Attempting to delete C:\windows\system32\ptjfllbb.exe
C:\windows\system32\ptjfllbb.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\qtstv.bak1
C:\WINDOWS\system32\qtstv.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\qtstv.bak2
C:\WINDOWS\system32\qtstv.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\qtstv.ini
C:\WINDOWS\system32\qtstv.ini Has been deleted!
Attempting to delete C:\windows\system32\vkratfxr.dll
C:\windows\system32\vkratfxr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtstq.dll
C:\WINDOWS\system32\vtstq.dll Has been deleted!
Attempting to delete C:\windows\system32\xxyvurs.dll
C:\windows\system32\xxyvurs.dll Has been deleted!
Performing Repairs to the registry.
Done!
liverdrop
2007-06-15, 10:48
sorry...nvm the no log thing...
Logfile of HijackThis v1.99.1
Scan saved at 1:34:55 AM, on 6/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\scanner.exe.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D689806-AC94-46D5-8F80-9FC3387EDC7D} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {274B5F83-135E-463C-9B23-44B37B4A0A70} - C:\WINDOWS\system32\ssttq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A96B8B7-5943-4EA2-96D9-08A7A98E2EC0} - C:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\xxyvurs.dll (file missing)
O2 - BHO: (no name) - {9A04496D-82F3-8D7F-D97F-83ADDBE426C8} - C:\WINDOWS\system32\pif.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {FDA95400-4057-4D81-8C68-D377F899FAE7} - C:\WINDOWS\system32\jkklj.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jmrotsvu.exe] C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\RunServices: [E76DAFCF] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\¡ì?dobe\dllhost.exe" -vt yazb
O4 - HKCU\..\Run: [Wsjokl] C:\WINDOWS\s¡ì?stem\n¡ì¨¤pdb.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
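A HijackThis log like the one above can be triaged mechanically. The Python script below is an added example, not part of this thread and not HijackThis code; it turns into rules the patterns the helper acts on in the reply that follows (nameless BHOs whose DLL is missing or sits in system32, the legacy RunServices key, autostarts under Application Data or with non-ASCII characters in the path, and Winlogon Notify packages outside a small allowlist). The sample lines are a subset copied from the log; the rules, the Winlogon allowlist and the function names are the example's own assumptions.

```python
"""Heuristic triage of HijackThis O2 / O4 / O20 lines (added example)."""
import re

# Sample lines: a subset copied from the HijackThis log posted above.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D689806-AC94-46D5-8F80-9FC3387EDC7D} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9A04496D-82F3-8D7F-D97F-83ADDBE426C8} - C:\WINDOWS\system32\pif.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jmrotsvu.exe] C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
O4 - HKLM\..\RunServices: [E76DAFCF] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\¡ì?dobe\dllhost.exe" -vt yazb
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xxyvurs - C:\WINDOWS\SYSTEM32\xxyvurs.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Winlogon Notify packages that ship with Windows XP SP2 (plus WGA). This
# allowlist is an assumption of the example; extend it for your own builds.
WINLOGON_NOTIFY_ALLOWLIST = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}


def triage_line(line):
    """Return a reason string if the line matches a suspicious pattern, else None."""
    line = line.rstrip()
    m = O2_RE.match(line)
    if m:
        nameless = m["name"] == "(no name)"
        missing = m["path"].endswith("(file missing)")
        in_system32 = "\\system32\\" in m["path"].lower()
        # A nameless BHO is not suspicious by itself (Spybot's SDHelper is one);
        # it is the missing or system32-resident DLL that makes it worth a look.
        if nameless and (missing or in_system32):
            return "nameless BHO with missing or system32 DLL"
        return None
    m = O4_RE.match(line)
    if m:
        if m["key"].lower() == "runservices":
            return "legacy RunServices autostart"
        if any(ord(ch) > 127 for ch in m["cmd"]):
            return "non-ASCII characters in autostart path"
        if "\\application data\\" in m["cmd"].lower():
            return "autostart executable under Application Data"
        return None
    m = O20_RE.match(line)
    if m:
        if m["name"].lower() not in WINLOGON_NOTIFY_ALLOWLIST:
            return "unrecognised Winlogon Notify package"
        return None
    return None


def triage(log_text):
    """Return (reason, line) pairs for every flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((reason, line))
    return hits


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run against the sample, the script flags six lines (geedc.dll, pif.dll, jmrotsvu.exe, the RunServices entry, the Cpue path and the xxyvurs notify package) and leaves the Adobe, Spybot, iTunes and WgaLogon lines alone; the rules are a starting point for review, not a verdict.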
Hi again, we'll continue :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Backup your registry:
Start
Run
Type the following into the box and hit Ok: regedit
A window opens, click on File
Choose Export from the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Please download and run Flash_Disinfector by sUBs (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe) to your desktop.
Do NOT run yet.
Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then OK, and close My Computer.
==================
Look in your control panels add/remove programs for any of these and uninstall them:
Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga
and any other programs you didn't install or don't recognize - if you're not sure please ask first
Download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe
Tutorial for the uninstaller if needed (http://www.outerinfo.com/howto.html)
Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.
jmrotsvu.exe
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O2 - BHO: (no name) - {1D689806-AC94-46D5-8F80-9FC3387EDC7D} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {274B5F83-135E-463C-9B23-44B37B4A0A70} - C:\WINDOWS\system32\ssttq.dll (file missing)
O2 - BHO: (no name) - {5A96B8B7-5943-4EA2-96D9-08A7A98E2EC0} - C:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\xxyvurs.dll (file missing)
O2 - BHO: (no name) - {9A04496D-82F3-8D7F-D97F-83ADDBE426C8} - C:\WINDOWS\system32\pif.dll
O2 - BHO: (no name) - {FDA95400-4057-4D81-8C68-D377F899FAE7} - C:\WINDOWS\system32\jkklj.dll (file missing)
O4 - HKLM\..\Run: [jmrotsvu.exe] C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\RunServices: [E76DAFCF] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\¡ì?dobe\dllhost.exe" -vt yazb
O4 - HKCU\..\Run: [Wsjokl] C:\WINDOWS\s¡ì?stem\n¡ì¨¤pdb.exe
Please run Killbox.
Select "Delete on Reboot".
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\pif.dll
C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
C:\WINDOWS\system32\rsbmsc.exe
C:\WINDOWS\system32\drvwuw.dll
C:\WINDOWS\system32\drvvux.dll
C:\WINDOWS\system32\drvpul.dll
C:\WINDOWS\system32\drvjum.dll
C:\WINDOWS\system32\drvjak.dll
C:\WINDOWS\system32\fhpvybtb.dll
C:\WINDOWS\system32\sysmon32.exe
C:\WINDOWS\system32\amrgvsxb.dll
C:\WINDOWS\system32\winsys64.exe
C:\WINDOWS\WBDDA34I.DLL
C:\WINDOWS\system32\ptjfllbb.exe
C:\WINDOWS\system32\gjtpgqdf.exe
C:\WINDOWS\system32\j1291532.dll
C:\WINDOWS\system32\ipmon.exe
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Select "All Files".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A61098D-612B-4EF2-943D-64E920684061}"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021e6df-0a2a-11da-b762-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deff3a65-0821-11da-8b7d-806d6172696f}]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Use the Windows search:
Start
Search
All files and folders
More advanced options
Checkmark these options:
"Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this and delete if found: Info.exe
Search for this and delete if found: ipmon.exe
Run ATF Cleaner
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Run Flash_Disinfector tool.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
Run ComboFix again.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- fresh ComboFix log
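As an added example, not code from the thread or from any tool named in it, the following PowerShell audit does the checks above in one pass: it lists the MountPoints2 AutoRun commands and Run-key entries of the kind ComboFix reports, flags those that reference the file names named in this thread (Info.exe, ipmon.exe, jmrotsvu.exe) or the RunDLL32 ShellExec_RunDLL launcher, and searches the system drive for those files the way the Windows Search steps do by hand. It only reports; nothing is deleted. Assumes PowerShell 3 or later in an elevated console.

```powershell
# Added example (not from the thread). Reports autorun points and files
# named in this thread; deletes nothing. Assumes PowerShell 3 or later.

# File names taken from the thread's instructions and ComboFix log.
$SuspectNames = @('Info.exe', 'ipmon.exe', 'jmrotsvu.exe')

function Test-SuspectCommand {
    param([string]$Command)
    if (-not $Command) { return $false }
    foreach ($n in $SuspectNames) {
        if ($Command -match [regex]::Escape($n)) { return $true }
    }
    # The launcher pattern ComboFix showed under MountPoints2: RunDLL32 used
    # to start an executable dropped on the drive next to autorun.inf.
    return ($Command -match 'ShellExec_RunDLL')
}

function Get-MountPointAutoRuns {
    # One subkey per drive Explorer has seen; a Shell\AutoRun\command value
    # under it is what Explorer runs when the drive icon is opened.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (-not (Test-Path $base)) { return }
    foreach ($sub in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $cmdKey = Join-Path $sub.PSPath 'Shell\AutoRun\command'
        if (-not (Test-Path $cmdKey)) { continue }
        $cmd = [string](Get-Item -Path $cmdKey).GetValue('')
        [pscustomobject]@{
            Source  = "MountPoints2\$($sub.PSChildName)"
            Name    = 'AutoRun\command'
            Command = $cmd
            NoPath  = $false
            Suspect = Test-SuspectCommand $cmd
        }
    }
}

function Get-RunKeyEntries {
    # The Run keys ComboFix lists, including RunServices, where the
    # rsbmsc.exe entry appeared in this thread's log.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item -Path $k
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # A bare file name with no directory (e.g. "ipmon.exe") is resolved
            # through the search path; mark it so the real location gets checked.
            $bare = ($cmd -ne '') -and ($cmd -notmatch '[\\/]')
            [pscustomobject]@{
                Source  = $k
                Name    = $name
                Command = $cmd
                NoPath  = $bare
                Suspect = Test-SuspectCommand $cmd
            }
        }
    }
}

function Find-SuspectFiles {
    # Same scope as the Windows Search steps: system folders, hidden files
    # and subfolders all included.
    param([string]$Root = "$env:SystemDrive\")
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $SuspectNames -contains $_.Name } |
        Select-Object FullName, Length, LastWriteTime
}

# Report: flagged entries first, then any matching files on the system drive.
$entries = @(Get-MountPointAutoRuns) + @(Get-RunKeyEntries)
$entries | Sort-Object Suspect, NoPath -Descending | Format-Table -AutoSize -Wrap
"Flagged entries: $(@($entries | Where-Object Suspect).Count)"
"Files named $($SuspectNames -join ', ') under $env:SystemDrive :"
Find-SuspectFiles | Format-Table -AutoSize
```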
liverdrop
2007-06-18, 02:56
ComboFix 07-06-09.5 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-06-17 11:00:35 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\jtgutyjo.dll
C:\WINDOWS\system32\rybnbwkj.dll
C:\WINDOWS\system32\ojytugtj.ini
C:\WINDOWS\system32\jkwbnbyr.ini
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 )))))))))))))))))))))))))))))))
2007-06-17 09:54 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-06-17 09:11 <DIR> d-------- C:\!KillBox
2007-06-17 08:29 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-17 08:15 84,004,826 --a------ C:\RegBackup.reg
2007-06-15 23:49 99,072 --a------ C:\mevqvvvb1.exe
2007-06-15 23:49 94,976 --a------ C:\mevqvvvb3.exe
2007-06-15 23:49 286,720 --a------ C:\WINDOWS\system32\scchk32.exe
2007-06-15 23:49 100,096 --a------ C:\mevqvvvb2.exe
2007-06-14 01:38 62,516 --a------ C:\WINDOWS\system32\rnxfstkh.dll
2007-06-12 23:19 <DIR> drahs---- C:\autorun.inf
2007-06-10 10:35 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-06 23:15 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-06-06 14:34 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-06-06 14:32 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-06-06 13:02 <DIR> d-------- C:\VundoFix Backups
2007-06-06 12:44 1,835,008 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\You've Got Pictures Screensaver
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\McAfee
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL
2007-06-06 00:07 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-06-06 00:06 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-05 22:43 <DIR> d-------- C:\WINDOWS\s§åstem
2007-06-05 22:42 <DIR> d-------- C:\WINDOWS\§¡dobe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-17 13:12:20 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Skype
2007-06-07 18:26:34 -------- d-----w C:\Program Files\Starcraft
2007-06-07 16:12:04 -------- d-----w C:\Program Files\BigFix
2007-06-07 16:11:35 -------- d-----w C:\Program Files\Diablo II
2007-06-07 00:34:50 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-06 04:05:26 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-06 02:08:23 -------- d-----w C:\Program Files\Dragon
2007-06-05 16:26:34 -------- d-----w C:\Program Files\iTunes
2007-06-05 16:26:18 -------- d-----w C:\Program Files\iPod
2007-06-05 16:25:13 -------- d-----w C:\Program Files\QuickTime
2007-06-03 05:11:55 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24]
"VTTrayp"="VTtrayp.exe" [2004-10-12 06:00 C:\WINDOWS\system32\VTTrayp.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"SoundMan"="SOUNDMAN.EXE" [2003-12-09 14:17 C:\WINDOWS\SOUNDMAN.EXE]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-05 23:51]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"VTTimer"="VTTimer.exe" [2004-10-22 11:53 C:\WINDOWS\system32\VTTimer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"jmrotsvu.exe"="C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe" []
"ipmon"="ipmon.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"Aim6"="" []
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-31 21:46]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"Cpue"="C:\WINDOWS\§¡dobe\dllhost.exe" []
"Wsjokl"="C:\WINDOWS\s§åstem\n§àpdb.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"E76DAFCF"=C:\WINDOWS\system32\rsbmsc.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021e6df-0a2a-11da-b762-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deff3a65-0821-11da-8b7d-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
Contents of the 'Scheduled Tasks' folder
2007-06-05 20:43:16 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-17 11:05:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-17 11:06:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-17 11:06
C:\ComboFix2.txt ... 2007-06-12 23:41
C:\ComboFix3.txt ... 2007-06-10 11:27
--- E O F ---
liverdrop
2007-06-18, 02:59
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:54:44 AM 6/17/2007
+ Scan result:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\!KillBox\pif.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20070617-091036-954.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Program Files\UltimateDefender -> Adware.RogueSuspect : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/mlsdf8h6784504.exe -> Backdoor.HacDef.hg : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/max1d1641.exe -> Dialer.GBDialer.j : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win33.tmp.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win42.tmp.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win532.tmp.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win54B.tmp.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win614.tmp.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win73.tmp.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/winE.tmp.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win28.tmp.exe -> Downloader.Alphabet : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win4FF.tmp.exe -> Downloader.Alphabet : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win5E.tmp.exe -> Downloader.Alphabet : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\smgr.exe.vir -> Downloader.Alphabet : Cleaned with backup (quarantined).
C:\WINDOWS\smanager.7.exe~ -> Downloader.Alphabet : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\avp.exe.vir -> Downloader.Alphabet.b : Cleaned with backup (quarantined).
C:\!KillBox\sysmon32.exe -> Downloader.Alphabet.c : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1162OinAdmin.exe.vir -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win31.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win3E.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win549.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win59F.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win5D5.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win5F8.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win612.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win70.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/winC.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\svchost.exe.vir -> Logger.Agent.or : Cleaned with backup (quarantined).
:mozilla.251:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.269:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.307:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.351:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.356:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.394:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.659:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.725:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Adobe : Cleaned.
:mozilla.744:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Estat : Cleaned.
:mozilla.57:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Fortunecity : Cleaned.
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Fortunecity : Cleaned.
:mozilla.786:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.787:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.130:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
:mozilla.483:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.484:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.485:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.512:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.513:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.514:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.522:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.523:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
liverdrop
2007-06-18, 03:00
:mozilla.524:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.137:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.506:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.507:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.508:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.509:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.510:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.511:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.368:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.369:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.390:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.384:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned.
:mozilla.414:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.415:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.416:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.347:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.441:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.442:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.443:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.444:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.445:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.446:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.447:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.448:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.449:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.682:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned.
:mozilla.459:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.460:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.461:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.462:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.33:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.36:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.37:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.528:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.529:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.530:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
: m o z i l l a . 5 3 1 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . S e r v i n g - s y s : C l e a n e d .
: m o z i l l a . 5 3 2 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . S e r v i n g - s y s : C l e a n e d .
: m o z i l l a . 3 5 2 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . S k y p e : C l e a n e d .
: m o z i l l a . 5 4 2 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . S k y p e : C l e a n e d .
: m o z i l l a . 8 5 8 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . S m a r t a d s e r v e r : C l e a n e d .
: m o z i l l a . 8 5 9 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . S m a r t a d s e r v e r : C l e a n e d .
: m o z i l l a . 8 6 0 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . S m a r t a d s e r v e r : C l e a n e d .
: m o z i l l a . 8 6 1 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . S m a r t a d s e r v e r : C l e a n e d .
: m o z i l l a . 1 0 8 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . S t a r w a r e : C l e a n e d .
: m o z i l l a . 1 0 9 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . S t a r w a r e : C l e a n e d .
: m o z i l l a . 6 2 9 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . S t a r w a r e : C l e a n e d .
: m o z i l l a . 5 7 4 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . T a c o d a : C l e a n e d .
: m o z i l l a . 5 7 5 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . T a c o d a : C l e a n e d .
: m o z i l l a . 5 7 6 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . T a c o d a : C l e a n e d .
: m o z i l l a . 5 7 7 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . T a c o d a : C l e a n e d .
: m o z i l l a . 5 7 8 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . T a c o d a : C l e a n e d .
: m o z i l l a . 2 3 1 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . T r a c k i n g 1 0 1 : C l e a n e d .
: m o z i l l a . 6 0 3 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . T r a f f i c m p : C l e a n e d .
: m o z i l l a . 6 0 4 : C : \ D o c u m e n t s a n d S e t t i n g s \ O w n e r \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 0 v f 1 i d r i . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . T r a f f i c m p : C l e a n e d .
liverdrop
2007-06-18, 03:01
:mozilla.605:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.606:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.607:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.608:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.609:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.610:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.615:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.616:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.617:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.618:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.619:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.620:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.621:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.622:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.623:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.624:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.625:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.450:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.451:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.452:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.453:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.454:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.237:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.907:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.908:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0vf1idri.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\!KillBox\drvjak.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\!KillBox\drvjum.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\!KillBox\drvpul.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\!KillBox\drvvux.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\!KillBox\drvwuw.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win2C.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win4FD.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win503.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win52B.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win544.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win56A.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win59A.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win5D1.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win5F9.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win62.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/win6C.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\winmyy32.dll.vir -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\wnsapisu.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).
::Report end
liverdrop
2007-06-18, 03:02
Logfile of HijackThis v1.99.1
Scan saved at 11:07:53 AM, on 6/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HijackThis\scanner.exe.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jmrotsvu.exe] C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [E76DAFCF] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\¡ì?dobe\dllhost.exe" -vt yazb
O4 - HKCU\..\Run: [Wsjokl] C:\WINDOWS\s¡ì?stem\n¡ì¨¤pdb.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
OK looks better but not clean yet...
Please post an uninstall list here. Start HijackThis.
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad here on your next reply.
Generate a HijackThis Startup list:
Open HijackThis: Click on "Open the Misc Tools Section"
Check the following boxes to the right of "Generate StartupList Log": List also minor sections (Full)
List empty sections (Complete)
Click "Generate StartupListLog"
Click "Yes" at the prompt.
A Notepad window will open with the contents of the HijackThis Startup list displayed
Copy & paste that log here.
liverdrop
2007-06-22, 11:19
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
Adobe Reader Chinese Simplified Fonts
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
AIM 6.0
AOL Instant Messenger
Apache Tomcat 5.5 (remove only)
Apple Software Update
AVG Anti-Spyware 7.5
BroadJump Client Foundation
ChinaGate - Skype 2.5
Commandos 3 - Destination Berlin
Digital Media Reader
DivX
DivX Player
DivX Web Player
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
iPod for Windows 2006-03-23
IrfanView (remove only)
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1_19
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 SDK Standard Edition v1.3.1_19
Java Web Start
Lexmark Photo Center
Lexmark Z700-P700 Series
LimeWire 4.12.6
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft Pandora's Box
Microsoft Works
MSXML 4.0 SP2 (KB927978)
MSXML4 Parser
Outerinfo
PowerDVD
QuickTime
RealPlayer
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
S3 S3TrayPlus
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
SoftV92 Data Fax Modem with SmartCP
Spybot - Search & Destroy 1.4
TextPad 4.7
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Ventrilo Client
VIA/S3G Display Driver
VIA/S3G Display Driver
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Backup Utility
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB895316
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
World of Warcraft
liverdrop
2007-06-22, 11:19
StartupList report, 6/21/2007, 11:18:36 PM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\scanner.exe.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16473)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\foundersc\consummate\fzwmb.exe
C:\Program Files\foundersc\consummate\LiveUpdate.exe
C:\Program Files\foundersc\consummate\xiadan.exe
C:\Program Files\HijackThis\scanner.exe.exe
C:\WINDOWS\system32\notepad.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SunKistEM = C:\Program Files\Digital Media Reader\shwiconem.exe
RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
VTTrayp = VTtrayp.exe
SoundMan = SOUNDMAN.EXE
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Adobe Photo Downloader = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
VTTimer = VTTimer.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
jmrotsvu.exe = C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
ipmon = ipmon.exe
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
E76DAFCF = C:\WINDOWS\system32\rsbmsc.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
Aim6 =
AdobeUpdater = C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
swg = C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Cpue = "C:\WINDOWS\§¡dobe\dllhost.exe" -vt yazb
Wsjokl = C:\WINDOWS\s§åstem\n§àpdb.exe
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar4.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
--------------------------------------------------
Enumerating Task Scheduler jobs:
AppleSoftwareUpdate.job
--------------------------------------------------
Enumerating Download Program Files:
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Shockwave 10\Download.dll
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
[Facebook Photo Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx
CODEBASE = http://upload.facebook.com/controls/FacebookPhotoUploader.cab
[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
[Get_ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\HPGETD~1.OCX
CODEBASE = https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\swg.dll||C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe||C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\res_en.dll||C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\swg-2.0.301.7164\SearchWithGoogleUpdate_en.exe||C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\swg-2.0.301.7164||C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462||C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462||C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164||C:\WINDOWS\system32\wuapi.dll.wusetup.132000.bak||C:\WINDOWS\system32\wuauclt.exe.wusetup.132156.bak||C:\WINDOWS\system32\wuaucpl.cpl.wusetup.132421.bak||C:\WINDOWS\system32\wuaueng.dll.wusetup.133593.bak
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
--------------------------------------------------
End of report, 8,560 bytes
Report generated in 0.016 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Hi again, we'll continue :)
Sorry for the wait (Midsummer ;))
You should print these instructions or save these to a text file. Follow these instructions carefully.
You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install one firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't e.g. protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:
These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)
You don't have an antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) on your computer, you must install one antivirus. Otherwise you'll get infected again.
These are good (free) antiviruses: AVG (http://free.grisoft.com)
Antivir (http://www.free-av.com)
Avast (http://www.avast.com)
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
==================
Open Control Panel -> Add/Remove programs -> Remove all of the following or similar entries if found:
Outerinfo
and any other programs you didn't install or don't recognize - if you're not sure, please ask first.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O4 - HKLM\..\Run: [jmrotsvu.exe] C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\RunServices: [E76DAFCF] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\¡ì?dobe\dllhost.exe" -vt yazb
O4 - HKCU\..\Run: [Wsjokl] C:\WINDOWS\s¡ì?stem\n¡ì¨¤pdb.exe
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files (if present):
C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
C:\WINDOWS\system32\rsbmsc.exe
C:\mevqvvvb1.exe
C:\mevqvvvb3.exe
C:\WINDOWS\system32\scchk32.exe
C:\mevqvvvb2.exe
C:\WINDOWS\system32\rnxfstkh.dll
Use the Windows search: Start -> Search -> All files and folders -> More advanced options. Checkmark these options:
"Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this and delete if found: ipmon.exe
Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Now run Flash_Disinfector tool again.
Back up your registry:
Start
Run
Type the following into the box and hit Ok: regedit
A window opens, click on File
Choose Export from the menu
Change the save location to C:\
Give the filename: RegBackUp2
Make sure that the filetype is set to Registry files (*.reg)
Click on Save and close the window
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :
REGEDIT4
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021e6df-0a2a-11da-b762-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deff3a65-0821-11da-8b7d-806d6172696f}]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Run a scan with Dr.Web CureIt: double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click the next icon next to the files found (http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif)
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode and run ComboFix again.
Post the Cure-it report and a fresh HijackThis log along with a fresh ComboFix log
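The entries singled out for removal above share a few tell-tale shapes: a value launched from All Users\Application Data, a bare file name with no path, a RunServices value named with eight hex digits, and folder names spelt with Cyrillic look-alike letters so that they read as "Adobe" and "system" (the ComboFix log further down lists them as C:\WINDOWS\Аdobe and C:\WINDOWS\sуstem). The Python script below is an added example, not code from the thread or from any of the tools mentioned in it; it checks Run-key lines for those shapes. The sample lines are constructed after the StartupList report above, and the file name under the fake "system" folder is a placeholder.

```python
"""Flag suspicious autorun (Run-key) entries in a StartupList-style report.

Added example; not code from the thread or from any tool mentioned in it.
The heuristics mirror the shapes the helper flagged above.
"""
import re
import unicodedata

# Constructed sample lines modelled on the "Autorun entries from Registry"
# section of the StartupList report above. The Cyrillic letters are written
# as escapes: \u0410 is CYRILLIC CAPITAL LETTER A, \u0443 is CYRILLIC SMALL
# LETTER U. The file name under the fake "system" folder is a placeholder.
SAMPLE_ENTRIES = (
    "SunKistEM = C:\\Program Files\\Digital Media Reader\\shwiconem.exe\n"
    "VTTrayp = VTtrayp.exe\n"
    "jmrotsvu.exe = C:\\Documents and Settings\\All Users\\Application Data\\jmrotsvu.exe\n"
    "ipmon = ipmon.exe\n"
    "E76DAFCF = C:\\WINDOWS\\system32\\rsbmsc.exe\n"
    "ctfmon.exe = C:\\WINDOWS\\system32\\ctfmon.exe\n"
    "Cpue = \"C:\\WINDOWS\\\u0410dobe\\dllhost.exe\" -vt yazb\n"
    "Wsjokl = C:\\WINDOWS\\s\u0443stem\\PLACEHOLDER.exe\n"
)

# Cyrillic letters whose glyphs are indistinguishable from Latin ones in most
# fonts; used to show which legitimate name a folder is impersonating.
CONFUSABLES = {
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y",
}


def parse_entries(report):
    """Return (value_name, command) pairs from 'name = command' lines."""
    entries = []
    for line in report.splitlines():
        m = re.match(r"^(.+?)\s*=\s*(.*)$", line)
        if m:
            entries.append((m.group(1).strip(), m.group(2).strip()))
    return entries


def extract_target(command):
    """Pull the launched file out of a command line, quoted or not."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|dll|sys|scr|com|bat))(?:\s|$)", command, re.I)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def latinize(component):
    """Map Cyrillic look-alikes to Latin; returns (ascii_form, found_chars)."""
    out, found = [], []
    for ch in component:
        if ch in CONFUSABLES:
            found.append(ch)
            out.append(CONFUSABLES[ch])
        else:
            out.append(ch)
    return "".join(out), found


def suspicious_reasons(name, target):
    """Reasons a reviewer should look twice at this entry (may be empty)."""
    reasons = []
    if re.fullmatch(r"[0-9A-F]{8}", name):
        reasons.append("value name is eight random-looking hex digits")
    if target and "\\" not in target:
        reasons.append("bare file name, resolved via the search path")
    low = target.lower()
    if "\\application data\\" in low or "\\temp\\" in low:
        reasons.append("executable launched from a data or temp directory")
    for comp in target.split("\\"):
        if any(ord(c) > 127 for c in comp):
            ascii_form, found = latinize(comp)
            if found:
                labels = ", ".join(unicodedata.name(c) for c in found)
                reasons.append(f"'{comp}' imitates '{ascii_form}' ({labels})")
            else:
                reasons.append(f"non-ASCII characters in '{comp}'")
    return reasons


def analyze(report):
    """Map each flagged value name to its list of reasons."""
    findings = {}
    for name, command in parse_entries(report):
        reasons = suspicious_reasons(name, extract_target(command))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in analyze(SAMPLE_ENTRIES).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

The bare-name check is a prompt for review rather than a verdict: VTTrayp.exe and SOUNDMAN.EXE appear in the same form in the report above, and the ComboFix log later resolves them to C:\WINDOWS\system32 and C:\WINDOWS.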
liverdrop
2007-07-04, 18:19
sorry for the very long delay
ComboFix 07-06-09.5 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-07-04 11:09:01 - Service Pack 2 NTFS
((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 )))))))))))))))))))))))))))))))
2007-07-04 02:11 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
2007-07-04 02:07 82,165,568 --a------ C:\RegBackup2.reg
2007-06-27 11:49 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-06-17 09:54 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-06-17 09:11 <DIR> d-------- C:\!KillBox
2007-06-17 08:29 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-17 08:15 84,004,826 --a------ C:\RegBackup.reg
2007-06-12 23:19 <DIR> drahs---- C:\autorun.inf
2007-06-10 10:35 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-06 23:15 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-06-06 14:34 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-06-06 14:32 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-06-06 13:02 <DIR> d-------- C:\VundoFix Backups
2007-06-06 12:44 1,642,496 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\You've Got Pictures Screensaver
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\McAfee
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
2007-06-06 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL
2007-06-06 00:07 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-06-06 00:06 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-05 22:43 <DIR> d-------- C:\WINDOWS\sуstem
2007-06-05 22:42 <DIR> d-------- C:\WINDOWS\Аdobe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-04 05:33:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Skype
2007-06-07 18:26:34 -------- d-----w C:\Program Files\Starcraft
2007-06-07 16:12:04 -------- d-----w C:\Program Files\BigFix
2007-06-07 16:11:35 -------- d-----w C:\Program Files\Diablo II
2007-06-07 00:34:50 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-06 04:05:26 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-06 02:08:23 -------- d-----w C:\Program Files\Dragon
2007-06-05 16:26:34 -------- d-----w C:\Program Files\iTunes
2007-06-05 16:26:18 -------- d-----w C:\Program Files\iPod
2007-06-05 16:25:13 -------- d-----w C:\Program Files\QuickTime
2007-06-03 05:11:55 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24]
"VTTrayp"="VTtrayp.exe" [2004-10-12 06:00 C:\WINDOWS\system32\VTTrayp.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"SoundMan"="SOUNDMAN.EXE" [2003-12-09 14:17 C:\WINDOWS\SOUNDMAN.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-05 23:51]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"VTTimer"="VTTimer.exe" [2004-10-22 11:53 C:\WINDOWS\system32\VTTimer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"Aim6"="" []
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 23:03]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
Contents of the 'Scheduled Tasks' folder
2007-06-05 20:43:16 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-04 11:12:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
? [3808]
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-04 11:14:28
C:\ComboFix-quarantined-files.txt ... 2007-07-04 11:14
C:\ComboFix2.txt ... 2007-06-17 11:06
C:\ComboFix3.txt ... 2007-06-12 23:41
--- E O F ---
liverdrop
2007-07-04, 18:20
cfd.exe;c:\program files\broadjump\client foundation;Adware.Cfd;Incurable.Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP2B3.tmp\aspapp;Probably BACKDOOR.Trojan;;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.2.78.1;Probably BACKDOOR.Trojan;;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.1;Probably BACKDOOR.Trojan;;
Process.exe;C:\Documents and Settings\Owner\Desktop\SDFix\apps;Tool.Prockill;Incurable.Moved.;
liverdrop
2007-07-04, 18:21
Logfile of HijackThis v1.99.1
Scan saved at 11:13, on 2007-07-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\catchme.cfexe
C:\WINDOWS\system32\conime.exe
C:\Program Files\HijackThis\scanner.exe.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\imapi.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hello :)
OK we'll continue..
Please run a GMER Rootkit scan:
Download GMER's application from here:
http://www.gmer.net/gmer.zip
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning! Please do not select the "Show all" checkbox during the scan.
liverdrop
2007-07-06, 09:24
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-06 02:17:45
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.13 ----
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwClose
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcess
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcessEx
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteValueKey
SSDT \SystemRoot\system32\drivers\khips.sys ZwLoadDriver
SSDT \SystemRoot\system32\drivers\khips.sys ZwMapViewOfSection
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwResumeThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSetInformationFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSetValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwWriteFile
---- Kernel code sections - GMER 1.0.13 ----
PAGENDSM NDIS.sys!NdisMIndicateStatus F7371A5F 6 Bytes JMP F54C7C5E \SystemRoot\system32\drivers\fwdrv.sys
---- User code sections - GMER 1.0.13 ----
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[160] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[232] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[232] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[232] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[232] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[232] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[232] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[232] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[232] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[232] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[232] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[232] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[232] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[232] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[232] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[232] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] WININET.dll!InternetConnectA 42C249B2 5 Bytes JMP 00130F54
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] WININET.dll!InternetConnectW 42C25BA8 5 Bytes JMP 00130FE0
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00130D24
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00130DB0
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 00130E3C
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00130EC8
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] ws2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE[480] ws2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\csrss.exe[520] KERNEL32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001601A8
.text C:\WINDOWS\system32\csrss.exe[520] KERNEL32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00160090
liverdrop
2007-07-06, 09:25
.text C:\WINDOWS\system32\csrss.exe[520] KERNEL32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00160694
.text C:\WINDOWS\system32\csrss.exe[520] KERNEL32.dll!CreateProcessW 7C802332 5 Bytes JMP 001602C0
.text C:\WINDOWS\system32\csrss.exe[520] KERNEL32.dll!CreateProcessA 7C802367 5 Bytes JMP 00160234
.text C:\WINDOWS\system32\csrss.exe[520] KERNEL32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00160004
.text C:\WINDOWS\system32\csrss.exe[520] KERNEL32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0016011C
.text C:\WINDOWS\system32\csrss.exe[520] KERNEL32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001604F0
.text C:\WINDOWS\system32\csrss.exe[520] KERNEL32.dll!CreateThread 7C810637 5 Bytes JMP 0016057C
.text C:\WINDOWS\system32\csrss.exe[520] KERNEL32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001603D8
.text C:\WINDOWS\system32\csrss.exe[520] KERNEL32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0016034C
.text C:\WINDOWS\system32\csrss.exe[520] KERNEL32.dll!WinExec 7C86136D 5 Bytes JMP 00160464
.text C:\WINDOWS\system32\csrss.exe[520] KERNEL32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00160608
.text C:\WINDOWS\system32\csrss.exe[520] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001607AC
.text C:\WINDOWS\system32\csrss.exe[520] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00160720
.text C:\WINDOWS\system32\winlogon.exe[544] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\winlogon.exe[544] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\winlogon.exe[544] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\winlogon.exe[544] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\winlogon.exe[544] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\winlogon.exe[544] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\winlogon.exe[544] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\winlogon.exe[544] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\winlogon.exe[544] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\winlogon.exe[544] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\winlogon.exe[544] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\winlogon.exe[544] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\winlogon.exe[544] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\winlogon.exe[544] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\winlogon.exe[544] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\winlogon.exe[544] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000708C4
.text C:\WINDOWS\system32\winlogon.exe[544] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00070838
.text C:\WINDOWS\system32\winlogon.exe[544] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00070950
.text C:\WINDOWS\system32\services.exe[588] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\services.exe[588] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\services.exe[588] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\services.exe[588] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\services.exe[588] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\services.exe[588] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\services.exe[588] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\services.exe[588] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\services.exe[588] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\services.exe[588] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\services.exe[588] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\services.exe[588] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\services.exe[588] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\services.exe[588] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\services.exe[588] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\services.exe[588] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\services.exe[588] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\services.exe[588] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\lsass.exe[600] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\lsass.exe[600] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\lsass.exe[600] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\lsass.exe[600] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\lsass.exe[600] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\lsass.exe[600] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\lsass.exe[600] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\lsass.exe[600] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\lsass.exe[600] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\lsass.exe[600] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\lsass.exe[600] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\lsass.exe[600] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\lsass.exe[600] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\lsass.exe[600] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\lsass.exe[600] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\lsass.exe[600] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\lsass.exe[600] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\lsass.exe[600] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\wdfmgr.exe[708] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\wdfmgr.exe[708] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\wdfmgr.exe[708] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\wdfmgr.exe[708] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\wdfmgr.exe[708] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\wdfmgr.exe[708] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\wdfmgr.exe[708] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\wdfmgr.exe[708] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\wdfmgr.exe[708] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\wdfmgr.exe[708] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\wdfmgr.exe[708] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0007034C
liverdrop
2007-07-06, 09:26
.text C:\WINDOWS\system32\wdfmgr.exe[708] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\wdfmgr.exe[708] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\wdfmgr.exe[708] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\wdfmgr.exe[708] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[748] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[748] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[748] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[748] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[748] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[840] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[840] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[840] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[840] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[840] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[908] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[908] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[908] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[908] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[908] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[908] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[908] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[908] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[908] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[908] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[908] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[908] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[908] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[908] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[908] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[908] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[908] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[908] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[908] WININET.dll!InternetConnectA 42C249B2 5 Bytes JMP 00080F54
.text C:\WINDOWS\System32\svchost.exe[908] WININET.dll!InternetConnectW 42C25BA8 5 Bytes JMP 00080FE0
.text C:\WINDOWS\System32\svchost.exe[908] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00080D24
.text C:\WINDOWS\System32\svchost.exe[908] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00080DB0
.text C:\WINDOWS\System32\svchost.exe[908] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 00080E3C
.text C:\WINDOWS\System32\svchost.exe[908] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00080EC8
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[932] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[932] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[932] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[932] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[932] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[932] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[932] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[932] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[932] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[932] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[932] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[932] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[932] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[932] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
liverdrop
2007-07-06, 09:27
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[932] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[996] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[996] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[996] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[996] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[996] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1092] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1092] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1092] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1092] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1092] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetConnectA 42C249B2 5 Bytes JMP 00080F54
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetConnectW 42C25BA8 5 Bytes JMP 00080FE0
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00080D24
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00080DB0
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 00080E3C
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00080EC8
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\WINDOWS\system32\LEXBCES.EXE[1220] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\spoolsv.exe[1252] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\spoolsv.exe[1252] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\spoolsv.exe[1252] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\spoolsv.exe[1252] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\spoolsv.exe[1252] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\spoolsv.exe[1252] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\spoolsv.exe[1252] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\spoolsv.exe[1252] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\spoolsv.exe[1252] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\spoolsv.exe[1252] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\spoolsv.exe[1252] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\spoolsv.exe[1252] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\spoolsv.exe[1252] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\spoolsv.exe[1252] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\spoolsv.exe[1252] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\spoolsv.exe[1252] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\spoolsv.exe[1252] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\spoolsv.exe[1252] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
liverdrop
2007-07-06, 09:28
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\WINDOWS\system32\LEXPPS.EXE[1264] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\Explorer.EXE[1552] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\Explorer.EXE[1552] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\Explorer.EXE[1552] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\Explorer.EXE[1552] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\Explorer.EXE[1552] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\Explorer.EXE[1552] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\Explorer.EXE[1552] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\Explorer.EXE[1552] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\Explorer.EXE[1552] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\Explorer.EXE[1552] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\Explorer.EXE[1552] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\Explorer.EXE[1552] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\Explorer.EXE[1552] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\Explorer.EXE[1552] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\Explorer.EXE[1552] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\Explorer.EXE[1552] WININET.dll!InternetConnectA 42C249B2 5 Bytes JMP 00080F54
.text C:\WINDOWS\Explorer.EXE[1552] WININET.dll!InternetConnectW 42C25BA8 5 Bytes JMP 00080FE0
.text C:\WINDOWS\Explorer.EXE[1552] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00080D24
.text C:\WINDOWS\Explorer.EXE[1552] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00080DB0
.text C:\WINDOWS\Explorer.EXE[1552] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 00080E3C
.text C:\WINDOWS\Explorer.EXE[1552] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00080EC8
.text C:\WINDOWS\Explorer.EXE[1552] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\Explorer.EXE[1552] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\Explorer.EXE[1552] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\Program Files\Digital Media Reader\shwiconem.exe[1680] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\Program Files\Digital Media Reader\shwiconem.exe[1680] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\Program Files\Digital Media Reader\shwiconem.exe[1680] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\Program Files\Digital Media Reader\shwiconem.exe[1680] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\Program Files\Digital Media Reader\shwiconem.exe[1680] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\Program Files\Digital Media Reader\shwiconem.exe[1680] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\Program Files\Digital Media Reader\shwiconem.exe[1680] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\Program Files\Digital Media Reader\shwiconem.exe[1680] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\Program Files\Digital Media Reader\shwiconem.exe[1680] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\Program Files\Digital Media Reader\shwiconem.exe[1680] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\Program Files\Digital Media Reader\shwiconem.exe[1680] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\Program Files\Digital Media Reader\shwiconem.exe[1680] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\Program Files\Digital Media Reader\shwiconem.exe[1680] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\Program Files\Digital Media Reader\shwiconem.exe[1680] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001407AC
.text C:\Program Files\Digital Media Reader\shwiconem.exe[1680] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00140720
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1688] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1688] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1688] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1688] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1688] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1688] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1688] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1688] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1688] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1688] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1688] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1688] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1688] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1688] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001407AC
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1688] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00140720
.text C:\WINDOWS\system32\VTtrayp.exe[1720] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\WINDOWS\system32\VTtrayp.exe[1720] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\WINDOWS\system32\VTtrayp.exe[1720] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
liverdrop
2007-07-06, 09:29
.text C:\WINDOWS\system32\VTtrayp.exe[1720] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\WINDOWS\system32\VTtrayp.exe[1720] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\WINDOWS\system32\VTtrayp.exe[1720] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\WINDOWS\system32\VTtrayp.exe[1720] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\WINDOWS\system32\VTtrayp.exe[1720] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\WINDOWS\system32\VTtrayp.exe[1720] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\WINDOWS\system32\VTtrayp.exe[1720] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\WINDOWS\system32\VTtrayp.exe[1720] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\WINDOWS\system32\VTtrayp.exe[1720] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\WINDOWS\system32\VTtrayp.exe[1720] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\WINDOWS\system32\VTtrayp.exe[1720] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001407AC
.text C:\WINDOWS\system32\VTtrayp.exe[1720] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00140720
.text C:\Program Files\iPod\bin\iPodService.exe[1732] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\iPod\bin\iPodService.exe[1732] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\iPod\bin\iPodService.exe[1732] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\iPod\bin\iPodService.exe[1732] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\iPod\bin\iPodService.exe[1732] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\iPod\bin\iPodService.exe[1732] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\iPod\bin\iPodService.exe[1732] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\iPod\bin\iPodService.exe[1732] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\iPod\bin\iPodService.exe[1732] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\iPod\bin\iPodService.exe[1732] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\iPod\bin\iPodService.exe[1732] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\iPod\bin\iPodService.exe[1732] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\iPod\bin\iPodService.exe[1732] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\Program Files\iPod\bin\iPodService.exe[1732] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\iPod\bin\iPodService.exe[1732] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1760] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\SOUNDMAN.EXE[1764] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\WINDOWS\SOUNDMAN.EXE[1764] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\WINDOWS\SOUNDMAN.EXE[1764] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\WINDOWS\SOUNDMAN.EXE[1764] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\WINDOWS\SOUNDMAN.EXE[1764] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\WINDOWS\SOUNDMAN.EXE[1764] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\WINDOWS\SOUNDMAN.EXE[1764] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\WINDOWS\SOUNDMAN.EXE[1764] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\WINDOWS\SOUNDMAN.EXE[1764] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\WINDOWS\SOUNDMAN.EXE[1764] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\WINDOWS\SOUNDMAN.EXE[1764] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\WINDOWS\SOUNDMAN.EXE[1764] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\WINDOWS\SOUNDMAN.EXE[1764] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\WINDOWS\SOUNDMAN.EXE[1764] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001407AC
.text C:\WINDOWS\SOUNDMAN.EXE[1764] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00140720
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1800] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1800] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1800] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1800] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1800] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1800] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1800] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1800] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1800] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1800] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1800] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1800] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1800] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1800] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001407AC
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1800] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00140720
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
liverdrop
2007-07-06, 09:30
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1808] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\VTTimer.exe[1844] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\WINDOWS\system32\VTTimer.exe[1844] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\WINDOWS\system32\VTTimer.exe[1844] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\WINDOWS\system32\VTTimer.exe[1844] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\WINDOWS\system32\VTTimer.exe[1844] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\WINDOWS\system32\VTTimer.exe[1844] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\WINDOWS\system32\VTTimer.exe[1844] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\WINDOWS\system32\VTTimer.exe[1844] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\WINDOWS\system32\VTTimer.exe[1844] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\WINDOWS\system32\VTTimer.exe[1844] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\WINDOWS\system32\VTTimer.exe[1844] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\WINDOWS\system32\VTTimer.exe[1844] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\WINDOWS\system32\VTTimer.exe[1844] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\WINDOWS\system32\VTTimer.exe[1844] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001407AC
.text C:\WINDOWS\system32\VTTimer.exe[1844] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00140720
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] WININET.dll!InternetConnectA 42C249B2 5 Bytes JMP 00140F54
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] WININET.dll!InternetConnectW 42C25BA8 5 Bytes JMP 00140FE0
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00140D24
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00140DB0
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 00140E3C
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00140EC8
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001407AC
.text C:\Program Files\iTunes\iTunesHelper.exe[1884] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00140720
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001407AC
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00140720
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001408C4
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00140838
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1900] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00140950
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
liverdrop
2007-07-06, 09:31
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1916] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\ctfmon.exe[1924] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\ctfmon.exe[1924] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\ctfmon.exe[1924] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\ctfmon.exe[1924] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\ctfmon.exe[1924] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\ctfmon.exe[1924] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\ctfmon.exe[1924] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\ctfmon.exe[1924] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\ctfmon.exe[1924] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\ctfmon.exe[1924] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\ctfmon.exe[1924] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\ctfmon.exe[1924] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\ctfmon.exe[1924] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\ctfmon.exe[1924] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\ctfmon.exe[1924] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001407AC
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00140720
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001408C4
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00140838
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00140950
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] WININET.dll!InternetConnectA 42C249B2 5 Bytes JMP 00140F54
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] WININET.dll!InternetConnectW 42C25BA8 5 Bytes JMP 00140FE0
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00140D24
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00140DB0
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 00140E3C
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1932] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00140EC8
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1948] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1948] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1948] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1948] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1948] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1948] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1948] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1948] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1948] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1948] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1948] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1948] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1948] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1948] user32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001407AC
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1948] user32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00140720
.text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[2036] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[2036] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[2036] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[2036] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
liverdrop
2007-07-06, 09:34
.text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[2036] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[2036] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[2036] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[2036] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[2036] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[2036] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[2036] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[2036] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[2036] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[2036] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[2036] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[2052] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[2052] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\Documents and Settings\Owner\Desktop\gmer.exe[2076] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\Documents and Settings\Owner\Desktop\gmer.exe[2076] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\Documents and Settings\Owner\Desktop\gmer.exe[2076] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\Documents and Settings\Owner\Desktop\gmer.exe[2076] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\Documents and Settings\Owner\Desktop\gmer.exe[2076] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\Documents and Settings\Owner\Desktop\gmer.exe[2076] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\Documents and Settings\Owner\Desktop\gmer.exe[2076] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\Documents and Settings\Owner\Desktop\gmer.exe[2076] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\Documents and Settings\Owner\Desktop\gmer.exe[2076] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\Documents and Settings\Owner\Desktop\gmer.exe[2076] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\Documents and Settings\Owner\Desktop\gmer.exe[2076] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\Documents and Settings\Owner\Desktop\gmer.exe[2076] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\Documents and Settings\Owner\Desktop\gmer.exe[2076] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\Documents and Settings\Owner\Desktop\gmer.exe[2076] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001407AC
.text C:\Documents and Settings\Owner\Desktop\gmer.exe[2076] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00140720
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F2A1 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001407AC
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00140720
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A0277 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A01F8 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A023C C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A0184 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A01BE C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A02B2 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F3164E C:\WINDOWS\system32\IEFRAME.dll
liverdrop
2007-07-06, 09:35
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] WININET.dll!InternetConnectA 42C249B2 5 Bytes JMP 00140F54
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] WININET.dll!InternetConnectW 42C25BA8 5 Bytes JMP 00140FE0
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00140D24
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00140DB0
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 00140E3C
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00140EC8
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001408C4
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00140838
.text C:\Program Files\Internet Explorer\iexplore.exe[2128] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00140950
.text C:\WINDOWS\system32\wscntfy.exe[2356] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\wscntfy.exe[2356] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\wscntfy.exe[2356] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\wscntfy.exe[2356] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\wscntfy.exe[2356] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\wscntfy.exe[2356] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\wscntfy.exe[2356] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\wscntfy.exe[2356] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\wscntfy.exe[2356] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\wscntfy.exe[2356] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\wscntfy.exe[2356] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\wscntfy.exe[2356] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\wscntfy.exe[2356] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\wscntfy.exe[2356] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\wscntfy.exe[2356] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00070720
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] WININET.dll!InternetConnectA 42C249B2 5 Bytes JMP 00130F54
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] WININET.dll!InternetConnectW 42C25BA8 5 Bytes JMP 00130FE0
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00130D24
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00130DB0
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 00130E3C
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00130EC8
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3168] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\AIM\aim.exe[3812] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\Program Files\AIM\aim.exe[3812] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\Program Files\AIM\aim.exe[3812] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\Program Files\AIM\aim.exe[3812] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\Program Files\AIM\aim.exe[3812] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\Program Files\AIM\aim.exe[3812] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\Program Files\AIM\aim.exe[3812] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\Program Files\AIM\aim.exe[3812] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
liverdrop
2007-07-06, 09:36
.text C:\Program Files\AIM\aim.exe[3812] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\Program Files\AIM\aim.exe[3812] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\Program Files\AIM\aim.exe[3812] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\Program Files\AIM\aim.exe[3812] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\Program Files\AIM\aim.exe[3812] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\Program Files\AIM\aim.exe[3812] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001407AC
.text C:\Program Files\AIM\aim.exe[3812] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00140720
.text C:\Program Files\AIM\aim.exe[3812] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001408C4
.text C:\Program Files\AIM\aim.exe[3812] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00140838
.text C:\Program Files\AIM\aim.exe[3812] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00140950
---- Kernel IAT/EAT - GMER 1.0.13 ----
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F54C7B06] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F54C7B26] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F54C7B60] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F54C7B86] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F54C7B60] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F54C7B26] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F54C7B06] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F54C7B60] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F54C7B86] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F54C7B06] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F54C7B26] \SystemRoot\system32\drivers\fwdrv.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7B4C404] avg7rsw.sys
liverdrop
2007-07-06, 09:37
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7B4C404] avg7rsw.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B6C85A] avgtdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F54BBB30] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B6C85A] avgtdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F54BBB30] fwdrv.sys
liverdrop
2007-07-06, 09:38
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F54BB974] fwdrv.sys
Device \Driver\fwdrv \Device\FWDRV IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B6C85A] avgtdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B6C85A] avgtdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F54BBB30] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B6C85A] avgtdi.sys
liverdrop
2007-07-06, 09:39
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F54BBB30] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F54BB974] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F54BB974] fwdrv.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F7B4C404] avg7rsw.sys
---- Registry - GMER 1.0.13 ----
Reg \Registry\USER\S-1-5-21-2437707645-3878641263-1327713641-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{13664F50-96B3-115F-107C-C65E84C93450}@nanhinngcmbbmaeajgaiidcbcgdl 0x6A 0x61 0x61 0x61 ...
Reg \Registry\USER\S-1-5-21-2437707645-3878641263-1327713641-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{13664F50-96B3-115F-107C-C65E84C93450}@madicdpfpielcbjlfmgfkdnnlc 0x6A 0x61 0x61 0x61 ...
---- Files - GMER 1.0.13 ----
ADS C:\Documents and Settings\Owner\Favorites\famat Mu:favicon
ADS C:\Documents and Settings\Owner\Favorites\Looking For Group ?Comic Archives.url:favicon
ADS C:\Documents and Settings\Owner\Favorites\:favicon
ADS C:\Documents and Settings\Owner\Favorites\:favicon
---- EOF - GMER 1.0.13 ----
Ok nothing bad there...
Let's clean the rest, post a fresh ComboFix log along with a fresh HijacKThis log :bigthumb:
liverdrop
2007-07-07, 21:08
Logfile of HijackThis v1.99.1
Scan saved at 2:07:44 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MathType\MathType.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\HijackThis\scanner.exe.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Please also post a fresh ComboFix log :bigthumb:
liverdrop
2007-07-08, 05:37
ComboFix 07-06-09.5 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-07-07 14:09:27 - Service Pack 2 NTFS
((((((((((((((((((((((((( Files Created from 2007-06-07 to 2007-07-07 )))))))))))))))))))))))))))))))
2007-07-05 16:48 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Design Science
2007-07-05 16:47 <DIR> d-------- C:\Program Files\MathType
2007-07-04 12:11 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-04 12:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-04 02:11 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
2007-07-04 02:07 82,165,568 --a------ C:\RegBackup2.reg
2007-06-27 11:49 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-06-17 09:54 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-06-17 09:11 <DIR> d-------- C:\!KillBox
2007-06-17 08:29 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-17 08:15 84,004,826 --a------ C:\RegBackup.reg
2007-06-12 23:19 <DIR> drahs---- C:\autorun.inf
2007-06-10 10:35 49,152 --a------ C:\WINDOWS\nircmd.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-04 05:33:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Skype
2007-06-07 18:26:34 -------- d-----w C:\Program Files\Starcraft
2007-06-07 16:12:04 -------- d-----w C:\Program Files\BigFix
2007-06-07 16:11:35 -------- d-----w C:\Program Files\Diablo II
2007-06-07 00:34:50 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-06 18:34:48 1,040,384 ----a-w C:\WINDOWS\system32\libeay32.dll
2007-06-06 18:32:26 196,608 ----a-w C:\WINDOWS\system32\ssleay32.dll
2007-06-06 04:07:03 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-06-06 04:06:28 -------- d-----w C:\Program Files\Lavasoft
2007-06-06 04:05:26 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-06 02:08:23 -------- d-----w C:\Program Files\Dragon
2007-06-05 16:26:34 -------- d-----w C:\Program Files\iTunes
2007-06-05 16:26:18 -------- d-----w C:\Program Files\iPod
2007-06-05 16:25:13 -------- d-----w C:\Program Files\QuickTime
2007-06-03 05:11:55 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24]
"VTTrayp"="VTtrayp.exe" [2004-10-12 06:00 C:\WINDOWS\system32\VTTrayp.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"SoundMan"="SOUNDMAN.EXE" [2003-12-09 14:17 C:\WINDOWS\SOUNDMAN.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-05 23:51]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"VTTimer"="VTTimer.exe" [2004-10-22 11:53 C:\WINDOWS\system32\VTTimer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"Aim6"="" []
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 23:03]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
Contents of the 'Scheduled Tasks' folder
2007-06-05 20:43:16 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-07 14:14:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
? [1092]
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-07 14:16:02
C:\ComboFix-quarantined-files.txt ... 2007-07-07 14:16
C:\ComboFix2.txt ... 2007-07-04 11:14
C:\ComboFix3.txt ... 2007-06-17 11:06
--- E O F ---
liverdrop
2007-07-08, 05:38
Sorry, I had to go out of the house while it was scanning.
Ok one more remaining....
Delete all old versions of Flash_Disinfector
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :
REGEDIT4
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Please download and run Flash_Disinfector by sUBs (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe)
Restart the computer and post a fresh HijackThis log along with a fresh ComboFix log :bigthumb:
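The Fix.reg above removes the MountPoints2\D key whose AutoRun\command entry showed up in the 2007-07-07 ComboFix log (a per-drive autorun verb that runs the named program when the drive is opened in Explorer). As an added example, not ComboFix, HijackThis or sUBs' code, this Python script parses the "Reg Loading Points" section of such a log, reports every MountPoints2 key carrying a `\command` verb, and builds the REGEDIT4 removal text in exactly the shape the post asks for; the sample log lines are constructed from this thread, and the `{guid-placeholder}` key, its `BaseClass` line and the `\command-` regex are assumptions.

```python
"""Flag MountPoints2 autorun verbs in a ComboFix 'Reg Loading Points' dump and
emit the REGEDIT4 text that deletes the offending keys (added example)."""
import re
from typing import List, Tuple

# Constructed sample: the MountPoints2 block from the 2007-07-07 log above, a
# normal Run key, and a second (assumed) MountPoints2 key with no command verb
# so the parser can show that only "\command" entries are flagged.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{guid-placeholder}]
"BaseClass"="Drive" []
Contents of the 'Scheduled Tasks' folder
"""

# A registry key header as ComboFix prints it: [HKEY_...\path]
KEY_HEADER = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$")
# ComboFix prints a verb under a MountPoints2 key as "<verb>\command- <cmd>"
# (the log above shows "AutoRun\command-"). Accepting any "<verb>\command"
# prefix (Open, Explore, Shell\...) is an assumption, not ComboFix's spec.
COMMAND_LINE = re.compile(
    r"^(?P<verb>[^\s=]*\\command)-?\s*(?P<cmd>.+?)\s*$", re.IGNORECASE
)
MOUNTPOINTS2 = "\\explorer\\mountpoints2\\"


def find_mountpoints_autorun(log: str) -> List[Tuple[str, str, str]]:
    """Return (key, verb, command) for every \\command line under a
    MountPoints2 subkey. Any such entry deserves review: it makes Explorer
    run the command when the user opens that drive letter or volume."""
    hits: List[Tuple[str, str, str]] = []
    current_key = None
    for raw in log.splitlines():
        line = raw.strip()
        header = KEY_HEADER.match(line)
        if header:
            current_key = header.group("key")
            continue
        if current_key is None or MOUNTPOINTS2 not in current_key.lower():
            continue  # value lines of keys we do not care about
        verb = COMMAND_LINE.match(line)
        if verb:
            hits.append((current_key, verb.group("verb"), verb.group("cmd")))
    return hits


def build_removal_reg(keys: List[str]) -> str:
    """REGEDIT4 text that deletes each key with a [-KEY] line: nothing before
    the REGEDIT4 header and exactly one blank line at the end, as the post
    requires. Keys are de-duplicated while keeping their order."""
    lines = ["REGEDIT4", ""]
    for key in dict.fromkeys(keys):
        lines.append(f"[-{key}]")
    return "\n".join(lines) + "\n\n"


if __name__ == "__main__":
    found = find_mountpoints_autorun(SAMPLE_LOG)
    for key, verb, cmd in found:
        print(f"{key}\n  {verb} -> {cmd}")
    # Save with newline="\r\n" if you want the CRLF line endings regedit writes.
    print(build_removal_reg([key for key, _, _ in found]))
```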
liverdrop
2007-07-10, 17:59
Logfile of HijackThis v1.99.1
Scan saved at 10:59:27 AM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\scanner.exe.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
liverdrop
2007-07-10, 18:01
ComboFix 07-06-09.5 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-07-10 10:51:06 - Service Pack 2 NTFS
((((((((((((((((((((((((( Files Created from 2007-06-10 to 2007-07-10 )))))))))))))))))))))))))))))))
2007-07-10 10:49 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-07-08 01:26 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-08 01:26 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-08 01:25 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-07-08 01:25 <DIR> d-------- C:\Program Files\Symantec
2007-07-05 16:48 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Design Science
2007-07-05 16:47 <DIR> d-------- C:\Program Files\MathType
2007-07-04 12:11 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-04 12:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-04 02:11 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
2007-07-04 02:07 82,165,568 --a------ C:\RegBackup2.reg
2007-06-27 11:49 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-06-17 09:11 <DIR> d-------- C:\!KillBox
2007-06-17 08:29 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-17 08:15 84,004,826 --a------ C:\RegBackup.reg
2007-06-12 23:19 <DIR> drahs---- C:\autorun.inf
2007-06-10 10:35 49,152 --a------ C:\WINDOWS\nircmd.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-10 14:46:51 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-07-08 05:27:34 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-04 05:33:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Skype
2007-06-07 18:26:34 -------- d-----w C:\Program Files\Starcraft
2007-06-07 16:12:04 -------- d-----w C:\Program Files\BigFix
2007-06-07 16:11:35 -------- d-----w C:\Program Files\Diablo II
2007-06-07 00:34:50 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-06 18:34:48 1,040,384 ----a-w C:\WINDOWS\system32\libeay32.dll
2007-06-06 18:32:26 196,608 ----a-w C:\WINDOWS\system32\ssleay32.dll
2007-06-06 04:07:03 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-06-06 04:06:28 -------- d-----w C:\Program Files\Lavasoft
2007-06-06 02:08:23 -------- d-----w C:\Program Files\Dragon
2007-06-05 16:26:34 -------- d-----w C:\Program Files\iTunes
2007-06-05 16:26:18 -------- d-----w C:\Program Files\iPod
2007-06-05 16:25:13 -------- d-----w C:\Program Files\QuickTime
2007-06-03 05:11:55 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24]
"VTTrayp"="VTtrayp.exe" [2004-10-12 06:00 C:\WINDOWS\system32\VTTrayp.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"SoundMan"="SOUNDMAN.EXE" [2003-12-09 14:17 C:\WINDOWS\SOUNDMAN.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-05 23:51]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"VTTimer"="VTTimer.exe" [2004-10-22 11:53 C:\WINDOWS\system32\VTTimer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"Aim6"="" []
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 23:03]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
2007-06-05 20:43:16 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-10 10:55:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
? [3068]
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-10 10:57:27
C:\ComboFix-quarantined-files.txt ... 2007-07-10 10:57
C:\ComboFix2.txt ... 2007-07-07 14:16
C:\ComboFix3.txt ... 2007-07-04 11:14
--- E O F ---
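The autostart listing in the log above has a fixed shape: a registry key header in square brackets, then one line per value as `"name"="command" [file timestamp]`, with an empty `[]` where the scanner recorded no timestamp. When reading such logs by hand, the entries that deserve a second look are the ones whose binary lives under a temp or profile-data directory, whose filename looks machine-generated, or whose file could not be stamped. The following is an added example, not code from this thread, from ComboFix or from its author: a small Python triage script that parses lines in that shape and attaches those reasons. Its sample input is the `HKEY_CURRENT_USER\...\Run` block from the log above plus two constructed entries (`qzxkvbtl`, `7731922`) invented to show the suspicious cases; the directory list and name heuristic are my own assumptions and flag benign leftovers too (an uninstalled program's stale Run value, for instance), so they are a prompt to check, not a verdict.

```python
"""Added example: triage of a ComboFix-style autostart listing.

Not code from the original thread or from ComboFix itself. It parses the
Run-key lines in the format the log uses and flags entries worth a second
look. The sample input is the HKCU Run block from the log plus two
constructed entries (qzxkvbtl, 7731922) invented for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# "name"="command" [timestamp]   -- the timestamp may be empty: []
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]\s*$')
# [HKEY_...]  -- registry key header that the following values belong to
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]\s*$')

# Directories (lower-cased) that a legitimate autostart binary rarely lives in.
# This list is an assumption of the example, not something ComboFix defines.
SUSPECT_DIRS = (
    "\\windows\\temp\\",
    "\\all users\\application data\\",
    "\\local settings\\temp\\",
    "\\local settings\\temporary internet files\\",
)
VOWELS = set("aeiouy")


@dataclass
class Entry:
    key: str
    name: str
    path: str
    stamp: str

    def reasons(self) -> List[str]:
        """Heuristic reasons to look closer; an empty list means nothing stood out."""
        if not self.path:
            # Value with no command: left behind by an uninstall, or emptied by a cleaner.
            return ["empty command"]
        out = []
        low = self.path.lower()
        for d in SUSPECT_DIRS:
            if d in low:
                out.append("lives in " + d)
                break
        base = low.rsplit("\\", 1)[-1]
        stem = base[:-4] if base.endswith(".exe") else base
        # Weak heuristic: digits-only names, or long names with no vowels, look machine-generated.
        if stem.isdigit() or (stem.isalpha() and len(stem) >= 8 and not (set(stem) & VOWELS)):
            out.append("random-looking filename")
        # Empty [] means the scanner recorded no timestamp for the file; in my
        # experience that usually means the file was not found at that path.
        if not self.stamp.strip():
            out.append("no file timestamp")
        return out


def parse(lines: Iterable[str]) -> List[Entry]:
    """Parse key headers and value lines; other lines (blank, separators) are ignored."""
    key = "(unknown key)"
    entries = []
    for raw in lines:
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(key, m.group("name"), m.group("path"), m.group("stamp")))
    return entries


def triage(lines: Iterable[str]) -> List[Entry]:
    """Return only the entries that have at least one reason attached."""
    return [e for e in parse(lines) if e.reasons()]


# Sample input: the HKCU Run block from the log, plus two constructed HKLM entries.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"Aim6"="" []
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 23:03]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qzxkvbtl"="C:\Documents and Settings\All Users\Application Data\qzxkvbtl.exe" []
"7731922"="C:\WINDOWS\TEMP\7731922.exe" [2007-07-03 09:12]
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG.splitlines()):
        print(f"{e.key}\n  {e.name!r} -> {e.path or '(empty)'}: {', '.join(e.reasons())}")
```

Run against the sample, the script leaves `ctfmon.exe`, `swg` and the TeaTimer entry alone, reports `Aim6` as an empty command and `msnmsgr` and `AdobeUpdater` as unstamped (typical stale leftovers), and gives the two constructed entries two and three reasons each. The directory and filename checks are where real detection value lies; the timestamp check mostly tells you which lines to verify on disk before deciding anything.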
liverdrop
2007-07-10, 18:03
Mr. Jak, I just bought a new laptop this week and I was wondering if you could recommend a free third party firewall that runs well with Win Vista? Thank you so much for all your time and efforts, you saved me much time and worries!
Hello, the previous computer looks clean now :)
Hi again, it is looking clean now :)
Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
Then you should update your Java to the latest version (6u1):
Start
Control Panel
Add/Remove Programs
Delete the old Java:
Java 2 Runtime Environment, SE v1.4.1_02
Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Check "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply, then OK, and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.
Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
==========
The new computer: I've been using Vista's built-in firewall for now. There aren't really any free ones available yet (some test versions, maybe). :bigthumb:
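The MVPS Hosts file recommended above works because the hosts file is consulted before DNS: every line maps an address to one or more hostnames, and pinning a known advertising or malware hostname to a blackhole address (0.0.0.0, or 127.0.0.1 in older lists) means the connection never leaves the machine. The same mechanism cuts both ways, which is why hosts-file checks belong in a post-cleanup routine: malware of this era also wrote entries that sent antivirus-vendor and banking hostnames to an address it controlled. The following is an added example, not code from the post above, from MVPS, or from Microsoft: a small Python parser for the file format plus a lookup and an audit function. The hostnames are constructed `.test` names and the "first entry wins" rule and the 0.0.0.0-versus-127.0.0.1 remark are my understanding of the Windows resolver and of MVPS's choice, not something this thread states. On Windows XP the live file is `%SystemRoot%\system32\drivers\etc\hosts`.

```python
"""Added example: how a hosts-file block list works, and how to audit one.

Not code from the post above or from the MVPS project. Hostnames in the
sample are constructed .test names; the entries mimic the MVPS layout
(one blackhole address, then one or more hostnames, optional # comment).
"""
import ipaddress
from typing import Dict

# Addresses that mean "go nowhere". MVPS uses 0.0.0.0 rather than 127.0.0.1 so
# that a web server listening on the loopback interface cannot answer for a
# blocked name and the connection fails fast instead of waiting on it.
BLACKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}


def load_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to its address; the first entry for a
    name wins, as the resolver stops at the first match."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))  # rejects junk like 0.0.0.0.0
        except ValueError:
            continue
        for name in parts[1:]:
            table.setdefault(name.lower(), addr)
    return table


def is_sinkholed(table: Dict[str, str], name: str) -> bool:
    """True if this exact name is pinned to a blackhole address. There is no
    wildcard: a listed example.test does not cover cdn.example.test."""
    return table.get(name.lower()) in BLACKHOLES


def suspicious_redirects(table: Dict[str, str]) -> Dict[str, str]:
    """Entries that point somewhere real rather than to a blackhole. On a
    cleaned machine the list should be empty: a bank or AV-vendor name sent
    to a routable address is the classic hosts hijack."""
    return {n: a for n, a in table.items() if a not in BLACKHOLES}


# Constructed sample: MVPS-style blocks, a duplicate, a hijack and a bad line.
SAMPLE_HOSTS = """
# constructed excerpt in the MVPS style
127.0.0.1       localhost
0.0.0.0 ad.example-tracker.test
0.0.0.0 banner.example-tracker.test  # served the pop-ups
0.0.0.0 www.example-malware.test example-malware.test
0.0.0.0 dup.test
127.0.0.1 dup.test
10.0.0.5 www.example-bank.test
0.0.0.0.0 broken.test
"""

if __name__ == "__main__":
    table = load_hosts(SAMPLE_HOSTS)
    for host in ("ad.example-tracker.test", "cdn.example-malware.test"):
        print(host, "blocked" if is_sinkholed(table, host) else "not blocked")
    print("redirects to audit:", suspicious_redirects(table))
```

Two practical points follow from the code. Because matching is exact, a hosts file protects only against names someone already listed, so it complements rather than replaces an updated scanner and browser. And because `suspicious_redirects` is what you would run after a cleanup, an empty result is the expected state: anything it reports should be traced back to whatever wrote it.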